Sleight of hand: more than 2,000 vulnerabilities found in the top 100 classifieds and service apps
More than 2,000 vulnerabilities have been found in the 100 most popular applications of this segment. Users are increasingly falling victim to account takeovers on popular online services, from rental and car-sale classifieds to job-search platforms. Fraudsters most often hijack an account by posing as company employees and asking the victim to change the password because of a "suspicious transaction". Details are in the Izvestia article.
How Russians' data leaks through gaps in applications
An analysis of the 100 most downloaded applications in the classifieds and online-services segment painted an alarming picture: more than 2,000 vulnerabilities were found in them, of which over 500 are rated critical or high severity. This was reported to Izvestia by AppSec.Sting. Overall, experts estimate that about 70% of mobile applications contain serious security gaps that hackers can exploit to reach users' personal data.
Gaps in the protection of internal data give hackers an opening for mass phishing, fake notifications and demands to pay for non-existent services. As a result, instead of a house by the sea, the user risks ending up with neither housing nor money, the company noted.
Fraudsters often pose as support staff and, through social engineering, convince victims to change their password or go through "verification". Because of mobile-application vulnerabilities, the user, suspecting nothing, may lose access to the account and even money, the company said.
The editors found people online who had faced exactly this problem. For example, a company that has been providing music services for more than five years lost access to its business account in one of these applications. In the spring of 2025, its profile was suddenly renamed, all of its ads were deleted, and when it tried to log in, its phone number and email were no longer accepted. Instead of the cover band's services, ads for flower sales appeared on the page, its representative wrote on one of the forums.
According to him, the scammers took advantage of a vulnerability in the system: email addresses were not completely masked and could easily be guessed. Knowing the address, the attackers contacted the support service and gained access to someone else's account. The company did manage to restore the account, but just an hour later the application blocked it again, and attempts to withdraw the money from the account, or to delete it in order to create a new one, were unsuccessful.
Another user shared his story online: he lost access to his account on one of the trading platforms while he was on vacation. For four years he had run a business through one of the applications, offering services from loading vehicles to lifting bulky cargo. The account held dozens of paid services, hundreds of ads, more than 100 positive reviews and a long-standing customer base. The money in the internal account and the paid subscription became unavailable. The user says he lost his main sales channel.
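The masking weakness described above, as an added illustration that is not the application's own code (the article does not say how the addresses were masked, so both mask functions and the wordlists below are constructed assumptions). A "partial" mask that keeps the first and last character of the local part, its exact length and the full domain lets a small wordlist single out the address, while a fixed-shape mask leaves a large set of candidates that the attacker cannot tell apart:

```python
"""Why an incompletely masked e-mail address is a recovery-flow weakness.

Added example; the two masking schemes are assumptions, not the app's code.
"""
from typing import Callable, List

# Constructed wordlists standing in for the names and mail providers an
# attacker would try against a masked address.
CANDIDATE_LOCAL_PARTS = [
    "ivan", "ivanov", "anna", "anton", "irina", "igor", "ilya",
    "coverband", "coverbandmsk", "music.band", "dj.ivan", "sales",
]
CANDIDATE_DOMAINS = ["mail.ru", "yandex.ru", "gmail.com", "bk.ru"]


def mask_weak(email: str) -> str:
    """Typical 'partial' mask: the first and last character of the local
    part, its exact length (one * per hidden character) and the full domain
    all survive, so the mask leaks almost everything an attacker needs."""
    local, domain = email.split("@", 1)
    if len(local) <= 2:
        hidden = "*" * len(local)
    else:
        hidden = local[0] + "*" * (len(local) - 2) + local[-1]
    return f"{hidden}@{domain}"


def mask_strong(email: str) -> str:
    """Fixed-shape mask: one leading character, a constant run of asterisks
    (no length leak) and only the top-level domain of the provider."""
    local, domain = email.split("@", 1)
    tld = domain.rsplit(".", 1)[-1]
    return f"{local[0]}***@***.{tld}"


def consistent_candidates(
    masked: str,
    mask_fn: Callable[[str], str],
    locals_: List[str] = CANDIDATE_LOCAL_PARTS,
    domains: List[str] = CANDIDATE_DOMAINS,
) -> List[str]:
    """Brute force the wordlist: every address whose mask equals `masked`.
    This is what an attacker does with a partially masked address."""
    return [
        f"{local}@{domain}"
        for local in locals_
        for domain in domains
        if mask_fn(f"{local}@{domain}") == masked
    ]


def anonymity_set_size(email: str, mask_fn: Callable[[str], str]) -> int:
    """How many wordlist addresses are indistinguishable from `email`
    once it has been masked with `mask_fn`. 1 means fully guessable."""
    return len(consistent_candidates(mask_fn(email), mask_fn))


if __name__ == "__main__":
    target = "ivanov@mail.ru"  # constructed victim address
    for name, fn in (("weak", mask_weak), ("strong", mask_strong)):
        print(f"{name:6s} {fn(target):16s} candidates left: "
              f"{anonymity_set_size(target, fn)}")
```

The point for the service owner is that a mask has to be judged by the size of the candidate set it leaves, not by how many characters it hides; and a support agent must never treat a caller's ability to name the address on file as proof of ownership, since the mask itself may have handed it over.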
These are far from the only schemes scammers use. Their arsenal is constantly updated with new techniques adapted to current events and audience behaviour.
According to Fedor Chunizhekov, head of the Positive Technologies research group, one of the most common schemes remains messages purportedly from the technical support of various services. The attackers warn of "suspicious activity" or a "threat of blocking" the account and, under this pretext, ask the victim to send their username, password, photos of documents or a one-time SMS code.
Another popular scheme is an offer of a premium subscription or extra features in the app for free or at a very attractive price. The victim is sent a link to a fake website that mimics the interface of the real service. Once the data is entered, the scammers have full access to the account.
How users can save their data
To avoid becoming a victim of hacking or fraud, it is important to follow basic but highly effective rules of digital hygiene. Do not follow links from suspicious messages, do not enter usernames and passwords on sites whose authenticity you are not sure of, and do not give in to overly generous offers or frightening notifications, as these are precisely the emotions scammers play on, said Dmitry Galov, head of Kaspersky GReAT in Russia.
"An important component of account protection is following a password policy: use a unique and complex combination for each account, change passwords regularly and store them securely, not as screenshots or notes but, for example, in dedicated solutions such as password managers," he said.
According to him, even the most reliable passwords will not provide one hundred percent protection, which is why the most effective method today remains multifactor authentication, which requires not only a password but also an additional confirmation, such as an SMS code or an authenticator app.
"If the user has doubts about whether the account has been compromised, they can look at the active sessions (if the service offers this): if an unfamiliar device appears in the list, it is better to end that session and change the password," he said.
Account protection is not only the user's responsibility. Companies are also required to take measures to secure their services and customer data. It is especially important to bear in mind that attackers often act through the human factor, that is, they deceive employees by playing on trust or ignorance, Fedor Chunizhekov emphasised. So the first thing an organisation should do is train its employees. They need to be reminded regularly about cyber threats, shown how to recognise them and told what to do in case of suspicious activity.
"Companies can use dedicated systems for technical protection. For example, EDR systems help protect work devices from malware. SIEM (security information and event management) and NTA (network traffic analysis) systems are needed to detect suspicious activity and respond quickly to incidents," he explained.
It is important to check the infrastructure for vulnerabilities regularly and fix them, the expert concluded.
Translated by Yandex Translate