Overview of 2022 Phishing Trends and Domain Abuse Reported by Group-IB CERT-GIB


In 2022, information security professionals from Group-IB reported blocking a total of 59,000 phishing sites across the globe. A significant share of these, about 7,000, were detected in the domains .ru and .рф, illustrating a sharp rise from the previous year. This surge underscores the scale of phishing operations that target everyday users and financial accounts, including in Russia where login credentials, banking card data, and messaging app accounts were commonly targeted. The year also saw a notable wave of phishing activity directed at Telegram users as attackers increasingly exploit popular messaging platforms to harvest sensitive information.

According to data provided to socialbites.ca by the Group-IB Information Security Incident Response Center, also known as CERT-GIB, the number of blocked resources grew substantially from 31,455 in 2021 to 59,282 in 2022. The report highlights that the .ru and .рф segments recorded a steep rise in fraudulent sites and the corresponding loopholes that allowed these deceptive pages to persist. In plain terms, the threat landscape expanded rapidly, with cybercriminals leveraging more aggressive methods to lure victims and steal credentials at a distance from the original targets.

Regionally, the analysis shows that the .ru and .рф domain zones accounted for a large portion of fraudulent sites, with 20,170 such resources identified in these zones. This marks a clear increase compared with 2021, when the count stood at 15,363. The growth indicates that threat actors continued to place a strong emphasis on exploiting regional domains that appear familiar to local users, often mimicking legitimate services to gain trust and trick users into revealing personal data.

From a broader perspective, the 2022 data reveals that the most frequently blocked domain category belonged to the .com space, which represented approximately one third of all blocked resources at 33.8 percent. Following this, the .ru domain captured about 5.3 percent, and the .org domain rounded out the top three with around 3.4 percent. These figures illustrate a diversified approach among attackers, who spread their phishing campaigns across multiple high-visibility top-level domains in order to maximize reach and potential victims. The distribution also reflects the ongoing competition among phishing operators to stay ahead of takedown efforts and domain suspensions by registrars and security researchers alike.

Earlier reporting indicated that cybersecurity experts observed a rise in fraudulent activity ahead of important dates in late February and early March, pointing to a seasonal aspect in phishing campaigns. This pattern aligns with the broader trend of attackers seizing opportunities created by public events, holidays, or regulatory changes to lure victims who may be more distracted or stressed by news cycles. The 2022 experience emphasizes the importance of constant vigilance, proactive monitoring, and rapid incident response to minimize the impact of such malicious schemes on individuals and organizations alike.
