The number of phishing attacks on the web reached record levels between April and June this year, says MarkMonitor.
The US company, which tracks domain-name abuse, counted more than 150,000 phishing attacks for the second quarter of 2009, with an attack defined as a unique URL hosting a phishing site.
In a phishing attempt a cybercriminal creates a website that looks legitimate and fools people into divulging their sensitive personal or financial details.
MarkMonitor finds out about possible phishing sites from companies such as Yahoo and AOL, which forward suspicious-looking URLs that appear in emails, said Charlie Abrahams, vice president of MarkMonitor for Europe, the Middle East and Africa.
The company then manually checks those URLs to ensure they are indeed phishing sites and takes steps on behalf of its customers to get those sites shut down, either by contacting domain-name registrars or the ISPs hosting them.
IBM came to its conclusion by looking at phishing email as a percentage of spam, a very different measure from MarkMonitor's. Phishing sites are mostly promoted through spam.
IBM found that for the first half of 2009, phishing emails were only 0.1 percent of spam, down from 0.5 percent in 2008. The company came to the conclusion that phishing is falling.
"The decline in phishing and increases in other areas (such as banking Trojans) indicate that attackers may be moving their resources to other methods to obtain the gains that phishing once achieved," IBM said in its report.
A report from Symantec that covered one month, August of this year, concluded that phishing attacks fell 45 percent over the previous month, although it's not clear from the report how that figure was calculated. In another statistic, Symantec noted that it saw 4 percent fewer phishing URLs compared to July.
MarkMonitor's Abrahams said his company counts the number of unique URLs. That has the potential to dramatically raise the number of what MarkMonitor classifies as attacks.
For example, criminals often use a single hostname for a site, but the site is actually hosted on many servers in different locations and switches servers after a short period of time, a method known as fast flux.
So one bad website might be hosted in hundreds of places, each counted as an attack.
"There's lots of different measurements for phishing," Abrahams said. "We think the number of sites is what matters rather than the number of emails."
The Anti-Phishing Working Group (APWG), which is composed of private companies and other groups, tracks unique email campaigns. If the subject line in hundreds of emails is the same, that's counted as one campaign. As for phishing sites, APWG counts the unique base URL of a particular site.
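To make the difference between these measures concrete, the following added example (not code from MarkMonitor, IBM or APWG) runs the counting rules described above over one constructed set of reported emails. It assumes that "base URL" means scheme plus hostname and that subject lines match case-insensitively; the hostnames, subjects and spam total are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample: (email subject, URL in the email). Hosts are placeholders.
REPORTS = [
    ("Verify your account", "http://bank-login.example.test/secure/a1?id=1"),
    ("Verify your account", "http://bank-login.example.test/secure/a1?id=2"),
    ("Verify your account", "http://bank-login.example.test/secure/b7"),
    ("VERIFY YOUR ACCOUNT", "HTTP://Bank-Login.example.test/secure/b7"),
    ("Your parcel is waiting", "http://parcel.example.test/track"),
    ("Your parcel is waiting", "http://parcel.example.test/track"),
]

def normalize(url):
    """Lowercase scheme and host and drop the fragment, so trivial
    spelling variants of one URL are not counted twice."""
    p = urlsplit(url.strip())
    return p._replace(netloc=p.netloc.lower(), fragment="").geturl()

def base_url(url):
    """Assumed meaning of 'base URL': scheme plus hostname only."""
    p = urlsplit(url.strip())
    return f"{p.scheme}://{(p.hostname or '').lower()}"

def count_metrics(reports, total_spam):
    """Apply each counting rule from the article to the same reports."""
    return {
        # One attack per unique URL hosting a phishing page.
        "unique_urls": len({normalize(u) for _, u in reports}),
        # One campaign per distinct subject line.
        "email_campaigns": len({s.strip().casefold() for s, _ in reports}),
        # One site per unique base URL.
        "unique_base_urls": len({base_url(u) for _, u in reports}),
        # Phishing email as a percentage of all spam seen.
        "phishing_pct_of_spam": 100 * len(reports) / total_spam,
    }

if __name__ == "__main__":
    # total_spam is a constructed figure chosen for illustration.
    for name, value in count_metrics(REPORTS, total_spam=6000).items():
        print(f"{name}: {value}")
```

The same six emails yield four attacks by unique URL, but only two campaigns and two sites, which is why reports built on different definitions cannot be compared directly.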
In its report for the last six months of 2008, APWG said the number of email campaigns peaked in October at 34,758. That data was compiled from reports submitted by consumers. But the figure fell to 23,187 by December.
Unique phishing sites increased from July through October 2008, hitting a high of 27,739. But that was still fewer than February 2008 or the massive spike in April 2007 of 55,643, according to APWG.