Bots, breaches and bugs plague 2006
Robert Lemos, SecurityFocus 2006-12-27

Online fraudsters, big-time spammers and computer intruders had little problem finding security holes to exploit in 2006.

Whether the openings came from user ignorance or poor judgment, a software maker's error or misconfiguration, the profiteers of the Internet had a banner year turning the security mistakes of others into money.

Signs of the trend are obvious. The number of phishing sites used by online fraudsters jumped more than eight-fold year over year, according to the Antiphishing Working Group. The number of denial-of-service attacks doubled between January and June, according to Symantec, the owner of SecurityFocus. And, mail service provider MessageLabs intercepted, on average, one targeted Trojan horse attack every day in 2006, up from one a week in 2005.

If there is a lesson in 2006, it's that cybercrime is a booming business.

"Cybercrime and the criminals behind malware are getting more and more organized," Karel Obluk, chief technology officer for antivirus firm Grisoft, told SecurityFocus. "They can afford to hire professionals, and it is becoming a business for many people."

The trend is quickly making the de facto term for such code--malicious software or malware--a misnomer. The virus writers and spyware coders are not creating the code for malicious reasons but to make money illegally, making the term coined by antivirus firms--crimeware--more appropriate.

For example, spammers are using bot nets--large numbers of compromised computers controlled by a single person--to help them send a greater volume of messages. The development has increased the global volume of spam by at least a third in the last six months, according to Symantec, though other firms put the increase as high as 450 percent.

When one firm, Blue Security, claimed to have impacted the operations of major spammers, one bulk e-mailer decided to take on the Israeli company. A sustained denial-of-service attack took down the company's Web site, domain registrar and blog site. The company eventually capitulated and closed its doors.

"This is their primary form of employment now--it's a 9-to-5 job," Oliver Friedrichs, senior director for Symantec Security Response, said in a recent interview. "They are not doing it on weekends, and they are not doing it during the summer months."

Other cybercriminals are taking a more personal approach: hijacking people's stock accounts and using the access to drive up the price of certain thinly traded penny stocks has also become popular. Details of one scheme appeared in the court papers filed by the U.S. Securities and Exchange Commission (SEC) in support of a civil action against one apparent stock scammer. A Russian national allegedly used a company registered in Belize and based in Estonia to execute trades in stock whose prices had been manipulated by compromised accounts.

Such attacks are not isolated incidents. Account intrusion has resulted in $22 million in losses in the third quarter alone for two U.S. financial firms. TD Ameritrade posted $4 million in losses in their third quarter to account for replacing the funds customers lost due to account hijacking. E*Trade Financial reported that online identity theft by hackers cost them $18 million in the same period.

Identity theft, of course, continued to be a major worry in 2006. Because of data breach disclosure laws that have passed in the majority of states, companies, government agencies and schools regularly released details of significant data leaks.

In May, the Department of Veterans Affairs revealed that the names, social security numbers and birth dates of nearly 26.5 million veterans had been stored on a laptop and external hard drive that were stolen from an employee's home. The laptop and hard drive were later recovered, but the incident resulted in the federal government tightening data handling and laptop security rules.

Both the University of California, Los Angeles and the University of Texas at Austin reported major breaches this year affecting hundreds of thousands of students.

In total, more than 48 million personal records were exposed in 2006, according to the Data Loss Archive and Database maintained by Attrition.org.

For flaw finders, fuzzing became all the rage in 2006.

The technique for systematically finding software flaws, which many researchers frowned on as a tool for script kiddies, fueled the release of information on a large number of bugs in browsers, ActiveX, various operating systems' kernels and, likely, Microsoft Office.

The ability to find a large number of flaws quickly led researchers to search for new ways to make a public-relations splash, resulting in two months of daily bugs. The Month of Browser Bugs, spearheaded by well-known security researcher HD Moore, disclosed flaws in Microsoft's Internet Explorer, Mozilla's Firefox, and Apple's Safari. The Month of Kernel Bugs, managed by a security researcher using the handle "LMH," uncovered flaws in the Windows kernel, the Linux kernel, and the Mac OS X operating system.

The large number of flaws found by such techniques helped make 2006 a banner year for bugs.

The number of vulnerabilities reported exceeded 6,400 in 2006, a third higher than the year before, according to data from the National Vulnerability Database, a federally funded effort managed by the National Institute of Standards and Technology (NIST).

Web flaws have replaced other types of bugs as the major source of vulnerabilities. An informal study of the vulnerabilities listed by the Common Vulnerabilities and Exposures (CVE) Project, the source of much of the data for the National Vulnerability Database, found that Web flaws--cross-site scripting flaws, database injection bugs, or PHP file inclusion vulnerabilities--topped the list of flaws found in the first nine months of 2006. The three types of flaws accounted for 45 percent of all vulnerabilities.

"The existence of these web-friendly languages, like PHP, lowers the bar for someone to create a useful application but also lowers the bar for someone to find vulnerabilities in that application," Steven Christey, the editor of the CVE and the author of the draft study, said at the time.

Indeed, a search of the National Vulnerability Database conducted by this reporter found that about 43 percent of the flaws listed in 2006 contain PHP in the description. Randomly checking the bug reports found each issue could be attributed to a Web application written in the PHP dynamic Web language.

The deluge of flaw reports put the topic of responsible disclosure back in the limelight. Vendors and researchers debated the merits of paying bounties for vulnerabilities, while some researchers attempted to auction off information about previously undisclosed flaws. The prosecution of a security researcher who revealed a flaw in the University of Southern California's online admissions Web database left many flaw finders feeling uneasy.

The researcher, Eric McCarty, eventually agreed to plead guilty.

Copyright 2006, SecurityFocus