Page 2 of 3

Cyber Crime 2.0


The Storm worm also pioneered the use of alternative file formats to evade anti-spam filters, with spam messages propagating the malware embedded in Adobe PDF files, Microsoft Excel documents and even MP3 music files.


Technologically speaking, Storm reached far beyond anything security researchers had encountered in the past. Where most "botnets" -- large groupings of computers controlled by a hacker or organized crime group -- tend to be controlled from centralized locations through a hierarchical structure, each Storm-infected computer receives updates and instructions via a distributed peer-to-peer file sharing network, the kind typically used to trade music and movies.

The distributed nature of the Storm worm network makes it far more difficult for researchers and law enforcement to shut it down or accurately gauge its size. Estimates of the number of PCs infected by Storm this year ranged wildly from 1 million to 10 million worldwide.

Tom Gillis, vice president of marketing for IronPort, a San Bruno, Calif.-based e-mail security firm, said the Storm worm's success as a reusable platform for reliably delivering junk e-mail is almost certain to attract attention from copycats in 2008.

"Storm brought the first implementation of spam that linked to YouTube to deliver its message and payload," Gillis said. "Within months, the creative Storm used for its site became much more refined, including football Web sites timed to coincide with [the start of] the NFL season, and then scary screensavers around Halloween. Someone behind that gang is a marketer who understands the mass market and the consumer."

Overall, Storm contributed mightily to the flood of spam e-mail sent in 2007, which increased 100 percent over 2006, according to IronPort. That's roughly 120 billion spam messages daily, or about 20 spam e-mails per day for every person on the planet.

'Spear Phishing' and Targeted Attacks

The past year was also the first in which a good percentage of spam included the recipient's full name in the subject line. For the most part, that personalized touch was included as a means of enticing people to open junk e-mail messages touting knock-off prescription drugs or designer watches.

But nowhere was the personalization trend more evident than in this year's bumper crop of "phishing" attacks -- scams in which fraudsters use spam messages to trick people into entering their personal and financial data at fake e-commerce and banking sites. U.S. consumers lost roughly $3.2 billion to phishing scams in 2007, according to a survey by Stamford, Conn.-based research firm Gartner Inc.

In an alarming number of cases this year, phishing e-mails contained personal details about the recipients in both the salutation and body of the messages.

Such was the case with nearly a dozen separate incidents throughout 2007 in e-mails that appeared to have been sent by the Better Business Bureau, the FBI, the Federal Trade Commission, the IRS and the Treasury Department. The approach of each attack was nearly identical: Recipients were addressed by their full name in an e-mail that claimed that a complaint had been filed against the recipient and his or her employer. Recipients were asked to review the complaint by opening an attached document, which silently installed a password-stealing program when opened.

Mark Sunner, chief technology officer of MessageLabs, an e-mail security company based in New York City, said some of the attacks exclusively targeted executives at many of America's largest corporations. Sunner believes that next year scammers will actively mine social networking sites like Facebook, LinkedIn and MySpace for even more details about recipients that they can later use in phishing and malware-related attacks.

"These attacks have become much more tailored, and phishing is becoming much more laser-focused," Sunner said. "This is where the slightly more sinister side of social networking sites starts to play a part."




© 2007 Washingtonpost.Newsweek Interactive