By Jessica Ellis | September 8, 2022
Nearly half of stolen data on the Dark Web was marketed through Chat-Based Services in Q2 after a sharp increase in illegal transactions, according to the Agari and PhishLabs Quarterly Threat Trends & Intelligence Report.
The advertisement and exchange of stolen information on the Dark Web is volatile due to the constant threat of disruption or seizure by authorities. Often, when one site is removed, another emerges in its place to satisfy the demands within the Dark Web community. Because of this, the marketing and sharing methods of purloined data is constantly being modified.
Every quarter, PhishLabs analyzes hundreds of thousands of attacks targeting enterprises and our clients. In this blog, we analyze a sample set of client data representative of the underground landscape to identify the most recent threats on the Dark Web and who they are targeting. In this piece, the Dark Web is defined as the part of the web that cannot easily be indexed, and generally requires some technical obstacles to access.
Top Dark Web Threats
Credit and Debit Card Fraud accounted for nearly 70% of Dark Web incidents in Q2 after increasing 13.6%. Stolen card data is consistently the most marketed threat on the Dark Web. Corporate Credentials for Sale (Personally Identifiable Information) was the second most common Dark Web threat in Q2, accounting for 13.1% of share. This is despite a 13% decrease. The sale of Consumer Credentials was almost identical in share, after a 1% increase over Q1. Fraud Tools designed to compromise corporate networks contributed to 5% of share of Dark Web volume.
Top Targeted Industries
Financial Institutions were targeted the most in Q2, with nearly 79% of all Dark Web threats targeting Banks, Credit Unions, Other Financial Services, and Payment services. This is up from 73% in Q1. National and Regional Banks were the top abused industry, experiencing 40.1% of Dark Web attacks. Credit Unions were targeted nearly 10% more in Q2, and represented 30.3% of share of abuse. This is the greatest volume of attacks Credit Unions have endured in four quarters, suggesting that while threat actors continue to target large banking institutions, they are also pivoting to prey more often on smaller banks and credit unions with hopes that they lack the necessary funding and staff to maintain tight security parameters. Financial Services represented 6.8% of Dark Web abuse and were the only industry to experience a decline in share.
Telecom & ISPs were the third most targeted industry in Q2, contributing to 8.0% of abuse. Computer Software was targeted 3.1% in Q2, after a 1.5% increase in attacks. Staffing & Recruiting (2.1%), Dating (2.0%), and Retail (1.2%) all experienced declines in activity.
Where Stolen Data is Marketed
In Q2, more than 45% of share of stolen data was exchanged and sold on Chat-Based Services. This is a 24.1% increase over Q1 and the first increase for Chat-Based activity since Q3 2021. Carding Marketplaces dropped to the second most active group of services, decreasing nearly 14% over Q1. Carding Marketplaces specialize in the sale of account and card data.
Forums contributed to 18.7% of Dark Web exchanges, decreasing nearly 9% over Q1. Forums are often used to engage in unethical activity such as the exchange of hacking information, fraud tactics, and more. Stolen account-based data marketed on Credential Marketplaces increased 1.1% in Q2, making up 13.3% of share of Dark Web activity.
Dark Web activity continues to heavily target Financial Institutions large and small, and the card data associated with those industries. Quarter over quarter however, the marketing of unauthorized data jumps from platform to platform, as bustling sites attract unwanted attention and risk shutdown by government officials. Understanding where information is being exchanged on the Dark Web is critical to detecting data that may be compromised. PhishLabs continuously monitors and reports on Dark Web activity and the industries targeted.
To learn more, download the Agari & PhishLabs Quarterly Threat Trends & Intelligence Report (AUG).