Kaspersky official blog https://www.kaspersky.co.uk/blog
The Official Blog from Kaspersky covers information to help protect you against viruses, spyware, hackers, spam & other forms of malware.

Kaspersky uncovers a crypto game created by Lazarus APT | Kaspersky official blog
https://www.kaspersky.co.uk/blog/how-to-play-tanks-and-catch-backdoor/28412/
Fri, 08 Nov 2024 15:11:25 +0000

Battle City, colloquially known as “that tank game”, is a symbol of a bygone era. Some 30 years ago, gamers would pop a cartridge into their console, settle in front of a bulky TV, and obliterate waves of enemy tanks until the screen gave out.

Today, the world’s a different place, but tank games remain popular. Modern iterations offer gamers not just the thrill of gameplay but also the chance to earn NFTs. Cybercriminals too have something to offer: a sophisticated attack targeting crypto-gaming enthusiasts.

Backdoor and zero-day exploit in Google Chrome

This story begins in February 2024, when our security solution detected the Manuscrypt backdoor on a user’s computer in Russia. We’re very familiar with this backdoor; various versions of it have been used by the Lazarus APT group since at least 2013. So, given we already know the main tool and methods used by the attackers — what’s so special about this particular incident?

The thing is that these hackers typically target large organizations like banks, IT companies, universities, and even government agencies. But this time, Lazarus hit an individual user, planting a backdoor on a personal computer! The cybercriminals lured the victim to a game site and thereby gained complete access to their system. Three things made this possible:

  • The victim’s irresistible desire to play their favorite tank game in a new format
  • A zero-day vulnerability in Google Chrome
  • An exploit that allowed remote code execution in the Google Chrome process

Before you start to worry, relax: Google has since released a browser update, blocked the tank game’s website, and thanked the Kaspersky security researchers. But just in case, our products detect both the Manuscrypt backdoor and the exploit. We’ve delved into the details of this story on the Securelist blog.

Fake accounts

At the start of the investigation, we thought the group had gone to extraordinary lengths this time: “Did they actually create an entire game just for a scam?” But we soon worked out what they’d really done. The cybercriminals based their game — DeTankZone — on the existing game DeFiTankLand. They really went all out, stealing the source code of DeFiTankLand and creating fake social media accounts for their counterfeit.

Around the same time, in March 2024, the price of the DefitankLand (sic) cryptocurrency plummeted — the developers of the original game announced that their cold wallet had been hacked, and “someone” had stolen $20,000. The identity of this “someone” remains a mystery. The developers believe it was an insider, but we suspect that the ever-present tentacles of Lazarus are involved.

Differences between the fake and the original are minimal

The cybercriminals orchestrated a full-blown promotion campaign for their game: they boosted follower counts on X (formerly Twitter), sent collaboration offers to hundreds of cryptocurrency influencers (also potential victims), created premium LinkedIn accounts, and organized waves of phishing emails. As a result, the fake game got even more traction than the original (6000 followers on X, versus 5000 for the original game’s account).

Social media content created by AI with the help of graphic designers

How we played tanks

Now for the most fun part…

The malicious site that Lazarus lured their victims to offered a chance, not only to “try out” a zero-day browser exploit, but also to play a beta version of the game. Now, here at Kaspersky, we respect the classics, so we couldn’t resist having a go on this promising new version. We downloaded an archive that seemed completely legitimate: 400MB in size, correct file structure, logos, UI elements, and 3D model textures. Boot her up!

The DeTankZone start menu greeted us with a prompt to enter an email address and password. We first tried logging in with common passwords like “12345” and “password”, but that didn’t work. “Fine, then”, we thought, “we’ll just register a new account”. Again, no luck — the system wouldn’t let us play.

The start menu inspires confidence with a seemingly legitimate login form

So why were there 3D model textures and other files in the game archive? Could they really have been other components of the malware? Actually, it wasn’t that bad. We reverse-engineered the code and discovered elements responsible for the connection to the game server — which, for this fake version, was non-functional. So, in theory, the game was still playable. A bit of time spent, a little programming, and voilà — we replace the hackers’ server with our own, and the red tank “Boris” enters the arena.

The game reminded us of shareware games from 20 years ago — which made all the effort worthwhile

Lessons from this attack

The key takeaway here is that even seemingly harmless web links can end up with your entire computer being hijacked. Cybercriminals are constantly refining their tactics and methods. Lazarus is already using generative AI with some success, meaning we can expect even more sophisticated attacks involving it in the future.

Security solutions are also evolving with effective integration of AI — learn more here and here. All ordinary internet users have to do is make sure their devices are protected, and stay informed about the latest scams. Fortunately, the Kaspersky Daily blog makes this easy — subscribe to stay updated…

Tor Browser and anonymity: what you need to know | Kaspersky official blog
https://www.kaspersky.co.uk/blog/what-you-need-to-know-about-tor-browser-and-anonymity/28394/
Thu, 07 Nov 2024 09:27:43 +0000

The desire to remain anonymous online is as old as the internet itself. In the past, users believed hiding behind a nickname meant they could badmouth their neighbors on local forums with impunity. Now, such trolls can be identified in seconds. Since those early days, technology has taken a quantum leap: distributed networks, anonymous browsers, and other privacy tools have emerged. One of these tools, which was heavily promoted a decade ago by former NSA contractor Edward Snowden, is the Tor Browser, where “TOR” is an acronym for “The Onion Router”.

But in today’s world, can Tor truly provide complete anonymity? And if it doesn’t, should we just forget all about anonymity and rely on a regular browser like Google Chrome?

How Tor users are deanonymized

If Tor is new to you, check out our vintage article from way back when. There, we answered some common questions: how the browser ensures anonymity, who needs it, and what people usually do on the dark web. In brief, Tor anonymizes user traffic through a distributed network of servers, called nodes. All network traffic is repeatedly encrypted as it passes through a number of nodes between two communicating computers. No single node knows both the origin and destination addresses of a data packet, nor can it access the packet’s content. OK, short digression over — now let’s turn to the real security threats facing anonymity enthusiasts.

In September, German intelligence services identified a Tor user. How did they do it? The key to their success was data obtained through what’s called “timing analysis”.

How does this analysis work? Law enforcement agencies monitor Tor exit nodes (the final nodes in the chains that send traffic to its destination). The more Tor nodes the authorities monitor, the greater the chance a user hiding their connection will use one of those monitored nodes. Then, by timing individual data packets and correlating this information with ISP data, law enforcement can trace anonymous connections back to the end Tor user — even though all Tor traffic is encrypted multiple times.

The operation described above, which led to the arrest of the administrator of a child sexual abuse platform, was possible partly because Germany hosts the highest number of Tor exit nodes — around 700. The Netherlands ranks second with about 400, and the US comes in third with around 350. Other countries have anywhere from a few to a few dozen. International cooperation among these top exit-node countries played a significant role in deanonymizing the child sexual abuse offender. Logically, the more nodes a country has, the more of them can be state-monitored, increasing the likelihood of catching criminals.

Germany and the Netherlands are among the leaders on the number of Tor exit nodes — not only in Europe but worldwide.

The Tor Project responded with a blog post discussing the safety of their browser. It concludes that it’s still safe: the de-anonymized individual was a criminal (why else would authorities be interested?), using an outdated version of Tor and the Ricochet messaging app. However, Tor noted it wasn’t given access to the case files, so their interpretation regarding the security of their own browser might not be definitive.

This kind of story isn’t new; the problem of timing attacks has long been known to the Tor Project, intelligence agencies, and researchers. So although the attack method is well-known, it remains possible, and most likely, more criminals will be identified through timing analysis in the future. However, this method isn’t the only one: in 2015, our experts conducted extensive research detailing other ways to attack Tor users. Even if some of these methods have become outdated in the forms presented in that study, the principles of these attacks remain unchanged.

“Generally it is impossible to have perfect anonymity, even with Tor”.

This phrase opens the “Am I totally anonymous if I use Tor?” section of the Tor Browser support page. Here, the developers provide tips, but these tips can at best only increase the chances of remaining anonymous:

  • Control what information you provide through web forms. Users are advised against logging in to personal accounts on social networks, as well as posting their real names, email addresses, phone numbers, and other similar information on forums.
  • Don’t torrent over Tor. Torrent programs often bypass proxy settings and prefer direct connections, which can de-anonymize all traffic — including Tor.
  • Don’t enable or install browser plugins. This advice also applies to regular browsers, as there are many dangerous extensions out there.
  • Use HTTPS versions of websites. This recommendation, incidentally, applies to all internet users.
  • Don’t open documents downloaded through Tor while online. Such documents, the Tor Project warns, may contain malicious exploits.

With all these recommendations, the Tor Project is essentially issuing a disclaimer: “Our browser is anonymous, but if you misuse it, you may still be exposed”. And this actually makes sense — your level of anonymity online depends primarily on your actions as a user — not solely on the technical capabilities of the browser or any other tool.

There is another interesting section on the Tor support page: “What attacks remain against onion routing?” It specifically mentions possible attacks using timing analysis with the note that “Tor does not defend against such a threat model”. However, in a post about the German user’s de-anonymization, the developers claim that an add-on called Vanguard, designed to protect against timing attacks, has been included in Tor Browser since 2018, and in Ricochet-Refresh since June 2022. This discrepancy suggests one of two things: either the Tor Project hasn’t updated its documentation, or it’s being somewhat disingenuous. Both are problematic because they can mislead users.

So what about anonymity?

It’s important to remember that Tor Browser can’t guarantee 100% anonymity. At the same time, switching to other tools built on a similar distributed node network structure is pointless, as they are equally vulnerable to timing attacks.

If you’re a law-abiding individual using anonymous browsing simply to avoid intrusive contextual ads, secretly shop for gifts for loved ones, and for other similarly harmless purposes, the private browsing mode in any regular browser will probably suffice. This mode, of course, doesn’t offer the same level of anonymity as Tor and its counterparts, but it can make surfing the net a bit more… well, private. Just make sure you fully understand how this mode works in different browsers, and what it can and can’t protect you from.

In addition, all of our home security solutions include Private Browsing. By default, this feature detects attempts to collect data and logs them in a report but doesn’t block them. To block data collection, you need to either enable Block data collection in the Kaspersky app or activate the Kaspersky Protection plugin directly in the browser.

Besides this, our protection can also block ads, prevent the hidden installation of unwanted apps, detect and remove stalkerware and adware, and remove traces of your activity in the operating system. Meanwhile, the special component Safe Money provides maximum protection for all financial operations by conducting them in a protected browser in an isolated environment and preventing other apps from gaining unauthorized access to the clipboard or taking screenshots.

Double VPN

You can also stay anonymous on the internet using Kaspersky VPN Secure Connection, which supports Double VPN (also known as multi-hop). As the name suggests, this technology allows you to create a chain of two VPN servers in different parts of the world: your traffic first passes through an intermediary server, and then through another. Double VPN in Kaspersky VPN Secure Connection uses nested encryption — the encrypted tunnel between the client and the destination server runs inside a second encrypted tunnel between the client and the intermediary server. Encryption in both cases is only performed on the client side, and data is not decrypted on the intermediary server. This provides an additional layer of security and anonymity.

Double VPN is available to users of Windows and Mac versions of Kaspersky VPN Secure Connection. Before enabling Double VPN, make sure that the Catapult Hydra protocol is selected in the application settings: Main → Settings (gear icon) → Protocol → Select automatically, or Catapult Hydra.

After that, you can enable Double VPN:

  1. Open the main application window.
  2. Click the Location drop-down to open the list of locations of VPN servers.
  3. Click the Double VPN
  4. Select two locations and click Connect.

You can add your Double VPN server pair to Favorites by clicking the Add to Favorites button.

How to enable Double VPN in Kaspersky VPN Secure Connection

Congratulations! Now your traffic is encrypted more securely than usual — but remember that these traffic encryption methods are not intended for illegal activities. Double VPN will help you conceal personal information from data-gathering sites, avoid undesirable ads, and access resources unavailable in your current location.

New 2024 NIST requirements for password strength and storage
https://www.kaspersky.co.uk/blog/2024-password-and-otp-requirements-nist-sp-800-63/28388/
Wed, 06 Nov 2024 16:29:52 +0000

The requirements set by online services for user verification — whether it’s password length, a mandatory phone number, or biometric checks with blinking — are often governed by industry standards. One of the most important documents in this field is the NIST SP 800-63 Digital Identity Guidelines, developed by the US National Institute of Standards and Technology (NIST). This standard is mandatory for all US government agencies and their contractors; in practice, this means that all the world’s largest IT companies adhere to this standard, with consequences reaching far beyond the borders of the United States.

Even organizations that aren’t strictly required to comply with NIST SP 800-63 would still benefit from familiarizing themselves with these updated guidelines, as they often serve as a blueprint for regulators in other countries and industries. The recent update, developed through four rounds of public revisions with industry experts, reflects the latest understanding of digital identification and authentication. It covers security and privacy requirements, and considers a possible distributed (federated) approach. The standard is practical, and factors in human considerations — how users respond to various authentication requirements.

This new edition formalizes concepts, and outlines requirements for:

  • passkeys (referred to in the standard as “syncable authenticators”);
  • phishing-resistant authentication;
  • user storage of passwords and accesses (“attribute bundles”);
  • regular re-authentication;
  • session tokens.

So — how to authenticate users in 2024?

Password authentication

The standard defines three Authentication Assurance Levels (AALs). AAL1 imposes the fewest restrictions and gives minimal confidence that the user is indeed who they claim to be, while AAL3 offers the strongest guarantees and requires the most stringent authentication. Only AAL1 permits single-factor authentication — such as a password alone.

The requirements for passwords are as follows:

  • Only centrally verified secrets sent by the user to the server over a secure channel qualify as passwords. Passwords that are stored and verified locally are termed “activation secrets” and have different requirements.
  • Passwords shorter than eight characters are prohibited, with a minimum of 15 characters recommended.
  • Scheduled, mandatory password rotation is considered an outdated practice and therefore prohibited.
  • It’s also prohibited to impose requirements on password composition (such as “your password must contain a letter, a number, and a symbol”).
  • It’s recommended to allow using any visible ASCII characters, spaces, and most Unicode symbols (such as emojis).
  • Maximum password length, if enforced, must be at least 64 characters.
  • Truncating passwords during verification is prohibited, but trimming leading/trailing whitespace is allowed if it interferes with authentication.
  • Using and storing password hints or security questions (such as “your mother’s maiden name”) is prohibited.
  • Commonly used passwords must be eliminated through the use of a stop-list of popular or leaked passwords.
  • Compromised passwords (for example, appearing in data breaches) must be reset immediately.
  • Login attempts must be limited in both rate and number of unsuccessful attempts.
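The password rules above translate almost directly into an acceptance check. The following Python is an added example written for this post, not code from NIST or from Kaspersky: the blocklist entries are constructed, and the NFC normalization and the case-insensitive stop-list comparison are design choices of the example rather than requirements of the standard.

```python
import unicodedata

# Constructed stop-list standing in for a real list of popular/leaked passwords;
# a production deployment would load millions of entries from a breach corpus.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "iloveyou1", "letmein123"}

MIN_LENGTH = 8        # shorter than 8 characters is prohibited
RECOMMENDED_MIN = 15  # recommended minimum
MAX_LENGTH = 64       # if a maximum is enforced at all, it must be at least 64


def normalize(password: str) -> str:
    """Apply only the transformations the guidelines permit.

    Leading/trailing whitespace may be trimmed; the password is never
    truncated, case-folded or otherwise altered. Unicode is NFC-normalized
    so the same visible string typed on different keyboards compares equal
    (the normalization step is a design choice of this example).
    """
    return unicodedata.normalize("NFC", password).strip()


def check_password(candidate: str, blocklist=BLOCKLIST):
    """Return (accepted, reasons); reasons is empty when the password is accepted.

    Deliberately absent: composition rules ("must contain a digit and a
    symbol"), password hints, security questions and scheduled expiry,
    all of which the 2024 guidelines prohibit.
    """
    pw = normalize(candidate)
    reasons = []
    # Length is counted in Unicode code points rather than bytes, so an
    # eight-emoji password is not rejected as too short and a multibyte
    # password is not rejected as too long by a byte-based limit.
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    # The stop-list comparison is case-insensitive here so that trivial
    # variants such as "Password" are caught too (a design choice).
    if pw.lower() in blocklist:
        reasons.append("appears on the list of common or leaked passwords")
    return (not reasons, reasons)


def is_recommended_length(candidate: str) -> bool:
    """True when the password meets the recommended (not mandatory) 15-character minimum."""
    return len(normalize(candidate)) >= RECOMMENDED_MIN


if __name__ == "__main__":
    for sample in ["Password", "correct horse battery staple", "\U0001F510" * 8]:
        print(repr(sample), check_password(sample))
```

The two remaining bullets, limiting login attempts and forcing a reset when a password turns up in a breach, are process controls around the verifier rather than properties of the password string, so they are not part of this check.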

Activation secrets

These are PINs and local passwords that restrict access to the on-device key storage. They can be numeric, with a recommended minimum length of six digits — though four digits are permissible. For AAL3, the primary cryptographic secret (for example, a passkey) must be stored in a tamper-resistant chip, and decrypted using the activation secret. For AAL1 and AAL2, it’s enough that the key restricts access from outsiders, with a limit on input attempts — no more than 10 tries. After exceeding the limit, the storage is locked, requiring an alternative authentication method.
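As an added example (not code from the page or from the standard), the following Python class models the attempt limit described above for an on-device activation secret: a salted PBKDF2 hash of the PIN (the hashing choice is this example's assumption), a minimum interval between attempts as the rate limit, and a hard lock after the tenth consecutive failure, after which even the correct PIN is refused. The class name and the injectable timestamp parameter are the example's own.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

MAX_ATTEMPTS = 10  # the guidelines allow no more than 10 tries before the store locks


class ActivationSecretGuard:
    """Guards an on-device key store behind a numeric activation secret (PIN).

    Only a salted hash of the PIN is kept. Consecutive failures are counted;
    once MAX_ATTEMPTS is reached the store locks for good and even the correct
    PIN is refused, so the owner must fall back to another authentication
    method. A minimum spacing between attempts provides the rate limit the
    standard requires alongside the attempt count.
    """

    def __init__(self, pin: str, min_interval_s: float = 1.0,
                 max_attempts: int = MAX_ATTEMPTS):
        if not pin.isdigit() or len(pin) < 4:
            raise ValueError("PIN must be numeric and at least 4 digits (6 recommended)")
        self._salt = os.urandom(16)
        self._digest = self._derive(pin)
        self._failures = 0
        self._locked = False
        self._last_attempt = float("-inf")  # timestamp of the last counted attempt
        self._min_interval = min_interval_s
        self._max_attempts = max_attempts

    def _derive(self, pin: str) -> bytes:
        # PBKDF2 (an assumed choice) with a per-store salt. A 4-6 digit space is
        # tiny, so the attempt limit, not the hash, is the real protection here.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    @property
    def locked(self) -> bool:
        return self._locked

    @property
    def remaining_attempts(self) -> int:
        return 0 if self._locked else self._max_attempts - self._failures

    def verify(self, pin: str, now: Optional[float] = None) -> bool:
        """Return True only for the correct PIN on an unlocked, unthrottled store.

        `now` is injectable for deterministic testing; production callers
        leave it as None and time.monotonic() is used.
        """
        now = time.monotonic() if now is None else now
        if self._locked:
            return False
        if now - self._last_attempt < self._min_interval:
            # Too soon after the previous attempt: refuse without consuming one.
            return False
        self._last_attempt = now
        if hmac.compare_digest(self._derive(pin), self._digest):
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= self._max_attempts:
            self._locked = True  # storage locked; alternative authentication required
        return False
```

In a real implementation the failure counter has to live inside the same tamper-resistant storage as the key it protects; a counter kept in ordinary memory or a plain file can be reset, which would turn the ten-attempt limit into no limit at all.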

Multi-factor authentication (MFA)

It’s recommended to implement MFA at all AAL levels, but while this is only a suggestion for AAL1, it’s mandatory for AAL2, and only phishing-resistant MFA methods are acceptable for AAL3.

Only cryptographic authentication methods are considered phishing-resistant: USB tokens, passkeys, and cryptographic keys stored in digital wallets conforming to SP 800-63C (distributed identification and authentication services). All cryptographic secrets must be stored in tamper-resistant systems (such as TPM or Secure Enclave). Synchronizing keys across devices and storing them in the cloud is permitted, provided each device meets the standard’s requirements. These provisions enable the use of passkeys across Android and iOS ecosystems.

To ensure resistance to phishing, authentication must be tied to the communication channel (channel binding) or verifier service name (verifier name binding). Examples of these approaches include client-authenticated TLS connections and the WebAuthn protocol from the FIDO2 specification. In simple terms, the client uses cryptography to confirm they’re connecting with the legitimate server rather than a fake one set up for AitM attacks.
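To make verifier name binding concrete, here is an added Python model of the WebAuthn assertion check described above; it is not code from the page, from NIST or from the FIDO Alliance. The relying-party identifier example.com, the expected origin and the constructed challenge are assumed values, and an HMAC under a shared key stands in for the credential's public-key signature so that the block runs with the standard library alone; only the verification logic is the point. A real browser would additionally refuse to use an RP ID that the page's origin does not belong to; this model leaves that out so the server-side origin check is seen failing on its own.

```python
import base64
import hashlib
import hmac
import json
import os

RP_ID = "example.com"                    # assumed relying-party identifier
EXPECTED_ORIGIN = "https://example.com"  # assumed legitimate web origin

# Stand-in for the credential key pair: a shared HMAC key held by the
# "authenticator" and the server. Real WebAuthn signs with a private key and
# the server verifies with the registered public key; only the verification
# logic around origin and RP ID binding is modelled here.
CREDENTIAL_KEY = os.urandom(32)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_assert(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Model of the browser + authenticator half of a WebAuthn 'get' ceremony.

    The browser, not the page's JavaScript, writes the origin it is actually
    displaying into clientDataJSON, which is then covered by the signature.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData: rpIdHash (32 bytes) || flags (UP = 0x01) || signCount (4 bytes)
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": authenticator_data, "signature": signature}


def server_verify(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party checks: type, challenge, origin (verifier name binding), rpIdHash, signature."""
    try:
        client = json.loads(assertion["clientDataJSON"])
    except (ValueError, KeyError):
        return False, "malformed clientDataJSON"
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    # This is the check that defeats a relay (AitM) page: the signed origin is
    # whatever site the user was really on, not the one the page claims to be.
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client.get('origin')!r} is not the registered verifier"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"
```

A one-time code typed into a look-alike page carries no information about where it was typed, which is why the standard does not count it as phishing-resistant; the assertion above fails verification precisely because the origin is part of what gets signed.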

Time-based one-time passwords (TOTP) from authenticator apps, SMS codes, and one-time codes from scratch cards or envelopes are not phishing-resistant but are permitted for AAL1 and AAL2 services. The standard specifies which methods for handling one-time codes don’t qualify as MFA and must be avoided. One-time codes should not be sent through email or VoIP — they must be delivered over a communication channel that’s separate from the primary authentication process. OTPs sent through SMS and traditional telephone lines are acceptable — even if both connections (for example, internet and SMS) are on the same device.

Use of biometrics

The standard restricts the use of biometrics — they may serve as an authentication factor, but are prohibited for identification. Biometric checks must be used only as a supplemental factor combined with proof of possession (for example, a smartphone or token — something you physically possess).

Biometric equipment and algorithms must ensure a false match rate (FMR) no greater than 1 in 10,000, and a false non-match rate (FNMR) no greater than 5%. These accuracy rates must be consistent across all demographics. The verification algorithm must also be resistant to presentation attacks in which the sensor is shown a photo or video instead of a live person.

After generating and verifying a cryptographic “fingerprint” from biometric data, the standard mandates immediate deletion (zeroing out) of collected biometric data.

Like other authentication methods, biometric checks must include limits on input rate and the number of unsuccessful attempts.

Security and privacy settings in ASICS Runkeeper | Kaspersky official blog
https://www.kaspersky.co.uk/blog/running-apps-privacy-settings-part6-asics-runkeeper/28374/
Tue, 05 Nov 2024 10:34:30 +0000

We’ve already discussed how most tracking apps provide minimal protection for your personal data by default. Routes and workout times, your fitness data and photos from your runs are usually publicly available online unless you explicitly block them. The consequences, as we’ve written, can be disastrous — ranging from leaks of secret facility locations to stalking and even attempted murder.

To avoid this, you need to configure both your smartphone in general and running apps in particular. You can find our instructions for the most popular running trackers via these links: Strava, Nike Run Club, MapMyRun, adidas Running.

Today, wrapping up our review of training-app privacy settings, we’ll explain how to properly configure ASICS Runkeeper (for both Android and iOS).

Like other major sportswear brands like Nike and adidas, the Japanese company ASICS, well-known for its running shoes, didn’t try to reinvent the wheel. Instead, it just acquired the popular running tracking app Runkeeper, and didn’t even rename it — simply adding its brand name to give us ASICS Runkeeper.

The privacy settings in ASICS Runkeeper — like in the other running apps — are not so easy to find. If you click on the gear icon in the upper left corner of the main screen, you won’t find them there — those are activity settings. Instead, click Me in the lower left corner, then click the gear icon in the upper right corner, and on the next page, select Privacy Settings.

Where to find privacy settings in ASICS Runkeeper: Me → Settings → Privacy Settings

These settings are basic — there are only three items on the page. The key thing to do here is to make sure the switch next to Public Account is turned off. I also recommend going into the Maps and Activities sections and changing the visibility from Followers to Only Me (in Runkeeper, the Everyone option appears only for public accounts).

ASICS Runkeeper’s privacy settings are quite minimal

It’s also a good idea to adjust the types of notifications ASICS Runkeeper can send you (there are many in the settings) by going back to Settings and choosing Push Notifications. Next to that option, there’s an Email Notifications section where you can turn off email notifications from the app.

Finally, if you decide to stop using Runkeeper, don’t forget to delete your data from the app. You can do this by going to Settings → Account Settings → Delete Account. You can also download your data before deleting it.

If you use other tracking apps for your workouts, you can configure their privacy settings using our guides for Strava, Nike Run Club, MapMyRun, and adidas Running.

To learn how to configure privacy in other apps — from social networks to browsers — visit our website Privacy Checker.

And Kaspersky Premium will maximize your privacy protection and prevent digital identity theft across all your devices.

Don’t forget to subscribe to our blog to get more instructions and useful articles so that scammers will always… eat your dust.

Improvements to our SIEM for Q3 2024 | Kaspersky official blog
https://www.kaspersky.co.uk/blog/siem-update-q3-2024/28369/
Sat, 02 Nov 2024 16:51:50 +0000

Clearly, the sooner malicious actions come to the attention of security solutions and experts, the more effectively they’re able to minimize, or even prevent damage. Therefore, while working on new detection rules for our SIEM system, the Kaspersky Unified Monitoring and Analysis Platform, we pay special attention to identifying attackers’ activity at the very initial stage of an attack, when they try to collect information about infrastructure. We’re talking about activity related to the discovery tactics according to the Enterprise Matrix MITRE ATT&CK Knowledge Base classification.

Modern attackers are increasingly paying attention to containerization infrastructure, which is where rather dangerous vulnerabilities are sometimes found. For example, our May report on exploits and vulnerabilities describes the CVE-2024-21626 vulnerability, which allows for a container escape. That’s why in our Q3 2024 SIEM system update, among the rules for identifying atypical behavior that may indicate attacker activity at the initial data collection stage, we’ve added detection rules that catch (i) attempts to collect data on the containerization infrastructure, and (ii) traces of various attempts to manipulate the containerization system itself.

This was done by adding detection rules R231, R433, and R434, which are already available to Kaspersky Unified Monitoring and Analysis Platform users through the rule update system. In particular, they’re used to detect and correlate the following events:

  • access to credentials inside a container;
  • launching a container on a non-container system;
  • launching a container with excessive privileges;
  • launching a container with access to host resources;
  • collecting information about containers using standard tools;
  • searching for weak spots in containers using standard tools;
  • searching for security vulnerabilities in containers using special utilities.
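The event categories in the list above can be illustrated with a small detector run over constructed container-platform events. The following Python is an added example; it is not the platform's rules R231, R433 or R434 and not code from Kaspersky. The event schema, its field names, the sensitive-path list and the discovery-tool list are the example's own assumptions.

```python
from dataclasses import dataclass, field

# Host paths whose mounting into a container gives it a view of, or control
# over, the host. "/" is handled separately because every path starts with it.
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/sys", "/root", "/var/run/docker.sock", "/run/docker.sock")
# Command prefixes of standard tools used to enumerate containers (discovery).
DISCOVERY_TOOLS = ("docker ps", "docker inspect", "kubectl get", "crictl ps", "ctr containers")
# Locations where credentials typically live inside a container.
SECRET_PATHS = ("/var/run/secrets/", "/run/secrets/", ".docker/config.json", ".kube/config")


@dataclass
class Event:
    """Simplified container-platform event (constructed schema; field names are assumed)."""
    kind: str                      # "container_start" or "process_exec"
    host: str
    container_host: bool = True    # is this host designated to run containers?
    privileged: bool = False
    pid_mode: str = ""             # e.g. "host"
    network_mode: str = ""         # e.g. "host"
    mounts: list = field(default_factory=list)  # host-side source paths
    inside_container: bool = False
    cmdline: str = ""


def _is_sensitive_mount(path: str) -> bool:
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def evaluate(ev: Event) -> list:
    """Return the findings a single event triggers (empty when benign)."""
    findings = []
    if ev.kind == "container_start":
        if not ev.container_host:
            findings.append("container launched on a non-container system")
        if ev.privileged:
            findings.append("container launched with excessive privileges (--privileged)")
        if "host" in (ev.pid_mode, ev.network_mode):
            findings.append("container shares a host namespace")
        for m in ev.mounts:
            if _is_sensitive_mount(m):
                findings.append(f"container launched with access to host resource {m}")
    elif ev.kind == "process_exec":
        if ev.inside_container and any(p in ev.cmdline for p in SECRET_PATHS):
            findings.append("access to credentials inside a container")
        if any(ev.cmdline.startswith(t) for t in DISCOVERY_TOOLS):
            findings.append("container enumeration with standard tools")
    return findings


def correlate(events) -> dict:
    """Group findings per host so that several weak signals on one host stand out."""
    by_host = {}
    for ev in events:
        for finding in evaluate(ev):
            by_host.setdefault(ev.host, []).append(finding)
    return by_host


# Constructed sample events: one benign start, one dangerous start, two execs.
SAMPLE_EVENTS = [
    Event("container_start", "node-1", mounts=["/data/app"]),
    Event("container_start", "build-srv", container_host=False, privileged=True,
          pid_mode="host", mounts=["/var/run/docker.sock", "/etc"]),
    Event("process_exec", "node-1", inside_container=True,
          cmdline="cat /var/run/secrets/kubernetes.io/serviceaccount/token"),
    Event("process_exec", "node-1", cmdline="docker ps -a --format {{.Names}}"),
]

if __name__ == "__main__":
    for host, findings in correlate(SAMPLE_EVENTS).items():
        print(host, findings)
```

Each finding on its own is a weak signal (administrators do run `docker ps`, and some workloads legitimately need host networking); the value comes from correlating them per host and per time window, which is what a SIEM rule set does on top of event matching like this.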

Considering the above-described update, there are now more than 659 rules available on the platform, including 525 rules with direct detection logic.

We continue to align our detection rules with the Enterprise Matrix MITRE ATT&CK Knowledge Base, which today describes 201 techniques, 424 sub-techniques, and thousands of procedures. As of today our solution covers 344 MITRE ATT&CK techniques and sub-techniques.

In addition, we’ve improved many old rules by correcting or adjusting conditions – for example, to reduce the number of false positives.

New and improved normalizers

In the latest update, we’ve also added to our SIEM system normalizers that allow you to work with the following event sources:

  • [OOTB] OpenLDAP
  • [OOTB] Avaya Aura Communication Manager syslog
  • [OOTB] Orion soft Termit syslog
  • [OOTB] Postfix
  • [OOTB] Barracuda Web Security Gateway syslog
  • [OOTB] Parsec ParsecNET
  • [OOTB] NetApp SnapCenter file
  • [OOTB] CommuniGate Pro
  • [OOTB] Kaspersky Industrial CyberSecurity for Networks 4.2 syslog
  • [OOTB] Yandex Cloud
  • [OOTB] Barracuda Cloud Email Security Gateway syslog

Our experts have also improved normalizers for these sources:

  • [OOTB] Yandex Browser
  • [OOTB] Citrix NetScaler syslog
  • [OOTB] KSC from SQL
  • [OOTB] Microsoft Products for KUMA 3
  • [OOTB] Gardatech Perimeter syslog
  • [OOTB] KSC PostgreSQL
  • [OOTB] Linux auditd syslog for KUMA 3.2
  • [OOTB] Microsoft Products via KES WIN
  • [OOTB] PostgreSQL pgAudit syslog
  • [OOTB] ViPNet TIAS syslog

You can find the full list of supported event sources in the Kaspersky Unified Monitoring and Analysis Platform version 3.2 in the technical support section of our web site, where you can also get more information about correlation rules. We’ll continue to write about improvements to our SIEM system in future posts that can be found via the SIEM tag.

Backdoor in coding test on GitHub | Kaspersky official blog
https://www.kaspersky.co.uk/blog/rat-in-coding-task-on-github/28367/
Thu, 31 Oct 2024 15:49:10 +0000

Software developers tend to be advanced computer users at the very least, so you could assume they’d be more likely to spot and thwart a cyberattack. However, experience shows that no one is fully immune to social engineering — all it takes is the right approach. For IT professionals, such an approach might involve the offer of a well-paid job at a high-profile company. Chasing a dream job can make even seasoned developers lower their guard and act like kids downloading pirated games. And the real target (or rather — victim) of the attack might be their current employer.

Recently, a new scheme has emerged in which hackers infect developers’ computers with a backdoored script disguised as a coding test. This isn’t an isolated incident, but just the latest iteration of a well-established tactic. Hackers have been using fake job offers to target IT specialists for years — and in some cases with staggering success.

You might think that the consequences should remain the particular individual’s problem. However, in today’s world, it’s highly likely that the developer uses the same computer for both their main work and the coding test for the new role. As a result, not only personal but also corporate data may be at risk.

Fake job posting, crypto game, and a $540 million heist

One of the most notorious cases of fake job ads used for malicious purposes was witnessed in 2022. Hackers managed to contact (likely through LinkedIn) a senior engineer at Sky Mavis, the company behind the crypto game Axie Infinity, and offer him a high-paying position.

Enticed by the offer, the employee diligently went through several stages of the interview set up by the hackers. Naturally, it all culminated in a “job offer”, sent as a PDF file.

The document was infected. When the Sky Mavis employee downloaded and opened it, spyware infiltrated the company’s network. After scanning the company’s infrastructure, the hackers managed to obtain the private keys of five validators on Axie Infinity’s internal blockchain — Ronin. With these keys they gained complete control over the cryptocurrency assets stored in the company’s wallets.

This resulted in one of the largest crypto heists of the century. The hackers managed to steal 173,600 ETH and 25,500,000 USDC, which was worth approximately $540 million at the time of the heist.

More fake job postings, more malware

In 2023, several large-scale campaigns were uncovered in which fake job offers were used to infect developers, media employees, and even cybersecurity specialists (!) with spyware.

One attack scenario goes like this: someone posing as a recruiter from a major tech company contacts the target through LinkedIn. After some back-and-forth, the target receives an “exciting job opportunity”.

However, to land the job, they must demonstrate their coding skills by completing a test. The test arrives in executables within ISO files downloaded from a provided link. Running these executables infects the victim’s computer with the NickelLoader malware, which then installs one of two backdoors: either miniBlindingCan or LightlessCan.

In another scenario, attackers posing as recruiters initiate contact with the victim on LinkedIn, but then smoothly transition the conversation to WhatsApp. Eventually they send a Microsoft Word file with the job description. As you might guess, this file contains a malicious macro that installs the PlankWalk backdoor on the victim’s computer.

Yet another variation of the attack targeting Linux users featured a malicious archive titled “HSBC job offer.pdf.zip”. Inside the archive was an executable file disguised as a PDF document. Interestingly, in this case, to mask the file’s true extension, the attackers used an exotic symbol: the so-called one dot leader (U+2024). This symbol looks like a regular period to the human eye but is read as a completely different character by the computer.

Once opened, this executable displays a fake PDF job description while, in the background, launching the OdicLoader malware, which installs the SimplexTea backdoor on the victim’s computer.

Fake coding test with a Trojan on GitHub

A recently discovered variation of the fake job attack starts similarly. Attackers contact an employee of the target company pretending to be recruiters seeking developers.

When it comes to the interview, the victim is asked to complete a coding test. However, unlike the previous variations, instead of sending the file directly, the criminals direct the developer to a GitHub repository where it is stored. The file itself is a ZIP archive containing a seemingly innocuous Node.js project.

However, one component of this project contains an unusually long string, specially formatted to be overlooked when scrolling quickly. This string holds the hidden danger: heavily obfuscated code that forms the first stage of the attack.

When the victim runs the malicious project, this code downloads, unpacks, and executes the code for the next stage. This next stage is a Python file without an extension, with a dot at the beginning of the filename signaling to the OS that the file is hidden. This script launches the next step in the attack — another Python script containing the backdoor code.
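The three tells described in this section (a filename that uses a period look-alike such as U+2024 to hide the real extension, a hidden file with no extension, and a source line long enough that its payload sits off-screen) can all be checked mechanically before a "test project" is ever run. The scanner below is an added, defender-side illustration written for this article; it is not code from Kaspersky or from the campaign. The look-alike characters other than U+2024, the 1000-character line threshold, the allowlist of familiar dotfiles, and the throwaway project it builds in a temp directory are all assumptions made for the demo.

```python
import tempfile
from pathlib import Path

# Code points that render like an ASCII period. U+2024 ONE DOT LEADER is the
# one named in the article; the others are assumed extras for wider coverage.
PERIOD_LOOKALIKES = {
    "\u2024": "ONE DOT LEADER",
    "\u2027": "HYPHENATION POINT",
    "\uff0e": "FULLWIDTH FULL STOP",
    "\u3002": "IDEOGRAPHIC FULL STOP",
    "\ufe52": "SMALL FULL STOP",
}
# Hidden, extensionless files that legitimately appear in Node.js projects (assumed list).
KNOWN_DOTFILES = {".gitignore", ".npmrc", ".npmignore", ".editorconfig", ".nvmrc", ".env"}
LONG_LINE_THRESHOLD = 1000            # assumed cut-off for "unusually long"
SOURCE_EXTENSIONS = {".js", ".mjs", ".cjs", ".ts", ".json"}


def lookalike_chars(name: str):
    """Return (char, Unicode name) for every period look-alike in a filename."""
    return [(ch, PERIOD_LOOKALIKES[ch]) for ch in name if ch in PERIOD_LOOKALIKES]


def longest_line(path: Path):
    """Return (line_number, length) of the longest line in a text file."""
    best = (0, 0)
    with path.open("r", encoding="utf-8", errors="replace") as fh:
        for number, line in enumerate(fh, 1):
            if len(line) > best[1]:
                best = (number, len(line))
    return best


def scan_tree(root, long_line_threshold=LONG_LINE_THRESHOLD):
    """Walk an unpacked project and return (kind, relative_path, detail) findings."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if "node_modules" in path.parts:      # third-party code: out of scope here
            continue
        rel = path.relative_to(root).as_posix()
        for ch, cname in lookalike_chars(path.name):
            findings.append(("confusable_filename", rel, f"U+{ord(ch):04X} {cname}"))
        if not path.is_file():
            continue
        name = path.name
        if name.startswith(".") and "." not in name[1:] and name not in KNOWN_DOTFILES:
            findings.append(("hidden_extensionless_file", rel, "not a known dotfile"))
        if path.suffix.lower() in SOURCE_EXTENSIONS:
            line_no, length = longest_line(path)
            if length > long_line_threshold:
                findings.append(("long_line", rel, f"line {line_no} is {length} chars"))
    return findings


def build_sample_project():
    """Create a constructed Node.js-style project in a temp dir for the demo."""
    root = Path(tempfile.mkdtemp(prefix="coding_test_demo_"))
    (root / "src").mkdir()
    (root / ".gitignore").write_text("node_modules/\n", encoding="utf-8")
    (root / "package.json").write_text(
        '{"name": "coding-test", "main": "src/index.js"}\n', encoding="utf-8")
    (root / "src" / "index.js").write_text(
        "require('./config');\nconsole.log('hello');\n", encoding="utf-8")
    # Constructed stand-in for a padded one-liner: harmless, but far wider than a screen.
    (root / "src" / "config.js").write_text(
        "module.exports = {};\nvar blob = \"" + "A" * 1500 + "\";\n", encoding="utf-8")
    # Constructed stand-in for the hidden, extensionless second stage.
    (root / ".cache").write_text("print('constructed placeholder')\n", encoding="utf-8")
    # Constructed stand-in for a file whose "extension" is split by U+2024.
    (root / "job offer\u2024pdf").write_text("constructed placeholder\n", encoding="utf-8")
    return root


def demo():
    """Build the sample project and return the scanner's findings."""
    return scan_tree(build_sample_project())


if __name__ == "__main__":
    for kind, rel, detail in demo():
        print(f"{kind:26} {rel:22} {detail}")
```

A clean project returns an empty list; anything flagged deserves a look before `npm install` or `node` is run, and the hidden-file and long-line checks are heuristics, so a hit is a prompt to inspect, not a verdict.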

Thus, the victim’s computer ends up with malware that can maintain continuous communication with the command-and-control server, execute file system commands to locate and steal sensitive information, download additional malware, steal clipboard data, log keystrokes, and send the collected data to the attackers.

As with the other variations of this scheme, the hackers count on the victim using their work computer to complete the “interview” and run the “test”. This allows the hackers to access the infrastructure of the target company. Their subsequent actions can vary, as history shows: from trojanizing software developed by the victim’s company to direct theft of funds from the organization’s accounts, as seen in the Sky Mavis case mentioned at the beginning of this article.

How to protect yourself

As we noted above, there’s currently no bulletproof defense against social engineering. Virtually anyone can be vulnerable if the attacker finds the right approach. However, you can make the task significantly more challenging for attackers:

How to stay on top of your subscriptions and save money | Kaspersky official blog
https://www.kaspersky.co.uk/blog/subscrab-custom-subscription-manager/28361/ Wed, 30 Oct 2024 10:08:26 +0000

Subscriptions are everywhere these days. So much so, it’s becoming increasingly difficult to keep track of them all. More often than not, we drastically — by more than 2.5x! — underestimate how much we spend, because those small recurring charges fly under the radar and don’t add up to a clear picture in our minds. Yet, statistics* show that many users in developed countries spend annually the equivalent of a month’s salary on subscriptions.

Our research* indicates the average subscriber globally spends $938 annually on 12 subscriptions. Leading the pack are US residents — averaging 18 subscriptions totaling $2349 per year. Brazilians, Indians, and Russians average around 10 subscriptions — costing them $732 annually. Turks get the best deal, spending just $478 for 12 subscriptions.

Why such a disparity? The average cost of a single subscription in the US, Germany, and the UK ($12/month) is three times higher than in Russia ($4/month).

The average annual spend on subscriptions is comparable to a month's salary

The US government has even taken notice of this subscription management conundrum, recently announcing an initiative to simplify canceling unwanted services. But how did these subscriptions come to permeate every aspect of our lives?

The rise of subscription services

Historically, subscriptions have been a niche market since at least the 17th century — when people could pay a monthly fee for regular publications like newspapers, magazines, or book collection volumes. Even daily milk delivery — common in some countries since the mid-19th century — could be considered a subscription of sorts.

Cable television — offering hundreds of channels packed with movies, series and shows — reigned supreme as the most popular subscription of the late 20th century. When Netflix arrived, it didn’t need to reinvent the wheel — the audience was already primed.

Dollar Shave Club pioneered applying this business model to everyday goods. Since 2011, it’s delivered monthly shaving kits at prices significantly lower than retail. The company received 12,000 orders within the first 48 hours of its launch.

Over the past decade, subscriptions have expanded to encompass practically everything — from weekly meal kits and daily fresh socks to… monthly deliveries of real animal bones for collectors and accessories for backyard chicken farmers.

Among the strangest subscriptions are cooking kits with recipes and vinyl records, and even houseplants — delivered monthly

Subscriptions weren’t initially popular in the software world. Most applications were sold in beautiful boxes, on floppy disks or CDs, requiring a hefty one-off payment. But once purchased, you could use the application indefinitely. The few exceptions to this rule were applications needing frequent updates, such as antivirus software, which adopted the subscription model back in the 1990s.

Subscriptions began to penetrate the software sphere with the rise of cloud services, which store user data on the providers’ servers: Dropbox, web hosting, and so on. Here, recurring payments made sense. However, software companies then realized that recurring payments ultimately generate more revenue than one-time purchases. As a result, they started shoehorning the subscription model onto services that didn’t inherently require regular updates or ongoing vendor involvement. Today, you can subscribe to traditionally “boxed” products like office suites, as well as gaming services, music services, and much more. There are even blatantly exploitative offers like a subscription-based calculator.

“Multi-subscriptions” bundling various services under a single payment are gaining traction. Sometimes these services are at least related — like Microsoft 365 — but there are also more complex hybrids like Amazon Prime, which combines free shipping, movies, music, games, discounts on groceries, fuel, medications, and much more. Seemingly convenient, it makes evaluating and managing these subscriptions even more complex.

The most popular subscriptions worldwide

The number of subscriptions per person will likely continue to rise as the vast majority of new software products are released exclusively under a subscription model. Subscription prices are also steadily increasing — over the past two years, the cost of some subscriptions has increased by nearly a third. That’s why subscriptions need to be monitored carefully.

Why managing subscriptions is difficult

With subscriptions so ubiquitous, managing them becomes another basic healthy habit akin to daily exercise or meticulously tracking finances. Not everyone is up to the task. Several technical and psychological factors make it easier to let subscriptions run wild than to actively manage them.

Forgetting to unsubscribe. The very thing that attracts app and service creators to subscriptions is a drawback for customers. It’s not often that people decisively tell themselves, “I’m done with this service!” They typically just use it less and less, eventually forgetting about it for months. Meanwhile, the charges continue. According to various sources, users spend from £39 to $133 monthly on unused subscriptions.

Accumulated data. Migrating data accumulated within a service can be a major hassle. Even after deciding to unsubscribe, people continue paying to avoid losing their data. Sometimes the need for migration dawns just days before renewal, leading users to pay for another year just to buy time for data export.

Duplicate features. For example, subscribing to both Microsoft 365 and Dropbox essentially results in paying twice for cloud storage, as Microsoft 365 includes a direct alternative to Dropbox called OneDrive.

Duplicate subscriptions. Confusing interfaces or poor communication between family members can lead to multiple subscriptions for the same service. Different devices may have different accounts for the same service — each incurring separate charges.

Difficult cancellation process. Some services make unsubscribing incredibly complicated, so frustrated users keep putting it off. As a result, subscriptions can linger around for months or even years, completely unused — but paid for. That’s why the US government decided to step in to streamline cancellation, requiring companies to make it just as simple as subscribing and to make contacting a live support agent easier.

How to get your subscriptions under control

One way to organize your digital life in a subscription-driven world is to cultivate the good habit of diligently documenting your household’s subscriptions as soon as they’re activated and periodically making sure they’re still in use. Even more critical is analyzing every service before subscribing. Will you really be using it regularly? Is pay-as-you-go, or even better, a one-time purchase available? Service and app providers tend to loudly advertise subscription options on their websites while burying alternative payment options like one-time purchases. If you can’t find them, a site-specific Google search may help — just be sure you’re purchasing legitimate software from the official website and not malware from a fake site.

When it comes to “subscription accounting”, the dedicated subscription management service SubsCrab can help. It keeps track of all your subscriptions and sends advance notifications about upcoming payments and subscription expirations. The hardest (and most tedious) part of keeping track of subscriptions is recording them immediately, but SubsCrab can help with this, too. You can connect it to your mailbox, and in some countries to incoming bank statements, and it will automatically scan these sources to detect new subscriptions. This way, all your services will gradually be accounted for, including forgotten ones — and unexpected bank charges reduced. Additionally, SubsCrab lets you manually add other recurring payments, like a mortgage. For more details on the features and settings of SubsCrab, check our review.

Make sure to let your family members know about the new system, and regularly review your subscriptions to cancel those that are no longer needed. Before renewing a subscription, be sure to check the SubsCrab app — it tracks special offers and promo codes, helping you make significant savings on renewals.

* Statistics are based on anonymized data from SubsCrab users (over 150,000 users worldwide, excluding China, from January 2023 to August 2024). This may not reflect the entire market but is representative of a certain audience of users who actively track their subscriptions.

How to track Kia car owners online | Kaspersky official blog
https://www.kaspersky.co.uk/blog/tracking-and-hacking-kia-cars-via-internet/28353/ Mon, 28 Oct 2024 13:18:30 +0000

A group of security researchers discovered a serious vulnerability in the web portal of the South Korean car manufacturer Kia, which allowed cars to be hacked remotely and their owners tracked. To carry out the hack, only the victim’s car license plate number was needed. Let’s dive into the details.

Overly connected cars

If you think about it, in the last couple of decades, cars have essentially become big computers on wheels. Even the less “smart” models are packed with electronics and equipped with a range of sensors — from sonars and cameras to motion detectors and GPS.

And not only that; in recent years, these computers have been constantly connected to the internet — with all the ensuing risks. Not long ago, we wrote about how today’s cars collect huge amounts of data about their owners and send it to the manufacturer. Moreover, the manufacturers also sell this collected data to other companies — particularly insurers.

However, there’s another side to this issue: being constantly connected to the internet means that, if there are vulnerabilities — either in the car itself or in the cloud system it communicates with — someone could exploit them to hack the system and track the car’s owner without the manufacturer even knowing.

The so-called “head unit” of a car is just the tip of the iceberg; in fact, today’s cars are stuffed with electronics

One bug to rule them all, one bug to find them

This is exactly what happened in this case. Researchers found a vulnerability in Kia’s web portal, which is used by Kia owners and dealers. It turned out that by using the API, the portal allowed anyone to register as a car dealer with just a few fairly simple moves.

The Kia portal in which a serious vulnerability was discovered. Source

This gave the attacker access to features that even car dealers shouldn’t have — at least, not once the vehicle has been handed over to the customer. Specifically, the portal permits first finding any Kia car, and then accessing the owner’s data (name, phone number, email address, and even physical address) — all with just the vehicle’s VIN.

It should be noted that VIN numbers aren’t exactly secret information — in some countries, they’re publicly available. For instance, in the USA there are many online services you can use to look up a VIN number using a car’s license plate number.

A general scheme of the Kia web portal attack, allowing control over any car using its VIN number. Source

After successfully finding the car, the attacker can use the owner’s data to register any attacker-controlled account in Kia’s system as a new user for the vehicle. From there, the attacker would gain access to various functions normally available to the car’s actual owner through the mobile app.

What’s particularly interesting is that all these features weren’t just available to the dealer who sold that car, but to any dealer registered in Kia’s system.

Hacking a car in seconds

The researchers then developed an experimental app that could take control of any Kia vehicle within seconds simply by entering its license plate number into the input fields. The app would automatically find the car’s VIN through the relevant service and use it to register the vehicle to the researchers’ account.

The researchers even created a handy app to simplify hacking — all you need is the Kia car’s license plate number. Source

After that, a single button press in the app would allow the attacker to obtain the vehicle’s current coordinates, lock or unlock the doors, start or stop the engine, or honk the horn.

The app could be used to obtain the hacked car’s coordinates and send commands. Source

It’s important to note that in most cases these functions wouldn’t be enough to steal the car. Modern models are usually equipped with immobilizers, which require the physical presence of the key to be disabled. There are some exceptions, but generally these are the cheapest cars that are unlikely to be of much interest to thieves.

Nevertheless, this vulnerability could easily be used to track the car owner, steal valuables left inside the car (or plant something there), or simply disrupt the driver’s life with unexpected actions from the vehicle.

The researchers followed responsible disclosure protocol, informing the manufacturer of the issue and only publishing their findings after Kia fixed the bug. However, they note that they’ve found similar vulnerabilities before and are confident they’ll continue to discover more in the future.

Security and privacy settings in adidas Running | Kaspersky official blog
https://www.kaspersky.co.uk/blog/running-apps-privacy-settings-part5-adidas-running-2/28340/ Thu, 24 Oct 2024 11:51:10 +0000

As we’ve discussed before, one does not simply install a fitness tracking app and start using it straight away without first configuring the privacy settings both on the phone and in the app itself. With default settings, these apps often share full details of your workouts with the entire internet, including your precise location. And criminals and fraudsters can use this data for their nefarious purposes.

If you care even in the slightest about your privacy, check out our previously published guides for general smartphone settings and other popular fitness apps: Strava, Nike Run Club, and MapMyRun. Today’s post is for all fans of the famous three stripes: we’ll be setting up privacy in the adidas Running app (available for Android and iOS).

Formerly known as Runtastic, this fitness app now belongs to Europe’s largest sportswear manufacturer and is simply called adidas Running. While adidas Running doesn’t offer as granular privacy controls as, say, Strava, it’s still crucial to make sure everything is configured correctly.

To access the privacy settings in adidas Running, tap Profile in the bottom right corner, then the cog icon in the top right, then select Privacy.

Where to find the privacy settings in adidas Running (Runtastic): Profile → Settings → Privacy

The first thing you’ll want to check is the Maps section (who can see your maps) — make sure it’s set to either Followers or, even better, Only me.

Next, do the same for Activity (who can see your activity) — again, select either Followers or Only me. The remaining settings are slightly less critical, but it’s still a good idea to ensure they’re also set to at least Followers or, ideally, Only me.

Recommended privacy settings in adidas Running (Runtastic)

I also recommend toggling off the switches at the bottom of the page next to Follower suggestions and Join running leaderboard. The app won’t be bothering you as much.

Finally, consider disabling excessive notifications from adidas Running. Go back to Settings, select Notifications, and go through the (rather extensive) list of options.

If you decide to stop using adidas Running altogether, remember to delete your profile data. To do this, go to Settings → Account, tap the big red Delete account button, and follow the prompts.

If you use other fitness apps to track your workouts, you can set their privacy settings using our guides:

You can also learn how to configure privacy in other apps — from social networks to browsers — on our website Privacy Checker.

And Kaspersky Premium will maximize your privacy protection and shield you from digital identity theft on all your devices.

Don’t forget to subscribe to our blog to stay ahead of scammers with more guides and helpful articles.

ID card selfie: pros and cons | Kaspersky official blog
https://www.kaspersky.co.uk/blog/is-it-safe-to-take-selfie-with-passport/28333/ Wed, 23 Oct 2024 13:21:24 +0000

“Please upload a selfie with your ID to verify your identity” — such requests are becoming increasingly common for various online services. Banks, car rental services, even potential employers or landlords may ask for such photos.

Whether you should share your confidential data in this way or not is a personal decision. We’ve laid out all the pros and cons, and prepared tips on how to protect yourself if you do need to take such a selfie.

Should you take a selfie with your documents?

Without an “ID selfie”, you may not be able to install certain banking apps, register for services like car sharing, or quickly apply for a loan. The choice here is very straightforward.

Want to use these services? Take a photo. Worried about the security of your data? Don’t take a photo. But then, for example, you won’t be able to make a bank transfer, rent a car quickly, or solve your financial issues with an instant loan. The stakes are obvious: either you gain access to these services, or you prioritize your own safety.

A common argument from those who choose to take ID selfies is that their data has already been leaked multiple times, so they’re not afraid of potential security risks. Well, if you’re dishing out the ID card selfies left and right, using the same password like “12345” across all accounts for years, it’s likely that your data has already been compromised.

To know for certain whether your data has been leaked or not, use our protection, and in the Data Leak Checker section, provide all the email addresses that you (or your loved ones) may have used to register for online services. Users of Kaspersky Premium can also check their phone numbers in the Identity Theft Check section. Then, our app will automatically search for data leaks in the background, notify you if any are found, and advise what needs to be done in each case.

What could go wrong?

Unfortunately, with rare exceptions, we can almost never know how companies actually store and process our data. Normally, all that users get to hear about their personal data is that its security is taken very seriously and therefore it’s stored very carefully. You’ll agree that this kind of messaging doesn’t inspire much confidence — especially when it’s not backed up by anything except a privacy policy page on the website.

Often, services store your data for too long. For example, one popular European car-sharing company stores user data for as long as 10 years. In that time, you might change residence several times, quit driving, or simply forget about the car-sharing service — but your personal information will still be stored on the company’s servers. And since, according to the agreement, the company can transfer client data to third parties, then theoretically your ID-card selfie could end up in someone else’s hands without your knowledge. And this is not an example of a “bad” company, but a harsh reality: almost all organizations that request IDs during registration process your data under similar conditions. And that’s just the official side — we haven’t mentioned leaks…

Data transmission will be carried out according to the European security regulations, but this is not guaranteed

Data leaks from car-sharing companies are a classic issue: such companies have been subject to hacker attacks since their inception. Sometimes these leaks lead to absurd situations. In Russia, criminals registered fake accounts in car-sharing services using stolen passport photos, then booked expensive cars, violated traffic laws, and caused accidents. Where did they get the data? From leaks of customer data from other car-sharing companies!

And we shouldn’t forget the more obvious threat — unexpected loans. Of course, large banks are unlikely to issue a loan based solely on an ID selfie, but less accountable organizations that hand out microloans to practically anyone — sure thing. And if you suddenly find a dozen such loans in your name, it’s bad news. Not to mention the fact that another unreliable company now has your ID selfie.

These ID card selfies are a universal tool in the hands of criminals. In addition to the above scenarios, fraudsters can open a shell company in your name or register a SIM card using your identity to break the law in various ways. And the more services support remote online registration — the greater the risks of taking selfies with ID cards.

Criminals have long been selling sets of photos and videos of people holding white sheets of paper the size of standard documents on underground websites to forge photos and bypass standard KYC (Know Your Customer) procedures. And if they get hold of a real selfie with a passport — it’s a goldmine…

How to reduce the risks

Unfortunately, despite the significant risks, sometimes we may still have to take these photos. So the best we can do is approach the process with maximum care. How to protect yourself?

  • Study the company’s privacy policy. Before sending your document selfies, find out everything you can about the company. Check where and by whom your data will be processed, how long it will be stored, and whether the company can pass customer information to law enforcement, third parties, or even to other countries.
  • Investigate the company’s history of data leaks. Find out if there have been any customer data leaks. If there have, did they occur more than once? What kind of information was leaked? How did the company respond to the breach? You can find this out using search queries like Company_Name data leaks, or Company_Name data breaches.
  • Add watermarks to your selfie. If you decide it’s worth the risk, add watermarks to the selfie with the name of the service you’re sending it to. This can be done easily on your smartphone using the built-in photo editor to overlay semi-transparent text, or by using free apps – there are plenty of them in any app store. This way, even if the photo leaks, it will be much harder for criminals to use it to register with another service.
  • Send the photo through the official app or website of the service. Do not use messengers or email to send document selfies.
  • Delete the selfie immediately after sending if your device lacks reliable protection. Don’t forget to remove the selfie from your messages (if possible) and from the Recently Deleted folder on your smartphone or the recycle bin on your computer.
  • Regularly check your credit history. Check with your bank to find out how to be notified promptly of changes to your credit history.
  • Use maximum protection for all your devices alerting you to identity theft and data leaks.
  • Use Kaspersky Password Manager Identity Protection Wallet to store and share sensitive documents and photos encrypted across all your devices.
  • Compare the value of the service being provided against the value of your ID card selfie. And absolutely never give out your personal data for monetary rewards.