Someone asked me how much spam comes from home PCs that are hijacked and turned into spam zombies, this is an email I sent in reply:
"There are differing reports on the exact figure. There is a good study about this from a University (which I tend to believe a bit more than press releases because the academic rigor and review is stronger) that has done extensive research into this area. I'm looking for the specific report, but I can't seem to find it right now. I'll keep looking.
In lieu of that report, there are many articles placing the figure between 33% and 80%. Here are some references for those numbers:
One thing to note, I've been researching "live" phishing sites and I've noticed a change. Previously, many phishing sites would compromise a webserver, put up the phish site and spam the fraudulent email from another system.
More recently, I've been finding phishing kits and sites that actually load the email address lists on the same server that is used for the phish -- effectively turning the webserver hosting the phishing site into the spam engine that sends the phishing emails as well.
I was trying to figure out why and it seems like the phishers are consolidating the phishing kits (often the phishers simply get these kits from other phishers and use them) so they are more of a "one stop phishing shop." They no longer need both the phishing webserver and a spam relay, the two are now the same. This also helps since if the phishing site gets taken down, they no longer need to send the spam phishing emails for that site -- the whole phishing operation becomes more automated -- if the phishing site goes down, so does the email spamming that phishing site.
Furthermore, phishers are also setting up many phishing webservers and using DNS redirects to point at the sites that are still live. This is more complex in taking the site down since you actually need to take down the DNS redirector. Because the DNS redirector can redirect the victims to any one of say ten phishing sites, if you take one phish site down, they just redirect the victims to another site that is still up. This is similar to how very high traffic websites load balance traffic (sort of), so essentially it's a form of redundancy for the phishing operation."
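The DNS-redirector pattern described at the end of the email has a practical consequence for anyone filing takedowns: resolving the phishing hostname once tells you only about the backend that is live right now. The script below is an added example, not code from the email or its author, and it works over a constructed log of repeated DNS lookups (timestamp, hostname, TTL, answer IPs; the hostnames and addresses are made up, drawn from reserved documentation ranges). It groups the lookups per hostname, counts how often the answer set changed, collects every backend the name was ever pointed at, and flags names that moved between several backends with short TTLs. The point is that the takedown target is the name and the DNS that serves it, together with the full list of backends, rather than whichever single host happens to answer at the moment.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolution:
    """One observed DNS answer for a hostname."""
    ts: int            # seconds since epoch (constructed values)
    name: str
    ttl: int           # TTL of the A records in seconds
    ips: frozenset     # set of A-record addresses in the answer


# Constructed sample log: a phishing hostname re-pointed to new servers as
# the earlier ones are taken down, next to a stable legitimate hostname.
# Format per line: "<ts> <hostname> <ttl> <ip>[,<ip>...]"
SAMPLE_LOG = """\
1700000000 secure-login.example-phish.test 300 198.51.100.10
1700000600 secure-login.example-phish.test 300 198.51.100.10
1700001200 secure-login.example-phish.test 300 203.0.113.7
1700001800 secure-login.example-phish.test 300 203.0.113.7,192.0.2.44
1700002400 secure-login.example-phish.test 300 192.0.2.44
1700000000 www.example-bank.test 86400 192.0.2.1
1700043200 www.example-bank.test 86400 192.0.2.1
"""


def parse_log(text):
    """Parse the constructed lookup log into Resolution records."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, name, ttl, ips = line.split()
        records.append(Resolution(int(ts), name.lower(), int(ttl),
                                  frozenset(ips.split(","))))
    return records


def summarize(records):
    """Per hostname: every backend ever seen, how often the answer set
    changed between consecutive lookups, and the smallest TTL observed."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r.name].append(r)

    summary = {}
    for name, recs in by_name.items():
        recs.sort(key=lambda r: r.ts)
        all_ips, changes, prev = set(), 0, None
        for r in recs:
            all_ips |= r.ips
            if prev is not None and r.ips != prev:
                changes += 1
            prev = r.ips
        summary[name] = {
            "distinct_ips": sorted(all_ips),
            "changes": changes,
            "min_ttl": min(r.ttl for r in recs),
            "first_seen": recs[0].ts,
            "last_seen": recs[-1].ts,
        }
    return summary


def rotating_hosts(summary, min_distinct=2, max_ttl=3600):
    """Hostnames whose answers moved across several backends with short
    TTLs: the DNS-redirector pattern rather than a single static site.
    The thresholds are assumptions for this example, not measured values."""
    return sorted(
        name for name, s in summary.items()
        if len(s["distinct_ips"]) >= min_distinct
        and s["changes"] >= 1
        and s["min_ttl"] <= max_ttl
    )


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for name in rotating_hosts(report):
        s = report[name]
        print(f"{name}: {len(s['distinct_ips'])} backends, "
              f"{s['changes']} changes, min TTL {s['min_ttl']}s")
        print("  takedown targets: the name itself plus", ", ".join(s["distinct_ips"]))
```

Run against real data, the input would come from scheduled lookups of the reported hostname from several vantage points; the short TTL is what lets the operator move victims to the next live site quickly, which is why a single lookup at report time under-describes the operation.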
