Not every phisher is a “mom-and-pop” style business run by a random malicious geek in a basement somewhere. Many of them are professional organizations, and to that end many of them have even become entrepreneurs in their own fields. According to RSA, it has discovered phishing kits for sale, designed to be a universal starter kit for people looking to steal information from others:
Using the 'Universal Man-in-the-Middle Phishing Kit' the fraudster creates a fraudulent URL via a simple and user-friendly online interface, which communicates with the legitimate Web site of the targeted organization in real-time. The victim receives a 'standard' phishing email, and upon clicking on the links, he/she is directed to the fraudulent URL. The victim, then, interacts with genuine content from the legitimate Web site, which has been imported by the attack into the phishing URL, thus allowing the fraudster seamless, invisible, and immediate access to the victim's personal information.
It's an instant 419 scam out of the box, and probably comes with a free prize. Could it actually be effective, and worth someone's time to invest in a crook tool? Apparently so, which makes it easier to realize how easily many of the Internet masses are duped.
There are a million answers to problems such as these; unfortunately, most of them do not work. Marc Gaffan of RSA says these types of scams are only going to increase in the coming years, and with more and more people getting online, it's not that much of a surprise.
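Because the kit in the RSA description relays each victim's session to the legitimate site in real time, the legitimate site can see many different accounts signing in from the relay's address. The following is an added example, not from RSA or the original post, of flagging that pattern in login logs; the log format, the threshold, the window and the premise that the relay uses one source address are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <client IP> <account>".
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-01-10T09:00:05 198.51.100.7 alice
2024-01-10T09:01:10 203.0.113.50 bob
2024-01-10T09:01:40 203.0.113.50 carol
2024-01-10T09:02:15 203.0.113.50 dave
2024-01-10T09:02:20 198.51.100.7 alice
2024-01-10T09:03:30 203.0.113.50 erin
2024-01-10T11:30:00 192.0.2.9 frank
2024-01-10T13:45:00 192.0.2.9 grace
"""

def parse(line):
    """Split one log line into (timestamp, client IP, account)."""
    ts, ip, account = line.split()
    return datetime.fromisoformat(ts), ip, account

def flag_relay_sources(log_text, max_accounts=3, window=timedelta(minutes=10)):
    """Return {ip: sorted accounts} for every source IP that logged in to more
    than max_accounts distinct accounts inside any sliding window.
    The default threshold and window are assumptions to tune per site."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, account)
    flagged = {}
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, ip, account in events:
        q = recent[ip]
        q.append((ts, account))
        # Drop logins that have aged out of the window for this IP.
        while ts - q[0][0] > window:
            q.popleft()
        accounts = {a for _, a in q}
        if len(accounts) > max_accounts:
            flagged.setdefault(ip, set()).update(accounts)
    return {ip: sorted(a) for ip, a in flagged.items()}

if __name__ == "__main__":
    for ip, accounts in flag_relay_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(accounts)} accounts in window -> {accounts}")
```

Shared egress addresses such as corporate or carrier NAT produce the same pattern, so a hit is a lead for review rather than proof of a relay.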