Get The Latest Insights

By John LaCour | March 17, 2022

In Q4, Carding Marketplaces experienced a dramatic increase in activity, representing 32.9% of criminal exchanges on the Dark Web and signaling a shift away from web forums. While sensitive information is advertised through a variety of methods on the Dark Web, the majority of leaked data can be found on sites that specialize in the exchange of card information quickly and anonymously, via chat.

Every quarter, PhishLabs analyzes hundreds of thousands of attacks targeting enterprises and our clients. Below, we analyze a sample set of client data reflective of the underground landscape to identify the most prevalent threats on the Dark Web and who they are targeting. In this piece, the Dark Web is defined as the part of the web that cannot easily be indexed, and generally requires some technical obstacles to access.

Top Dark Web Threats

In Q4, nearly 73% of all Dark Web threats experienced by PhishLabs clients involved the marketing or sale of compromised Credit and Debit Card Data. The sale of Corporate Credentials represented the second most encountered threat, contributing to 16% of all Dark Web threats. Corporate Credentials sold via the Dark Web represented the largest quarter-over-quarter increase in share among all threats in Q4.

The sale of Consumer Credentials represented the third position, contributing to 7.3% of all Dark Web threats after experiencing a 1.3% decrease in share. Fraud Tools and Deposit Fraud represented 2.6% and 0.5% of the most common threats advertised to black market buyers.

Top Targeted Industries

In Q4, Financial Institutions including Banking, Credit Unions, and Other Financial Services combined to represent 82.7% of all Dark Web activity. The Financial Industry is highly-targeted by threat actors who rely on critical attack components such as PII, login credentials, card data, and other sensitive information to execute campaigns.

Banking Services were the top targeted industry on the Dark Web, experiencing almost half of all attacks in Q4. This is despite a nearly 8% decrease in share in activity. Alternatively, Credit Unions experienced the greatest increase in share (4.9%) for the quarter and represented the second most targeted industry.

Telecom & ISP Services were targeted on the Dark Web 7.5% of the time, representing the third most targeted industry and experiencing a slight increase in share from Q3.

Other Industries targeted in Q4 include Staffing & Recruiting (2.9%), Dating (2.1%), and Computer Software (1.5%).

Top Dark Web Sites Where Data is Marketed

Stolen data is advertised via a wide variety of sites and marketplaces on the Dark Web. In Q4, more than 70% of these advertisements were detected on Chat-Based Services or Carding Marketplaces. The majority of malicious activity took place on Chat-Based Services (37.4%) despite a decrease in share of more than 18% from Q3. Chat-Based Services include any space where anonymous messaging can occur in real time between account holders.

Carding Marketplaces accounted for 32.9% of activity after an increase in share of 16.7% in Q4. Carding Marketplaces are popular with threat actors and buyers because they enable actors to exchange account dump data and card data quickly, and incognito.

Other sites where data was marketed in Q4 include Dark Web Forums (18.3%), which moved to the third position, Credential Marketplaces (7.8%), and Paste Sites (2.5%).

In Q4, based on a sample set of client data, stolen card data was heavily advertised in Dark Web spaces that specialize in the anonymous sale of account data. Identifying what types of malicious activity are taking place on the Dark Web and where they are being sold to black market buyers is critical to help organizations in the detection of stolen or compromised data. PhishLabs will continue to report on Dark Web threat types and industries targeted as these attacks evolve.

To learn more, access our Quarterly Threat Trends & Intelligence Report (FEB).