Ivybridge_I7
Cyber-Crime Researcher OpSec
Premium Member
join:2004-06-09
Daytona Beach, FL
Reduction in Phishing Scams for the month of December 2010


[chart: November 2010 stats (phishtank.com)]

[chart: December 2010 stats (phishtank.com)]

[chart: December 2009 stats (phishtank.com)]

Has anyone else noticed a huge decrease in phishing scams in the last three weeks? It appears that the evil phisher-men have taken a break for the Christmas holiday. The top ten targets listed below are now seeing a reduced risk of fraud on the internet.

Except for the dramatic peak on December 22, 2010, the number of phishing scams circulating on the internet, and therefore submitted to Phishtank.com, has dropped compared to the stats for November 2010. The reduction can also be seen by comparing against the submission results from the Phishtank.com stats for December 2009.

Does anyone have any type of speculation of why this is occurring?

Maybe a large scale Bot-net was taken down?

Top 10 targets for phishing scams (stats from Phishtank.com)

 1. PayPal                    4,723
 2. Facebook                  1,214
 3. Zynga                       590
 4. Internal Revenue Service    492
 5. Orkut                       379
 6. Sulake Corporation          376
 7. HSBC Group                  311
 8. World of Warcraft           288
 9. Steam                       152
10. Bradesco                    120

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

They're probably only gathering their strength and resources for the big January push, when all the marks are flush with Christmas-return cash.

Snowy
"LET'S GO DARWIN"
Premium Member
join:2003-04-05
Kailua, HI

to Ivybridge_I7
A part of that anomaly can be attributed to a DIICOT investigation of VoIP abuse in Constanta that became public with arrests on Dec 14, 2010.
Briefly, the group in part consisted of actors who are full-time phishers that were moonlighting for extra $ by identifying vulnerable phone systems. The matchup was perfect, as the skills/routines used in phishing mirror those used to identify vulnerable phone systems.
As the investigation neared its arrest date these actors became aware of it, forcing them to lay low, way low.
I'm aware of one Romanian phisher that identified ~45,000 vulnerable phone systems in a 3-month period this year.
For the phisher, monetizing this data took two forms: selling the weak system data for a rumored ~$1.00 each, or using the data to place premium calls that had themselves or an accomplice as the beneficiary, which explains why it was embraced so quickly and thoroughly by some in the phishing industry.
A look at this site owned by one of the ringleaders, Cristian Catalin Zlate Ciuvica, helps explain how the business end of the transaction worked:
"International Premium Rate Numbers are based on a Pay per Minute system, where the content provider can decide the amount to charge the customer by making him hold the line for a defined period of time."
»shadowcommunications.co.uk/

To a degree it also had what could be called a 'chilling effect' on the daily routine of phishers not directly involved in this scam, which might be another reason for the slump.

"Dozens of searches in Constanta and in 6 counties in case of a 11 million euro fraud
»translate.google.com/tra ··· -de-euro

Ivybridge_I7
Cyber-Crime Researcher OpSec
Premium Member
join:2004-06-09
Daytona Beach, FL

said by Snowy:

A part of that anomaly can be attributed to a DIICOT investigation of VoIP abuse in Constanta that became public with arrests on Dec 14 2010
Briefly, the group in part consisted of actors who are full time phishers that were moonlighting for extra $ by identifying vulnerable phone systems.
»shadowcommunications.co.uk/

»translate.google.com/tra ··· -de-euro

From the way I see it, it appears that a rather large spam botnet was taken down.

Before this slowdown occurred, there was a very large volume of compromised sites being reported. Many were dedicated servers that controlled thousands of domain names being used for phishing scams, under the same A name.

Botnets Barely Stirring this Christmas Season
Shane McGlaun (Blog) - December 22, 2010 1:02 PM
McAfee's Sam Masiello said botnet traffic appears to have dropped over the last six weeks. This has some to do with the major botnets that have been put out of commission this year. McAfee reports that the botnet traffic it is seeing comes from the Cutwail and Rustock botnets which are said to be two of the largest spamming botnets online today.
»www.dailytech.com/Botnet ··· 0462.htm

To be sure, there were a number of takedown operations targeting botnet operators during the year. Law enforcement in Armenia, for example, arrested a man in October on charges of running a botnet of PCs infected with Bredolab, a notorious Trojan downloader. In November, federal authorities picked up a man in Las Vegas linked to the Mega-D botnet.
»www.eweek.com/c/a/Securi ··· -566115/

Snowy
"LET'S GO DARWIN"
Premium Member
join:2003-04-05
Kailua, HI

said by Ivybridge_I7:

From the way I see it, it appears that a rather large spam botnet was taken down.

Sure, anything is possible, but that analysis concludes with phishers not phishing for lack of available servers.
I'd be more than leery hanging my hat on that conclusion, especially as a driving force behind the lull.

Ivybridge_I7
Cyber-Crime Researcher OpSec
Premium Member
join:2004-06-09
Daytona Beach, FL

http://www.'domain name'/~votingpa/images/ppl/

said by Snowy:

Sure, anything is possible, but that analysis concludes with phishers not phishing for lack of available servers.
I'd be more than leery hanging my hat on that conclusion, especially as a driving force behind the lull.

Example of what I am saying when it comes to server compromise:

Registrant:
Blare Media
5756 N. Marks Ave.
Suite 170
Fresno, California 93711
United States

»www.relentlessmetal.com/ ··· ges/ppl/
»www.phishtank.com/phish_ ··· =1094167
canonical name relentlessmetal.com.
aliases
addresses 76.74.253.47
Domain Name: RELENTLESSMETAL.COM
Registrar: WILD WEST DOMAINS, INC.
Whois Server: whois.wildwestdomains.com
Referral URL: »www.wildwestdomains.com
Name Server: NS1.GEODNS.NET
Name Server: NS2.GEODNS.NET
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 14-may-2010
Creation Date: 14-may-2010
Expiration Date: 14-may-2012

»www.fruitfairydelivers.c ··· ges/ppl/
»www.phishtank.com/phish_ ··· =1094164
canonical name fruitfairydelivers.com.
aliases www.fruitfairydelivers.com
addresses 76.74.253.47
Domain Name: FRUITFAIRYDELIVERS.COM
Registrar: WILD WEST DOMAINS, INC.
Whois Server: whois.wildwestdomains.com
Referral URL: »www.wildwestdomains.com
Name Server: NS1.GEODNS.NET
Name Server: NS2.GEODNS.NET
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 22-apr-2009
Creation Date: 16-apr-2009
Expiration Date: 16-apr-2011

Snowy
"LET'S GO DARWIN"
Premium Member
join:2003-04-05
Kailua, HI

said by Ivybridge_I7:

Example of what I am saying when it comes to server compromise:

I'm pretty sure you know that I know what a compromised server is, so why are you showing me what a compromised server is?
Your examples are from submits at Phishtank, which is puzzling because we are discussing what is not at Phishtank, not what is at Phishtank.
Your link to a story about the Mega-D botnet operator being arrested is equally puzzling. I have no idea how you can tie that into a phish submit lull. Maybe you could bring me up to speed by detailing that relationship that you are obviously seeing, which is totally evading me.

Ivybridge_I7
Cyber-Crime Researcher OpSec
Premium Member
join:2004-06-09
Daytona Beach, FL

said by Snowy:

said by Ivybridge_I7:

Example of what I am saying when it comes to server compromise:

I'm pretty sure you know that I know what a compromised server is, so why are you showing me what a compromised server is?
Your examples are from submits at Phishtank, which is puzzling because we are discussing what is not at Phishtank, not what is at Phishtank.
Your link to a story about the Mega-D botnet operator being arrested is equally puzzling. I have no idea how you can tie that into a phish submit lull. Maybe you could bring me up to speed by detailing that relationship that you are obviously seeing, which is totally evading me.

Okay, here is the thought process:

The example that was posted shows how a server on Server Beach which is hosting multiple domain names was compromised. Each individual domain name is being submitted to Phishtank, usually in this format:

Re: »xxx.'domain name'/~'same random word'/images/ppl/

As soon as I see the above URL format over and over again, I know that some server has been pwned and that it contains hundreds, maybe thousands, of domain names being used in phishing scams.

After some investigation work it's always the same A name under the same name servers, or sometimes another name server configuration.

It appears that a person or organization who does website design and hosts thousands of websites on a dedicated server ends up getting hacked. This then creates thousands of listings on Phishtank, increasing the volumes per month even though all the sites have the same A name.

The more often this occurs, the more the volumes will appear disproportionately large during certain months versus months when this doesn't occur.

Phishing sites are either short URLs, free hosting sites, single sites registered by the phisherman, hacked single virtual or dedicated sites, or servers that host multiple sites and/or domain names.

In my opinion, Phishtank's stats are somewhat skewed when reporting multiple sites under the same A name which have the above URL format.

Who's to say that the Mega-D botnet operator who was arrested didn't have some part in sending out phishing scams?
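The two whois/DNS dumps earlier in the thread and the "same A name, same /~user/images/ppl/ path" reasoning above describe a de-duplication heuristic: when many distinct hostnames resolve to one IP and carry an identical tilde-user path tail, they are tenants of one compromised shared server, not independent phishing kits, and counting them one per hostname inflates the monthly numbers. The script below is an added example, not code from the thread or from Phishtank, that applies that heuristic to constructed sample submissions. All hostnames, IPs and nameservers are placeholders in reserved documentation ranges, and the `SAMPLE_SUBMISSIONS` records stand in for (URL, A record at submission time, nameserver) tuples that a real feed would have to be resolved into.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Tilde-user path: /~<account>/<tail>. The account name varies per tenant on a
# shared host; the tail (e.g. images/ppl) is what the kit dropped everywhere.
TILDE_PATH = re.compile(r"^/~(?P<user>[^/]+)/(?P<tail>.+?)/?$")

# Constructed sample data (hypothetical hosts, documentation-range IPs).
# Fields: (submitted URL, A record resolved at submission time, primary NS)
SAMPLE_SUBMISSIONS = [
    # One compromised shared host: five tenant domains, one A record, same tail.
    ("http://www.alpha-example.test/~votingpa/images/ppl/", "198.51.100.47", "ns1.geo-example.test"),
    ("http://beta-example.test/~votingpa/images/ppl/",      "198.51.100.47", "ns1.geo-example.test"),
    ("http://www.gamma-example.test/~votingpa/images/ppl/", "198.51.100.47", "ns1.geo-example.test"),
    ("http://delta-example.test/~votingpa/images/ppl/",     "198.51.100.47", "ns1.geo-example.test"),
    ("http://epsilon-example.test/~votingpa/images/ppl/",   "198.51.100.47", "ns1.geo-example.test"),
    # Unrelated single submissions (free host, short URL): no tilde path.
    ("http://free-host.test/user123/paypal/login.php",      "203.0.113.9",   "ns1.free-host.test"),
    ("http://short.test/abc123",                            "203.0.113.10",  "ns1.short.test"),
    # A second shared host with a different tail and two tenants.
    ("http://zeta-example.test/~webdev/secure/",            "192.0.2.77",    "ns1.other.test"),
    ("http://eta-example.test/~webdev/secure/",             "192.0.2.77",    "ns1.other.test"),
]


def fingerprint(url, a_record):
    """Cluster key (A record, path tail) for tilde-user URLs; None otherwise."""
    match = TILDE_PATH.match(urlparse(url).path)
    if not match:
        return None
    return (a_record, match.group("tail"))


def cluster_submissions(submissions):
    """Group hostnames that share an A record and an identical tilde-path tail.

    Returns (clusters, singles): clusters maps a fingerprint to the set of
    hostnames behind it, singles lists hostnames with no tilde-path fingerprint.
    """
    clusters = defaultdict(set)
    singles = []
    for url, a_record, _nameserver in submissions:
        host = urlparse(url).hostname
        key = fingerprint(url, a_record)
        if key is None:
            singles.append(host)
        else:
            clusters[key].add(host)
    return dict(clusters), singles


def summarize(submissions, min_hosts=2):
    """Return (raw_count, adjusted_count, compromised_servers).

    raw_count is one per submission, as a per-URL feed would report it.
    adjusted_count counts each cluster of >= min_hosts hostnames once, on the
    reasoning that they are one pwned server rather than N phishing sites.
    compromised_servers lists (A record, tenant hostnames) for those clusters.
    """
    clusters, singles = cluster_submissions(submissions)
    adjusted = len(singles)
    servers = []
    for (a_record, _tail), hosts in clusters.items():
        if len(hosts) >= min_hosts:
            adjusted += 1
            servers.append((a_record, len(hosts)))
        else:
            adjusted += len(hosts)  # a lone tilde path is still one site
    return len(submissions), adjusted, sorted(servers)


if __name__ == "__main__":
    raw, adjusted, servers = summarize(SAMPLE_SUBMISSIONS)
    print(f"raw submissions: {raw}, adjusted: {adjusted}")
    for a_record, tenant_count in servers:
        print(f"  shared host {a_record}: {tenant_count} tenant domains")
```

The A record must be captured when the URL is submitted, not re-resolved later: once the hoster cleans up or the domain is parked, the IP changes and the cluster silently falls apart. The path-tail match is deliberately strict (same tail, same IP); loosening it to IP alone would merge unrelated sites on large shared-hosting IPs and understate the real count in the other direction.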

Snowy
"LET'S GO DARWIN"
Premium Member
join:2003-04-05
Kailua, HI

said by Ivybridge_I7:

Who's to say that the Mega-D botnet operator who was arrested didn't have some part in sending out phishing scams?

uhm, you.
said by Ivybridge_I7:

To be sure, there were a number of takedown operations targeting botnet operators during the year. Law enforcement in Armenia, for example, arrested a man in October on charges of running a botnet of PCs infected with Bredolab, a notorious Trojan downloader. In November, federal authorities picked up a man in Las Vegas linked to the Mega-D botnet.
»www.eweek.com/c/a/Securi ··· -566115/

hollister911
Member
join:2004-02-01
Pasadena, TX

to Ivybridge_I7

Regardless of the statistical perspective you use to defend or destroy an observation... I find the combination of the topic and the OP's chosen nickname most enjoyable.

I say thumbs up for the posting and I'll hope for the trend to be confirmed.

I wasn't even aware of "PhishTank". Lurk and learn... but I am compelled to blab too much to simply lurk!!

Ivybridge_I7
Cyber-Crime Researcher OpSec
Premium Member
join:2004-06-09
Daytona Beach, FL

said by hollister911:

I say thumbs up for the posting and I'll hope for the trend to be confirmed.

Trust me on this one, and this is no bragging: I can terminate a phishing site in less than five minutes after the complaint is sent to either the ISP or the hosting service.

If more internet users terminated phishing scams effectively, there would be less fraud on the internet.

antdude
Borg Ant
Premium Member
join:2001-03-25
US

to Ivybridge_I7
They will be back. :P