eBay Fooled by Fast-moving Phishing Scam
5th December, 2005
Sometimes even the targets of phishing attacks have difficulty sorting out whether an e-mail or web site is bogus. In other instances, spoof sites remain online long after they are identified as criminal scams.
Both scenarios are found in a story related by an e-mail security researcher, who submitted an obviously fraudulent phishing site to eBay, only to have the auction company's staff e-mail back to insist that the site was legitimate and that the "bait" e-mail was sent by eBay.
The scam site, ebaychristmas.net, was blocked on Nov. 25 by the Netcraft Toolbar community. This particular fraud site illustrates the difficulty of relying upon web hosting services to protect Internet users by taking a site offline.
The domain has been hosted at five different locations since Nov. 30, including several broadband providers, suggesting it may be part of a botnet. Phishing sites hosted on botnets are difficult to shut down, as they can be quickly moved from one hacked computer to another. Botnet-based phishing operations often maintain their own DNS servers which are also shifted frequently to provide a moving target.
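One way a defender can spot this kind of fast-moving hosting from DNS monitoring data is to look for a hostname whose address changes across several unrelated networks within a short window. The following is an added example written for this post, not Netcraft's own tooling; the hostnames, addresses and network owners are constructed sample data.

```python
from datetime import datetime

# Constructed resolution history (sample data, not the post's observations):
# (timestamp, hostname, resolved IP, network owner as seen in WHOIS/BGP data).
RESOLUTIONS = [
    ("2005-11-30T08:00", "phish.example", "198.51.100.7", "broadband-isp-a"),
    ("2005-11-30T20:00", "phish.example", "203.0.113.19", "broadband-isp-b"),
    ("2005-12-01T09:00", "phish.example", "192.0.2.44", "hosting-co"),
    ("2005-12-02T11:00", "phish.example", "198.51.100.201", "broadband-isp-a"),
    ("2005-12-03T07:00", "phish.example", "203.0.113.88", "broadband-isp-c"),
    ("2005-11-30T08:00", "static.example", "192.0.2.10", "hosting-co"),
    ("2005-12-03T08:00", "static.example", "192.0.2.10", "hosting-co"),
]


def hosting_changes(records, hostname):
    """Return the ordered hops (timestamp, ip, owner) for one hostname,
    keeping only entries where the IP differs from the previous one."""
    hops = []
    for ts, host, ip, owner in sorted(records):
        if host != hostname:
            continue
        if not hops or hops[-1][1] != ip:
            hops.append((ts, ip, owner))
    return hops


def looks_fast_moving(records, hostname, min_ips=3, min_owners=2, window_days=7):
    """Flag a hostname whose A record moved across at least `min_ips`
    distinct addresses on at least `min_owners` distinct networks within
    `window_days`. Thresholds are assumptions chosen for this example;
    a site hopping between several broadband providers in a few days,
    as described above, trips them."""
    hops = hosting_changes(records, hostname)
    if len(hops) < min_ips:
        return False
    first = datetime.fromisoformat(hops[0][0])
    last = datetime.fromisoformat(hops[-1][0])
    span_days = (last - first).total_seconds() / 86400
    owners = {owner for _, _, owner in hops}
    return span_days <= window_days and len(owners) >= min_owners


if __name__ == "__main__":
    for name in ("phish.example", "static.example"):
        print(name, "fast-moving" if looks_fast_moving(RESOLUTIONS, name) else "stable")
```

A stable site resolving to one address at one provider is not flagged, while the constructed hopping hostname is; in practice the owner field would come from an ASN or WHOIS lookup rather than be embedded inline.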
This demonstrates the value of the Netcraft toolbar, which protects users as they surf the Internet, blocking access to confirmed phishing sites, even if they remain online.
Netcraft received well over 8,000 reports of phishing sites during November. Each submission is reviewed by a staff member and classified, with confirmed phishing sites added to the list of sites being blocked by the Netcraft toolbar. Each confirmed report is used as a ticket in a monthly draw for a top-of-the-range iPod.