In Q4, Dark Web activity targeting Credit Unions reached its highest count in five consecutive quarters, according to Fortra’s PhishLabs. Attacks on Credit Unions jumped significantly during the second half of 2022, with threat actors advertising stolen card data from these institutions almost as frequently as National/Regional Banks.
Data tied to financial institutions is considered especially high value on the Dark Web, where card information or credentials to a compromised banking account can equal a quick profit. Compromised data associated with financial institutions accounted for more than 80% of the information advertised on Dark Web channels in Q4.
Every quarter, Fortra analyzes hundreds of thousands of attacks targeting enterprises and our clients. In this blog, we identify the most recent threats on the Dark Web and who they are targeting by analyzing a sample set of client data representative of the underground landscape. In this piece, the Dark Web is defined as the part of the web that cannot easily be indexed and that generally requires overcoming some technical obstacles to access.
Top Dark Web Threats
The circulation of stolen Credit and Debit Card data was the top Dark Web threat to organizations in Q4. Compromised card data was marketed 4.3% more than the previous quarter, representing nearly 70% of underground exchanges.
Fraud Tools, including guides, overlays, and phish kits, made up just over 17% of the share of threat volume, taking the second spot despite experiencing a decline in activity over Q3.
Corporate Credentials for Sale had a slight increase in activity on the Dark Web, contributing 6.6% of threat volume. Consumer Credentials dropped to the fourth spot, after experiencing a 5.67% decline. Deposit Fraud made up 2.69%.
Top Targeted Industries
Banks and Credit Unions were targeted more than any other group in Q4, with Credit Unions subjected to nearly the same number of incidents as their larger banking counterparts. Banks have historically led all categories, despite fluctuations in abuse. In Q4, they maintained the top spot after being targeted 37.18% of the time.
Attacks targeting Credit Unions on the Dark Web increased in both count and share quarter over quarter in 2022. Volume peaked at 35% of total volume in Q4, after gaining more than 2% of share over Q3.
Other Financial Services and Cryptocurrency both experienced increased attacks in Q4, taking the third and eighth spots, respectively. Financial Institutions as a whole were overwhelmingly targeted compared to any other industry, making up more than 80% of activity.
Non-Financials were led by Computer Software, with Dark Web activity targeting the industry 4.3% of the time. Ecommerce followed closely behind, with 3.5% of attacks in Q4.
Other industries targeted in Q4:
- Telecom / ISPs 3.0%
- Social Media 2.5%
- Staffing & Recruiting 1.9%
Where Stolen Data is Marketed
In Q4, more than half of all information and services exchanged on the Dark Web took place within Carding Marketplaces, which specialize in the sale of card and account data. This represents a jump of more than 18% in activity over Q3, when activity was evenly distributed between Carding Marketplaces, Chat-Based Services, and Credential Marketplaces. The underground platforms where malicious behavior and exchanges take place change frequently as criminals seek to evade authorities. As a result, security teams should consistently monitor Dark Web activity for changes in behavior.
Chat-Based Services were used less in Q4, with 23% of activity taking place on those platforms. Activity tied to both Chat-Based Services and Credential Theft Marketplaces declined in Q4. Credential Theft Marketplaces were used 17.6% of the time.
Forums contributed 11% of activity after a decrease of 3.2% in Q4. General Marketplaces and Paste Sites also experienced declines, making up 1.6% and 1.1% of total volume, respectively.
The Dark Web continues to house malicious activity including the exploitation of businesses and their stolen data. Identifying where threat actors are conducting exchanges and what type of data is compromised can be challenging, as criminals consistently modify behaviors and storefronts to avoid apprehension. Security teams should familiarize themselves with Dark Web spaces where compromised data may live, in order to limit the exposure of enterprise information.