Speed is critical to the success of phishing operations, which typically migrate from one server to another in an effort to stay a step ahead of providers and police. One scam documented by the APWG operated a spoofed web page on seven different servers over a period of 12 days, including four in Korea, two at American ISPs, and one in Uruguay.

In each case, a web page mimicking a financial institution’s web site was housed on a compromised server. The “bait” emails were sent in HTML, and many used an image map to initiate the link, a strategy that makes the spoofed destination URL (an IP address) less obvious to the user. The sophistication of the effort, and the fact that it targeted two different financial institutions, “indicates the participation of at least one well-orchestrated, systematic criminal organization in the phishing world,” according to the APWG.

While that campaign used IP addresses rather than domains, other phishing attacks rapidly move domains between servers. The karl-marx.ru domain has been linked to separate scams in March (hosted in South Korea) and July (hosted at Affinity Interent) and has also been used to collect data stolen by malicious trojans. Research by APWG shows that about 8 percent of phishing scams tracked in June used a dedicated domain.

Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.