Harvesting data<\/h2>\n
Phishing sites are carefully disguised to look legitimate \u2014 sometimes the visual design, user interface, and even the domain name are almost indistinguishable from the real thing. To steal data, attackers typically employ HTML forms prompting users to enter their login credentials, payment card details, or other sensitive information.<\/p>\n
As soon as the user hits Sign In<\/em> or Pay<\/em>, the information is instantly dispatched to the cybercrooks. Some malicious campaigns don\u2019t harvest data directly through a phishing site but instead abuse legitimate services like Google Forms<\/a> to hide the final destination server.<\/p>\n A fake DHL website. The user is asked to enter the login and password for their real DHL account<\/p><\/div>\n The stolen data is typically transmitted in one of three ways \u2014 or a combination of them:<\/p>\n The range of data sought by cybercriminals is quite extensive.<\/p>\n According to our research, the vast majority (88.5%) of phishing attacks conducted from January through September 2025 targeted online account credentials, and 9.5% were attempts to obtain users\u2019 personal data, such as names, addresses, and dates. Finally, 2% of phishing attacks were focused on stealing bank card details.<\/p>\n Distribution of attacks by type of data being targeted, January\u2013September 2025<\/p><\/div>\n Not all stolen data is directly used by the attackers to transfer money to their own accounts. In fact, the data is seldom used instantly; more commonly, it finds its way onto the shadow market, reaching analysts and data brokers. A typical journey looks something like this.<\/p>\n Raw data sets are bundled into massive archives and offered in bulk on dark web forums. These dumps often contain junk or outdated information, which is why they\u2019re relatively cheap \u2014 starting at around US$50.<\/p>\n These archives are purchased by hackers who act as analysts. They categorize datasets and verify the validity of the data by checking if the login credentials work for the specified services, if they are reused on other sites, and if they match any data from past breaches. For targeted attacks, cybercriminals compile a digital dossier. It stores information gathered from both recent and older attacks \u2014 essentially a spreadsheet of data ready to be used in hacks.<\/p>\n The sorted datasets are offered for sale again, now at a higher price \u2014 and not only on the dark web but also on the more familiar Telegram.<\/p>\n An ad for a Telegram sale of social media account credentials<\/p><\/div>\n According to Kaspersky Digital Footprint Intelligence, account prices are driven by a large number of factors: account age, 2FA authentication, linked bank cards, and service userbase. It\u2019s no surprise that the most expensive and in-demand commodity on this market is access to bank accounts and crypto wallets.<\/p>\n![\"A](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/12\/12064623\/what-happens-to-data-after-phishing-1.png\")
<\/a>\n
What kind of data are phishers after?<\/h2>\n
\n
![\"Distribution](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/12\/12064707\/what-happens-to-data-after-phishing-2-EN.png\")
<\/a>What happens to the stolen data next?<\/h2>\n
1. Bulk sale of data<\/h4>\n
2. Data sorting and verification<\/h4>\n
3. Resale of verified data<\/h4>\n
![\"An](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/12\/12064742\/what-happens-to-data-after-phishing-3.png\")
<\/a>