Spam-based phishing attacks declined noticeably during the first half of the year according to IBM. However, it's not all good news,  cyber-criminals may simply be shifting to other technologies said IBM in its semi-annual security threat report .

"The decline in phishing and increases in other areas (such as banking Trojans) indicate the attackers may be moving their resources to other methods to obtain the gains that phishing once achieved," is the explanation offered in the IBM Internet Security Systems 2009 Mid-Year Trend & Risk Report. It says Russia is the top country of origin for phishing e-mails, with 7.2 percent share, while China is the top hosting country for spam URLs.

In the first half of 2009, 55 percent of the new malware seen was Trojans, an increase of 9 percent over last year, said the report. Trojan malware, which includes components called downloaders and info-stealers, are mainly being used in the form of "public-available toolkits" that are "easy to use" by criminals, the report points out.

Phishing attacks may be down because criminals "are likely getting better results with Trojans," said Dan Holden, X-Force product manager at IBM's ISS division. "It's a return on investment issue for them."

The big picture is that the web is a "dangerous place," Holden noted. Criminals are exploiting software vulnerabilities to compromise sites with malicious code or simply taking advantage of the openness of public social-networking forums to place malicious code to go after victims.

In a look at the Internet's websites in general, IBM believes that currently that about 8 percent of the Internet can be classified as "unwanted content, such as pornographic or criminal websites," which includes those for hacking, illegal drugs, malware, or selling counterfeit goods and the like.

The number of malicious web links used to trick users into downloading malware or visiting dangerous sites has increased, up 508 percent in the first half of 2009 in comparison to the number discovered in the first half of 2008, says the report. The U.S. is the top country where such malicious web links can be found, accounting for 36 percent of known malicious links, with China holding the second spot.

Malicious Web links are often embedded in web sites which are trusted by users as attackers take advantage of Web site vulnerabilities or simply placing malicious code in public web pages and forums they are allowed to use like anyone else. "Attackers are focusing more and more on using the good name of trusted Web sites to lessen the guard of end users," IBM noted.

When it comes to spam, the bulk of it today is still classified as URL spam in which a person clicks to view the spam content and China accounts for 41.4 percent of all spam URLs, according to the report.

One disturbing trend is that the amount of spam using "well-known and trusted domain names has continued to increase" as legitimate websites are exploited by those posting links from forums and other public comment areas associated with them. "Trusted domain names are often used as decoys," said Holden.

Research by IBM shows a sharp upturn in this kind of URL spam exploit taking advantage of popular and trusted domain names, with top targets include,, as well as health-information sites, and

In the report, IBM also drew attention to growth in the "anonymous proxy," defined as web proxies that "allow users to enter a URL on a web form instead of directly visiting the target website." IBM warns that if a web filter is not set up to monitor or block anonymous proxies then the activity that might otherwise be stopped will bypass the filter and allow the user to visit the disallowed web page. Today, there are more than twice as many anonymous proxies online there were 18 months ago, said IBM.

When it comes to software vulnerabilities and patching them, there's been an 8 percent decrease over the first half of 2008, with 3,240 reported vulnerabilities disclosed in the first half of the year by vendors and open-source communities managing a code base.

In ranking by numbers of vulnerabilities that have remained unpatched, open-source Joomla! earned the worst marks with 80 percent of its 40 vulnerability disclosures unpatched, according to IBM.

Joomla! was followed by Apple with 18 percent of 122 disclosed vulnerabilities unpatched. Microsoft came in at 17 percent of 100 disclosed vulnerabilities unpatched, open-source Drupal with 14 percent of 65 disclosures unpatched and Mozilla with 14 percent of 59 vulnerabilities unpatched.

Cisco, Novell, HP and Sun logged 14 percent or less in the percentage of reported disclosures left unpatched, according to the IBM report.