Here's the fake screen that you get when you click on one particular phishing email:
What's interesting is that static address, which indicates a possible broadband hosted, static ip address website. Visiting the top level, you get a nice "hello world" type website. As you can see it's using PHPTriad which is an installer of Apache, MySQL and PHP for Windows.
So, did this user knowingly host a phishing site using PHPTriad... or was this software installed using a trojan, without the users knowledge?