Get The Latest Insights

By John LaCour | December 17, 2021

In Q3, more than 75% of threats observed on the Dark Web were related to stolen credit card and debit card data, according to PhishLabs’ Quarterly Threat Trends & Intelligence Report. While there are significant volumes of malicious activity targeting industries on the Dark Web, the extensive nature of credit card fraud makes this threat type the most pervasive.

Every quarter, PhishLabs analyzes hundreds of thousands of attacks targeting enterprises and our clients. In this post, we analyze a sample set of client data reflective of the underground landscape to break down the most prevalent threats on the Dark Web. For purposes of this post, the Dark Web is defined as the part of the web that cannot be indexed, and generally requires some technical obstacles to access those sites.

Top Dark Web Threats

Of the threats targeting our clients, more than three quarters of all Dark Web threats observed in Q3 involved threat actors marketing compromised credit card credentials. This number dwarfed the sale of Corporate Credentials, which accounted for 12% of all Dark Web threats in our sample. Stolen Corporate Credentials are primarily composed of employee email addresses criminals are marketing to buyers on the black market.

Consumer Credentials, or marketplaces strictly selling access to customer accounts, contributed to 8.6% of observed threats. Fraud Tools and Cyber Risk represented 2.3% and 1.2% of threats, respectively.

Top Targeted Industries

In Q3 Telecommunications & ISPs were affected by almost 40% of threats catalogued on the Dark Web. Account data related to this industry is highly valued as it often gives threat actors access to a wealth of sensitive information including payment method data, login credentials, and highly sensitive PII.

The Staffing & Recruiting industry was impacted by 8% of Dark Web threats, making it third among other industries. This elevated ranking can likely be attributed to common increases in hiring activity in preparation for the new year.

Dating services ranked fifth among all Dark Web threats in Q3, experiencing 6.6% of cases. Dating services have seen a surge in activity due to the pandemic, and are targeted by threat actors trying to gain access to PII available via online dating apps. Attackers also compromise dating service accounts to launch romance scams.

Sites Where Data is Marketed

Stolen enterprise data is marketed and sold through a broad spectrum of general and specialized sites on the Dark Web. In Q3, Chat-Based Services proved to be most popular among threat actors, with more than half of threats observed marketed through these types of services rather than Dark Web forums.

Chat-Based Services include any service or technology that enables discreet, cross-platform text messaging in real time between account holders. Most of the activity through these services involved the exchange of leaked credit and debit card information, as it is easy for this kind of data to be quickly and anonymously shared via chat.

Often, threat actors will share free card data on these services as a way to establish credibility to customers. Below are two examples.

Account Credentials for sale on a Dark Web, Chat-Based Service
Account Credentials for sale on a Dark Web, Chat-Based Service

Forums experienced the second highest level of activity, accounting for 16.5% of Dark Web threats in our sample. Forums include a website or section of a website where visitors can interact based on topics of interest. Dark Web forums often include topics such as hacking, financial fraud, and credit card numbers.

Carding Marketplaces contributed to 16.1% of activity, coming in third among the group. These types of marketplaces specialize in the sale of account dump data and credit card data.

Threat actors heavily exploited card data and stolen credentials via Chat-Based Services on the Dark Web in Q3. The technical nature of Dark Web marketplaces is ideal for criminal activity and provides the anonymity needed to leak and sell stolen data. Phishlabs will continue to report on threat types and industries targeted as attacks on the Dark Web evolve.

To learn more, download our Quarterly Threat Trends & Intelligence Report (NOV).