Wow, lots of meat in that report
for us to chew on. I haven't finished reading, but the summary is promising already:
1. The Avalanche phishing gang was responsible for two-thirds of all phishing attacks launched in 2H2009. (Page 5) Avalanche successfully targeted vulnerable or non-responsive domain name registrars and registries. However, Avalanche changed its activities significantly in November 2009, and as of this writing has a different modus operandi and greatly reduced scale. (Page 9)
2. In 2H2009, the average uptime of all phishing attacks continued to drop from previous periods. (Page 11) Some of this improvement is due to the attention that Avalanche phishing received from the response community. The average uptime for Avalanche domains was less than half of that for non-Avalanche domains. Unfortunately, non-Avalanche phish stayed up noticeably longer in 2H2009 than they did in 1H2009.
3. The amount of Internet domain names and numbers used for phishing has remained fairly steady over the past two-and-one-half years, a period in which the number of registered domain names in the world has grown. (Page 15)
4. The great majority of phishing continued to be concentrated in certain namespaces -- just five top-level domains (TLDs). (Page 15)
5. Phishers are not leveraging the unique characteristics of internationalized domain names (IDNs), and there are factors that may perpetuate this trend in the future. (Page 19)
6. Phishers continue to use subdomain services to host and manage phishing sites. Phishers use such services as often as they register domain names. This activity shows phishers using services that cannot be taken down by domain registrars or registry operators, in the hopes of extending uptimes of attacks. (Page 20)
"Subdomain services" would be the "Hosters" that Red keeps on top of.