One of the defining characteristics of a takedown provider is its ability to detect phishing sites. Through various approaches, takedown vendors have defined their strategies for detection of malicious emails - either building up their own spam traps, pulling data from third-parties like the Anti-Phishing Working Group, partnering with mail service providers, or even acquiring other organizations. While these approaches are often successful, in that they detect a significant number of phishing attacks, they are still incomplete, and often are missing a non-negligible amount of phish.
Recently, there has been a spike in fast-flux, high-volume phishing activity. Previously, this was known as "Rock Phish" activity; however that can be considered version 1.0 - domains, hosted on a botnet, targeting multiple financial brands and their customers via phishing sites. Version 2.0 - known as Avalanche or ZBOT - is particularly troubling as they have evolved to include a malware payload, and broadened their target base by including social networking sites, government agencies, and even spoofing the email recipient's domain. While complete fraud-loss and malware infection rates are difficult to come by, Damballa research found that the Zeus Trojan - the malware payload included in the Avalanche attacks - has infected 3.6 million systems in the U.S. alone.