2022 CRIF Cyber Observatory - First semester

2022-09-25

In the first half of 2022, we saw an increase in compromised account credentials found in combination with other data that is extremely valuable to hackers.

The number of alerts sent relating to data found on the dark web was over 780,000 in the first half of 2022, up 44.1% compared to the second half of 2021.

The number of alerts sent relating to data found on the open web was over 70,000 in the first half of 2022, down 4.9% compared to the second half of 2021.

In total, more than 850,000 alerts were sent in the first half of 2022, mainly related to data found on the dark web.

In particular, the postal address has become a valuable piece of personal data because it allows fraudsters to complete the victim's profile and geolocate them.

The address is often found along with other information (such as the victim's first and last name) and contact details (email or phone number).

For example, in the first half of 2022, the full postal address was found in combination with a phone number in 70% of cases. This exposes the victim to more credible fraudulent messages, such as those from fake couriers announcing the delivery of a package.

These smishing messages (SMS phishing) often contain malicious links that lead the victim to click and provide additional data to fraudsters.

Which data are most vulnerable on the web?

There are several categories of data that are subject to attack; however, we have observed that email addresses, passwords, telephone numbers, usernames and postal addresses mainly circulate on the dark web and are therefore most vulnerable.

Compared to the last semester, the postal address enters the top 5, the telephone number exceeds the username and the email address rises to the top of the ranking.

TOP 5 MOST VULNERABLE DATA - I semester 2022

1. Email
2. Password
3. Phone number
4. Username
5. Postal address

Data Source Provider: Cyber CRIF Observatory

Even more interesting are the main combinations of data found: emails are very often associated with a password (88.1% of cases), and passwords also appear very often together with usernames (79.9%).

As far as personal data are concerned, the name and surname are often associated with the telephone number (52.2%), up by 251% compared to the second half of 2021. This combination is valuable to fraudsters, especially for smishing or SIM swapping.

The phone number plays a fundamental role in these cases and, when it is also associated with the password (33.7%), the vulnerability of the victim increases.

With regard to credit card data, the CVV and expiration date are very frequently found along with the card number (95.9% of cases), an increase of 8%.

| Key data combination | II semester 2021 | I semester 2022 | change % |
|---|---|---|---|
| Email + Password | 90.8% | 88.1% | -3% |
| Phone number + Password | 81.6% | 33.7% | -59% |
| Username + Password | 86.6% | 79.9% | -8% |
| Phone number + Name and Surname | 14.8% | 52.2% | +251% |
| Credit card + CVV and Expiry date | 88.6% | 95.9% | +8% |

Data Source Provider: Cyber CRIF Observatory

| Email accounts | I semester 2022 | II semester 2021 | change % |
|---|---|---|---|
| Personal | 91.6% | 77.9% | +17.6% |
| Business | 8.4% | 22.1% | -62.0% |

Data Source Provider: Cyber CRIF Observatory

Most frequently circulating accounts on the Dark Web

 Amongst the most frequently circulating accounts on the dark web, the names of email services, dating sites, social networks and online games have emerged.  

| Rank | TOP 10 account | Type |
|---|---|---|
| 1 | Yahoo | E-mail |
| 2 | Gmail | E-mail |
| 3 | MyHeritage | Family tree |
| 4 | Badoo | Dating site |
| 5 | Mail.ru | E-mail |
| 6 | Facebook | Social |
| 7 | Zynga | Online games |
| 8 | Dofus | Online games |
| 9 | LinkedIn | Social |
| 10 | Twitter | Social |

Data Source Provider: Cyber CRIF Observatory

Most common stolen passwords on the dark web

The analysis of the passwords detected makes us reflect on the vulnerability of the accounts with which they are associated. In the top 10 passwords in circulation in the first half of 2022 we found the following:

TOP 10 - I semester 2022

1. 123456
2. 123456789
3. password
4. qwerty
5. 12345
6. 12345678
7. qwerty123
8. 1q2w3e
9. 111111
10. 1234567890

Data Source Provider: Cyber CRIF Observatory

These passwords are ranked as the most popular, and therefore the most compromised, on the dark web, and can be cracked in an average time of less than a second. In first place in the top 10 is "123456", a password very common in dark web environments during the first half of 2022. It shares the podium with "123456789" and "password", followed by "qwerty".

In the first half of 2022, "iloveyou" and "secret" appear in the list of the most common passwords. Other common passwords include simple words like "dragon," "princess," "football," and "sunshine," proper names like "daniel," "michael," and "charlie," names referencing games like "pokemon," characters like "superman," and easy-to-guess number combinations or repetitions like "111111."

While using simple passwords might seem like a practical way to help users remember them, it also leads to a high security risk for users and their systems.

As you can see by scrolling through the ranking, the most frequently detected passwords on the dark web are very simple combinations of numbers and letters, so it is very easy for hackers to discover them. On the other hand, the use of these passwords reveals the lack of awareness of web users, who often ignore the most basic rules to protect themselves from intrusions.

 

Ranking of the most detected emails by domain and the countries hit hardest by the phenomenon

The ranking of the most detected emails on the dark web, based on the composition of their domains, allows us to locate the email provider, with the exception of ".com" and ".net", which are commonly used worldwide. The .com domain, in addition to being global, is also the most used in the USA. It can therefore be deduced that the countries most affected by the theft of online emails and passwords are the US, Russia, Germany and France, followed by the United Kingdom, which is just ahead of Italy. The other countries that complete the top 10 of the domains most affected by online password theft are Poland, Japan, Brazil and the Czech Republic, which enters the ranking of the most affected countries, surpassing Canada.

The .edu domain, widespread among schools, colleges and universities, also circulates widely on the dark web; this means that numerous email addresses of students and professors are exposed to cyber risk. The .org domain, noteworthy as it refers to non-profit organizations and institutions, also climbs from 19th to 13th position.

The table below shows the ranking of the most detected domains and the most affected countries:

TOP 20 - I semester 2022

1. .COM .NET global and USA
2. .RU Russia
3. .DE Germany
4. .FR France
5. .UK United Kingdom
6. .IT Italy
7. .PL Poland
8. .JP Japan
9. .BR Brazil
10. .CZ Czech Republic
11. .EDU
12. Canada
13. .ORG
14. India
15. Ukraine
16. Spain
17. Taiwan
18. China
19. Australia
20. Netherlands

Data Source Provider: Cyber CRIF Observatory

Misuse of the most detected accounts

Stolen credentials can be used for a variety of purposes, such as breaking into victims' accounts, misusing services, sending emails with requests for money or phishing links, or sending malware or ransomware in order to extort or steal money. Through a qualitative analysis of the contexts in which the data circulates, the accounts have been categorized according to the purpose of use.

Most of the accounts detected are email mailboxes (27.0%), followed by entertainment sites (21.0%), mainly related to online gaming and online dating accounts. In third place are accounts for forums and websites of paid services (18.6%), followed by social media (13.9%). A fair share of the stolen accounts belongs to e-commerce platforms (12.3%), up by 132% compared to the previous semester.

The risk of theft of such accounts can have direct economic consequences for victims.

| Most detected account | I semester 2022 |
|---|---|
| Email accounts | 27.0% |
| Entertainment | 21.0% |
| Forum and website | 18.6% |
| Social Media | 13.9% |
| Ecommerce | 12.3% |
| Other services | 7.2% |

Data Source Provider: Cyber CRIF Observatory

Where is the most credit card data obtained?

The ranking of the continents most subject to illicit credit card data exchange is led by North America, followed by Asia, which surpasses Europe, while Africa surpasses South America. At the bottom of the ranking we find Oceania, with significant percentage growth compared to the previous period.

| Continent | I semester 2022 | change % |
|---|---|---|
| North America | 40.1% | -27% |
| Asia | 26.3% | +97% |
| Europe | 14.1% | -33% |
| Africa | 8.8% | +183% |
| South America | 5.5% | +76% |
| Oceania | 5.2% | +304% |

Data Source Provider: Cyber CRIF Observatory

The ranking of the countries most subject to credit card data exchange sees the United States, Russia, the United Kingdom, Brazil and Canada in the lead. In particular, Russia rose 9 positions compared to the second half of 2021.

Even more striking is Ukraine's position: previously ranked 92nd, it now enters the top 20.

The ranking includes:

TOP 20 - I semester 2022

1. USA
2. Russia
3. UK
4. Brazil
5. Canada
6. India
7. France
8. Spain
9. Japan
10. China
11. Germany
12. Australia
13. Ukraine
14. Italy
15. Argentina
16. South Korea
17. Poland
18. Mexico
19. Chile
20. Turkey

Data Source Provider: Cyber CRIF Observatory

Focus: Top 3 countries by continent

 Below are the rankings of the countries most subject to credit card data exchange for each continent:

 

TOP 3 Africa - I semester 2022

1. South Africa
2. Egypt
3. Nigeria

TOP 3 America - I semester 2022

1. USA
2. Canada
3. Mexico

TOP 3 Asia - I semester 2022

1. India
2. Japan
3. China

TOP 3 Europe - I semester 2022

1. Russia
2. UK
3. France

TOP 3 Oceania - I semester 2022

1. Australia
2. New Zealand
3. Guam

Data Source Provider: Cyber CRIF Observatory

About CRIF Cyber Observatory

The Cyber Observatory aims to analyze the vulnerability of people and companies to cyber-attacks and interpret the main trends concerning the data exchanged in Open Web and Dark Web environments, the type of information, the areas in which data traffic is concentrated and the most exposed countries.

In addition, the Cyber Observatory aims to highlight the risks to which individuals and businesses are exposed on a daily basis, evaluate the main trends and offer some ideas to face cyber risk.

The data are the result of analysis and study carried out on the web environments where data are shared and exchanged. These are not only websites but also groups, forums and specialized communities of the so-called "Dark Web". But what do we mean by the dark web and how does it work? The Dark Web is a set of web environments that do not appear through normal Internet browsing activities and require specific browsers or targeted searches. Precisely because of its nature, it is exploited by hackers to exchange data obtained through phishing activities or other types of attacks.
