September 2022

CRIF Cyber Observatory - Analysis of cyber activities in the first half of 2022

The Cyber Observatory aims to analyze the vulnerability of people and companies to cyber-attacks and interpret the main trends concerning the data exchanged in Open Web and Dark Web environments, the type of information, the areas in which data traffic is concentrated and the most exposed countries.

In addition, the Cyber Observatory aims to highlight the risks to which individuals and businesses are exposed on a daily basis, evaluate the main trends and offer some ideas to face cyber risk.

The data are the result of analysis and study carried out on the web environments where data are shared and exchanged. These are not only websites but also groups, forums and specialized communities of the so-called "Dark Web". But what do we mean by the dark web and how does it work? The Dark Web is a set of web environments that do not appear through normal Internet browsing activities and require specific browsers or targeted searches. Precisely because of its nature, it is exploited by hackers to exchange data obtained through phishing activities or other types of attacks.

The cyber phenomenon and the most valuable data

In the first half of 2022, we saw an increase in compromised account credentials, in combination with other extremely valuable data for hackers.

The number of alerts sent on the dark web was over 780,000 in the first half of 2022 and grew by 44.1% compared to the second half of 2021.

The number of alerts sent on the open web was over 70,000 in the first half of 2022 and fell by 4.9% compared to the second half of 2021.

In total, more than 850,000 alerts were sent in the first half of 2022, mainly related to data found on the dark web.

In particular, the postal address has become a valuable piece of personal data because it allows an attacker to complete the victim's profile and geolocate them.

The address is often found along with other information (such as the victim's first and last name) and contact details (email or phone number).

For example, in the first half of 2022, the full postal address was found in combination with a phone number in 70% of cases. This exposes the victim to more credible fraudulent messages, such as those from fake couriers notifying the delivery of a package.

Often these smishing messages (SMS phishing) contain malicious links that lure the victim into clicking and providing additional data to fraudsters.

Which are the most vulnerable data on the web?

There are several categories of data that are subject to attack; however, we have observed that email addresses, passwords, telephone numbers, usernames and postal addresses mainly circulate on the dark web and are therefore most vulnerable.

Compared to the last semester, the postal address enters the top 5, the telephone number overtakes the username and the email address rises to the top of the ranking.

The main combinations of data found are even more interesting: emails are very often associated with a password (88.1% of cases), and passwords also appear very often together with usernames (79.9%).

As far as personal data are concerned, the name and surname are often associated with the telephone number (52.2%), up 251% compared to the second half of 2021. This is valuable data for fraudsters, especially in the case of smishing or SIM swapping.

The phone number plays a fundamental role in these cases and, when it is also associated with the password (33.7%), the vulnerability of the victim increases.

With regard to credit card data, the card number is very frequently accompanied by the CVV and expiration date (95.9% of cases), an increase of 8%.

| Key data combination | II semester 2021 | I semester 2022 | Change % |
|---|---|---|---|
| Email + Password | 90.8% | 88.1% | -3% |
| Phone number + Password | 81.6% | 33.7% | -59% |
| Username + Password | 86.6% | 79.9% | -8% |
| Phone number + Name and Surname | 14.8% | 52.2% | +251% |
| Credit card + CVV and Expiry date | 88.6% | 95.9% | +8% |

Data Source Provider: Cyber CRIF Observatory 

Most common stolen passwords on dark web

The analysis of the passwords detected makes us reflect on the vulnerability of the accounts with which they are associated. In the top 10 passwords in circulation in the first half of 2022 we found the following:

TOP 10, I semester 2022

| Rank | Password |
|---|---|
| 1 | 123456 |
| 2 | 123456789 |
| 3 | password |
| 4 | qwerty |
| 5 | 12345 |
| 6 | 12345678 |
| 7 | qwerty123 |
| 8 | 1q2w3e |
| 9 | 111111 |
| 10 | 1234567890 |

Data Source Provider: Cyber CRIF Observatory

These passwords are listed in order of popularity; they are therefore the most compromised on the dark web and can be cracked in an average time of less than a second. In first place in the top 10 is "123456", a very common password in dark web environments during the first half of 2022, on the podium with "123456789" and "password", followed by "qwerty".

In the first half of 2022, "iloveyou" and "secret" appear in the list of the most common passwords. Other common passwords include simple words like "dragon," "princess," "football," and "sunshine," proper names like "daniel," "michael," and "charlie," names referencing games like "pokemon," characters like "superman," and easy-to-guess number combinations or repetitions like "111111."

While using simple passwords might seem like a practical way to help users remember them, it also leads to a high security risk for users and their systems.

As you can see by scrolling through the ranking, the most frequently detected passwords on the dark web are very simple combinations of numbers and letters, so it is very easy for hackers to discover them. On the other hand, the use of these passwords reveals the lack of awareness of web users, who often ignore the most basic rules to protect themselves from intrusions.

Focus: The most common stolen passwords in Italy

Among the most common passwords found on the dark web for Italy, the top places are taken by proper names such as "andrea", "francesco" and "alessandro", and names of football teams such as "juventus" and "napoli".

Misuse of the most detected accounts

Stolen credentials can be used for a variety of purposes, such as breaking into victims' accounts, misusing services, sending emails with requests for money or phishing links, and sending malware or ransomware, for the purpose of extorting or stealing money. Through a qualitative analysis of the contexts in which the data circulates, the accounts have been categorized according to the purpose of use.

Most of the accounts detected are related to email mailboxes (27.0%), followed by entertainment sites (21.0%), mainly related to online gaming and online dating accounts. In third place are accounts for forums and websites of paid services (18.6%), followed by social media (13.9%). A fair share of the stolen accounts belongs to e-commerce platforms (12.3%), up 132% compared to the previous semester.

The risk of theft of such accounts can have direct economic consequences for victims.

| Most detected account | I semester 2022 |
|---|---|
| Email accounts | 27.0% |
| Entertainment | 21.0% |
| Forum and website | 18.6% |
| Social Media | 13.9% |
| Ecommerce | 12.3% |
| Other services | 7.2% |

Data Source Provider: Cyber CRIF Observatory

Users that have received alerts

The activities of hackers continued to have great relevance in the first part of 2022. The Cyber CRIF Observatory data for the first half of 2022 confirm that the number of Personal Solutions customers alerted on the dark web was up 44.1% compared to the previous semester.

Focusing on Italy, where over a third of users received at least one alert in the first half of 2022, there is in particular an increase in alerts sent regarding the theft of data monitored on the dark web. Users alerted to data collected on the dark web account for 84.0%, while only 16.0% of users have been alerted to data collected on the public web.

Type of data collected from Italian users

In the first half of 2022, the types of data most frequently collected on the open web, and therefore publicly accessible by anyone, were email (49.3% of the data collected) and the tax code (34.7%), followed at a distance by telephone number (9.5%), username (3.2%) and address (3.1%).

| Open web alert type | 2022 1H |
|---|---|
| E-mail | 49.3% |
| Fiscal code | 34.7% |
| Phone number | 9.5% |
| Username | 3.2% |
| Postal address | 3.1% |

Data Source Provider: Cyber CRIF Observatory

The main websites on which consumers' personal data are found include electoral lists, professional registers, rankings, honors and lists of candidates admitted to public competitions. These sources contain various personal data in clear text: the most frequent are name, surname, date of birth, place of birth, postal address, e-mail and tax code.

On the dark web, on the other hand, email credentials were the data most frequently detected in the first half of 2022, followed by the phone number, with the email domain in third place. These valuable data could be used to attempt scams, for example through phishing or smishing.