One-third of websites are repeat victims of phishing/spoofing compromises

According to the study, around 37% of respondents to the wide-ranging survey of site vulnerabilities and administrative responses to exploitation reported that phishing or spoof sites had been planted on their web servers two or more times before.

This telling statistic, says the study, reflects both the persistence of phishers and the difficulties of keeping them at bay.

According to Dave Piscitello, an APWG fellow, phishers value compromised websites highly because they are much harder for interveners to take down.

"They're confident that they'll be able to identify and exploit sites, and do so repeatedly. Victims are not mitigating exploits entirely or are not implementing adequate measures to keep them away", he said.

"Keeping all the components of a website - operating system, web server, applications, and content - patched and applying the most secure configuration options possible could significantly reduce initial and repeat attacks", he added.

The APWG says that its internet policy committee began an online survey of managers of websites that had been exploited in phishing attacks and other malicious activity nearly 18 months ago.

Analysis of around 270 completed surveys reveals that only one in five victims discovered the attack through their own staff, while 52% of respondents were informed of the attack by third-party security companies.

Victims also indicated that their web hosting service (18%) or the company that was phished (18%) was about as likely to notify them of the attack as their own staff.

"You can't publish active content in Internet time and verify that your protective measures against attacks remain effective. Vulnerability testing, if done at all, is done too infrequently", says Piscitello.

"That nearly 80% of incidents are being detected by third parties tells us that too few organisations take real-time monitoring or examination of logs for suspicious activities seriously", he explained.