The number of phishing attacks spammed to computer users fell for the second straight month, the Anti-Phishing Working Group (APWG) said last week as it reported on August's scams.
According to the APWG, a collection of over 1,900 companies, banks, ISPs, and government agencies, 13,776 unique phishing attacks were recorded during August, down about 3 percent from July's 14,135. The high tide for phishing attacks was June, which saw 15,050.
But although the number of attacks declined slightly, the number of phishing Web sites actually increased by 15 percent in August over July. APWG tracked 5,259 scam sites in August, up from 4,564 the month before.
"This may reflect an increasing tendency for phishers to target a diverse group of smaller brands, and also an increased use of multiple sites to host a single attack, in order to increase their resiliency to takedown efforts," the APWG wrote in the report.
The slip in phishing attacks may be tied to the continuing trend of some phishers shifting to more sophisticated tactics, specifically loading up malicious sites with keylogger-installing Trojans that exploit vulnerabilities in Internet Explorer.
That trend, which APWG and other experts on phishing scams have remarked on during the second half of 2005, contributed to an increase in the number of sites hosting password-stealing code. In August, the APWG found 958 such sites, a 4 percent increase over July's 918.
Since April, the number of malicious sites hosting keyloggers has jumped by 368 percent.
The U.S. still hosts more phishing sites than any other country, the APWG reported, accounting for nearly 28 percent of all scam URLs. As with spam, China and South Korea ranked second and third, respectively.
Financial services firms remain the top target, with 84.5 percent of the scams aimed at banks, brokers, credit unions, and online payment companies.
The APWG's August report can be downloaded in PDF format from the group's site.