In 2022, the proliferation of the exchange of compromised email account credentials on the dark web continued, with hackers particularly targeting data combinations that include credit cards and phone numbers.

This type of information is the most commonly involved in the online circulation of personal data, as seen from the latest CRIF Cyber Observatory, which aims to analyze the vulnerability of individuals and companies to cyber-attacks and to interpret the main trends affecting data exposed in open web and dark web environments. Specifically, the Observatory analyzes the type of information, the areas in which data traffic is concentrated and the most exposed countries, as well as offering some hints on how to mitigate cyber risk.

Phone numbers are often combined with other personal data (such as first name and last name, or passwords); in fact, last year, the increase in the combination of phone number with first name and last name was +4.4%. This combination is valuable because, in addition to allowing access to many platforms and apps, with the introduction of 2-factor authentication in security protocols, it is essential for unauthorized access to private profiles.

Also of concern is the highest increase compared with the previous year, +10.5%, relating to the combination of credit card numbers together with the cvv and expiry date. Obviously, hackers can use these credentials to steal money or carry out transactions on the open web and dark web.

Overall, the number of alerts sent in 2022 was more than 1.6 million. Most of these related to the dark web, where 1.5 million alerts were registered, compared to 106,000 alerts on the open web.

Although the total number of alerts decreased (in 2021, 1.8 million alerts were recorded on the dark web alone), the CRIF Cyber Observatory shows that the severity of alerts sent in 2022 increased compared to the previous period. In fact, alerts relating to the discovery of compromised accounts, phone numbers and tax codes increased.

In Italy, the share of alerts sent to users regarding data on the dark web reached 83.7%, while only 16.3% of users were sent alerts for data found on the open web.

“The latest edition of the CRIF Cyber Observatory confirms the significance of our data to fraudsters. In fact, the circulation of data in 2022 was much higher than in the past, so much so that the data found on the dark web tripled compared to the previous year. The reasons for this increase relate to the current geopolitical situation, which is seeing an intense activity not only on the "physical" battlefields but also on the virtual battlefield, the so-called "cyberwar”.

Consumers and businesses are increasingly targeted by cybercriminals, who launch attacks aimed at stealing data and creating damage, with serious financial and reputational consequences. Phishing or ransomware attacks are often carried out against people and small or large organizations.

So, what should we do to protect our data? Check the communications we receive every day before clicking, and be very careful before entering our data to access online services. Another option is to use data monitoring services, which provide better control over the exposure of our data on the web,” explained Beatrice Rubini, CRIF Executive Director.

Most vulnerable data

Of the different categories of data under attack, individual or corporate email addresses (1st), passwords (2nd) and phone numbers (3rd) are those that predominantly circulate on the dark web and are therefore most vulnerable. Compared to 2021, usernames dropped to fifth place, overtaken by phone numbers and first/last names (4th).

It is even more interesting to look at the main combinations of data detected: emails are very often associated with a password (90.5% of cases); similarly, passwords very often appear together with usernames (71.7%). With regard to credit card data, in addition to the card number, the cvv and expiry date are also very frequently present (98.1% of cases).

Source: CRIF Cyber Observatory

Purpose of use of most detected accounts

Through a qualitative analysis of the contexts in which data circulate, accounts were categorized according to their use.

Most of the accounts detected were for entertainment (37.2%), mainly online gaming and dating accounts. In addition, e-sports platforms require paid subscriptions, so account theft can lead to financial losses.

In second place was the theft of forum and website accounts (28.4% of accounts detected), up 23.6%.

Theft of social media accounts (25.7% of accounts detected) such as Facebook, Twitter, Instagram and LinkedIn, which can lead to attempted scams and identity theft with serious consequences for the victim, rose sharply (+125.8%).

Entertainment and streaming dropped compared to 2021, when the number of active accounts in these categories had increased as a result of the pandemic, attracting the interest of hackers.

 Source: CRIF Cyber Observatory

 Where is credit card data being stolen?

The ranking of continents most susceptible to the illicit exchange of credit card data sees North America in the lead, up 34%, followed by Europe, which overtook Asia, while South America overtook Africa. At the bottom of the ranking is Oceania. In particular, an increase in credit card theft can be seen in Europe and America.

Source: CRIF Cyber Observatory

 The ranking of countries most subject to data exchange of credit cards shows the United States, Russia, United Kingdom, Brazil and India ranked highest. The other countries ranked in the top 10 are Canada, France, Spain, Japan and China.

 Italy remains in the sights of hackers

Looking at the ranking of countries most subject to the theft of credit card credentials, Italy occupies 14th place in the world ranking. Moreover, looking at the ranking of the most detected emails on the dark web by provider location, the “.it” domain was the sixth most affected domain by online password theft.

The most affected population groups according to age were the over 60s (25.6%), 41-50 year olds (25.7%) and 51-60 year olds (25.4%). Men represented the majority of users sent alerts by CRIF services for the protection of personal data on the web (63.2%).

The geographical areas where people received the most alerts were the North (37.8% overall) and the Center (36%), but proportionately the inhabitants of the South and North East received the most alerts.

In particular, the regions in which more people received alerts were Lazio (21.1%), Lombardy (14%) and Campania (7.9%), but in proportionately the inhabitants of Sicily, Molise and Umbria received the most alerts.

Also, in Italy in 2022, the types of data most frequently collected on the open web, and therefore publicly accessible by anyone on the internet, were email addresses (46.7% of the data collected) and tax codes (34.5%) - albeit down on the total compared to 2021 - followed by phone numbers (11.5%), usernames (3.7%) and addresses (3.7%). The last 3 types grew in percentage terms compared to the previous year, especially phone numbers and addresses.

Source: CRIF Cyber Observatory

On the dark web, on the other hand, email credentials were more frequently detected in 2022; in second place were phone numbers, while in third place were tax codes: this valuable data could be used to try to commit scams, for example, through phishing or smishing.

“CRIF promotes several cyber educational initiatives, such as the game Cyberninja. With this educational project, CRIF aims to increase awareness about phishing among both young people and adults alike. The results achieved in just a few months show that young people can better recognize phishing attempts and more often reach the highest level in the game. Millennials and adults obtain an average score, while the over-64 age group is more vulnerable to phishing, obtaining lower scores," added Beatrice Rubini, CRIF Executive Director.