The volume of unique phishing attacks hit an all-time high in January, while fraudsters broadened their reach to spoof Web sites they hadn't targeted before, such as social-networking and gambling sites, according to a group that tracks phishing fraud. The number of unique phishing e-mails hit 29,930, up 26% over December and surpassing the previous record of 28,571 reached last June, according to the Anti-Phishing Working Group. Each unique e-mail represents a blast that could contain hundreds of thousands of copies of the e-mail.

Meanwhile, the group discovered fraudsters in Brazil are using a toolkit created by Russian sources that enables the fraudsters to embed malicious code on users' computers when they visit spoofed Web sites. "This combination of the groups working together is relevant because previously we have not seen such collaboration," the APWG report for January, released this week, notes. "This toolkit is the most popular exploit kit on the Web today." Phishing attacks based on the toolkit, the report says, represent the largest volume of unique attacks the group sees from day to day.

While the number of legitimate brands appropriated by fraudsters in phishing attacks stayed fairly constant in January, at 135, the APWG found the criminals broadening the scope of the type of site they target to include social-networking portals and gambling sites. It also discovered more brokerage sites being spoofed. Overall, Internet service providers (ISPs) for the first time accounted for more hijacked brands (4.4%) than retailers (2.2%). As usual, the financial-services sector accounted for most attacks, at 88.9%.

Despite the spike in unique attacks, the number of unique Web sites used as part of phishing schemes dropped slightly in January, to 27,221, and remained well below the record high of 37,444 posted in October.

In phishing schemes, fraudsters use the logos, slogans, and other property of trusted consumer brands to dupe Internet users into visiting spoofed Web sites, where they are induced to give up passwords, PINs, account numbers, and other sensitive information.