Phishing attacks going automatic, says industry group

Phishing occurs when a fraudster sends an e-mail that contains a link to a fraudulent web site where users are asked to provide personal account information. The e-mail and web site are usually disguised to appear to recipients as though they are from a trusted service provider, financial institution or on-line merchant.

Thousands upon thousands of messages are sent out relating to each phony web site – called "baiting" sites by the APWG. According to the industry group's latest Phishing Activity Trends Report, there were 6,597 new unique e-mail attacks in October alone and 1,142 unique baiting sites reported.

Most of these related to a small number of brand names – 44 in October, with 80% of the attacks relating to only six brands (which have not been named). The report identified financial services as the sector with the most unique baiting sites (73%) while ISPs were in second place at 14%.

The number of phishing sites increased massively from 5th October, according to the report, which it suggests could be down to the availability of toolkits (see The Register's coverage of DIY phishing kits) or that automation may be involved.

The report also notes that the number of phishing sites being hosted on compromised PCs with broadband connections has risen to over 50%. These are often known as zombie PCs or bot networks. Poorly protected PCs are vulnerable to such exploitation by hackers.