Tim Bray equates phishing websites to crooks in plain sight which makes no sense and asks what he is missing.  Well, Tim.  They are not crooks in plain sight but stolen getaway cars.  Those websites are either zombies*, parasites*, or simply setup with stolen credit cards by crooks.

Phishers populate phishing websites with pages that mimic financial websites and a CGI that forwards submitted passwords and credit card numbers to a public channel such as newsgroups where crooks can recover the goods without leaving traces pointing back to them.  To prevent others from stealing the goods in transit, they either encrypt them or hide them inside multimedia files.

Fortunately, there are no efficient market infrastructures for stolen authentication devices yet.  So phishing currently impacts customer support most severely with each phishing attack generating high number of calls and emails for the targeted financial service.  But spear phishing** is expected to change that in the near future.

If you are interested in anti-phishing technologies, take a look at PassMark Security which offers a simple yet elegant solution.

Disclaimer: PassMark is a client of mine.

* I prefer to differentiate zombies from parasites by defining zombies as compromised home computers with broadband connection and parasites as hidden webapps running inside compromised public websites.

** Spear phishing is where, instead of targetting millions with generic attacks, phishers target just a handful of rich individuals with designer attacks based on target-specific information.