Most phishing attempts come from about 1000 compromised "zombie" computers owned by broadband customers, and the phishing attacks are likely generated by less than five phishing operations, according to a survey by CipherTrust.
The e-mail security company, in a survey this month of more than 4 million pieces of e-mail, found that nearly all of the attacks came from about 1000 machines, mostly customers of DSL or cable modem services.
The number of compromised machines remained fairly static during the two-week survey, suggesting that a limited number of groups were looking for exploited machines to send out phishing-scam e-mail, said Dmitri Alperovitch, a research engineer with CipherTrust.
The survey illustrates the importance of home computer users taking steps to protect their computers, Alperovitch said. "All of the machines have been exploited in some way or another," he added. "Improving security at DSL or cable customers' homes can certainly solve the problem."
Close to 28 percent of the IP addresses used in the phishing attacks during the two-week survey were from U.S. computers. Another 17 percent of the IP addresses were South Korean, and another 8 percent were Chinese.
About 0.35 percent of the more than 4 million e-mail messages CipherTrust examined were phishing solicitations. Scammers using phishing tactics typically send out e-mail targeting users of financial institutions or other e-commerce sites. The bogus e-mail message often tells recipients there's a problem with their accounts, and that they need to re-enter their bank account or credit card number at a Web site designed to look like the legitimate e-commerce site.
Most of the compromised computers sending phishing e-mail also sent other spam, and much of the e-mail coming from those compromised machines was similar across nearly all of the computers. That leads CipherTrust to believe that all of the phishing attacks during the two-week survey came from two or three phishing operations, Alperovitch said. During a typical day during the survey, about 200 distinct phishing attacks were sent out, compared to hundreds of thousands of spam attacks.
"That tells me there is a very limited number of people involved in this," he added. "There has to be one person crafting this, unless they're sharing a brain or something."
CipherTrust has shared the results of its phishing survey with law enforcement officials, the company said.
During the survey, more than 54 percent of the phishing attempts used e-mail faked to look like it came from CitiBank. Another 13 percent of the attacks targeted customers of Smith Barney, also a division of Citigroup Global Markets, while 10 percent targeted SunTrust Banks, and nearly 8 percent targeted PayPal, owned by eBay. Targets of phishing attacks change over time, CipherTrust noted.