With a year’s worth of data in hand, an analysis of attacks illustrates common patterns and practices in the operation of phishing scams. Top Targets: eBay and Paypal: The eBay online auction site and its Paypal payment processing unit were the top target for phishing scams in 2005, comprising nearly 62 percent of all phishing URLs submitted to Netcraft. Many of these were “insta-spoofs” served from free sites or cracked machines, often via a botnet. While many of these scams are hosted on IP addresses, the filename often includes the name of the targeted brands or emulates aspects of their URLs. More than 13,000 confirmed phishing sites used URLs that included either “paypal” or “ebay,” usually as a subdirectory or filename. These domains included slight misspellings, substituting numbers for letters or using hyphenated phrases or third-level domains (paypal.mysite.com). Nearly 4,700 phishing URLs contained the string “webscr,” mimicking the genuine Paypal cgi script.