While the social-engineered scams typical of phishing are not going away, they are being replaced by more dangerous, and less directly deceptive, technologies like keyloggers and site redirectors. These more sophisticated types of scams are growing at a faster rate.

Gregg Keizer, Contributor

August 3, 2005

While the number of phishing scam Web sites stayed relatively flat in June, the most malicious form of Internet ID thievery has doubled in just three months, said the Anti-Phishing Working Group (APWG) Wednesday.

According to the APWG, a collection of over 1,700 companies, banks, ISPs, and government agencies, the social-engineered scams typical of phishing -- where users receive e-mails enticing them to a site, then are tricked into entering confidential personal data, such as online bank or credit card account passwords -- are being replaced by more dangerous, and less directly deceptive, technologies like keyloggers and site redirectors.

"The trend of phishing with [e-mail] bait and a Web site is not going away," said Dan Hubbard, the senior director of security and technology research at Websense, a company which helps the APWG analyze its data. "But new and more sophisticated means are growing at a much faster pace."

Since April, for instance, the number of phishing-related Trojans that plant a keylogger to silently monitor and record access to online bank accounts has doubled, from just 77 in April to 154 in June, the most recent month for which there is data.

The number of Web sites hosting malicious code meant to steal identities also doubled in the period, from 260 in April to 526 in June.

Keyloggers aren't the only malware that the APWG has spotted in increasing numbers. Also on the upswing are redirectors, which range from Trojans that reset the Windows HOSTS file to bits of code that exploit browser vulnerabilities to send users to spoofed sites rather than the real thing.

"These are somewhat more dangerous forms of phishing in that all the user education that people have been pushing may not apply to these forms of attacks," said Hubbard. "Just when people are used to making sure they see an SSL logo on a site to show it's encrypted, or to type the address of a site in themselves instead of following a link in an e-mail, this comes along."

The June APWG report called the technological step-up "manifestly more potent than pure social engineering schemes."

"It's all part of the cat and mouse games between phishers and users," said Hubbard. "Phishing is evolving past some of the countermeasures that have been successful against the old attacks. That's why it's important to bring awareness about these new kinds of attacks."

The APWG is so concerned about the increase in the keylogger- and redirector-based scams that it's begun something called "Project: Crimeware," a program of collaborative research for capturing sample scams, then recording and characterizing them to include in the group's monthly reports.

"Crimeware expands the number of institutions that can be targeted in a single campaign and removes the necessity of directly deceiving the consumer," said Peter Cassidy, the secretary-general of the APWG, in a statement issued Wednesday. "Instead of spoofing one brand, the phishers are planting keyloggers that can intercept theoretically the username and password of customers of any number of institutions," Cassidy continued.

Hubbard pointed out an example: a Trojan horse identified by Panda Software as Bancos.nl, which watches for and records usernames and passwords for literally thousands of banks and other financial institutions' Web sites.

"Most Trojans target three to five brands, but some, like Bancos, aim at a huge number," said Hubbard.

And the trend toward such silent ID harvesting, added Hubbard, will get worse before it gets better.

"The increase in July's numbers are even more dramatic," he said.
