• Tech: What will go wrong in 2008

    There was no Melissa virus in 2007, no LoveBug, no computer worm that brought corporate America to its knees for an afternoon. In fact, many experts suspect the days of that kind of cyber-havoc are over.

    Today, cyber attacks are more stealthy -- and much more successful. If 2007 offers any hints of what's to come, technology users will face a much wider spectrum of attacks next year. Their identities will be stolen, their computers will be hijacked, and probably, their handheld gadgets will be targeted like never before. Social networks will be a prime target for criminals, and cyber-spying may very well come of age.


    Below you'll find a list of things tech users should worry about next year. But first, a quick recap of this year's techno-crime.

    Massive data leaks grabbed the biggest headlines in 2007. In January came news that retailer TJ Maxx had suffered a serious hacker attack, and word eventually trickled out that nearly 50 million credit and debit cards were put at risk by that incident. Toward the end of the year, the British government had to admit it lost data on nearly half its population. And in between, the amount of data lost on U.S. residents eclipsed 215 million records, according to the Privacy Rights Clearinghouse. Sometime in 2008, I can safely predict, a piece of data will be reported lost for every single U.S. citizen, an astonishing number.

    More astonishing? Not much will be done about it.

    But while data leaks might be troubling, there's another technology headache that caused far more damage last year -- the attack of the (ro)bot armies.

    This was a devastating year for many home computer users, and most people probably don't even know it. Vint Cerf, a founding father of the Internet, said in January that perhaps one-quarter of all PCs were infected with a computer virus, or "bot," that gives a hacker total control of their machine. There is some dispute about the total number of infected machines, but there's little disagreement that tens of millions of users are infected -- meaning at least one computer on your block right now is doing the bidding of a criminal.

    Meanwhile, millions of consumers fell for phishing e-mails. Gartner's Avivah Litan released a study in December suggesting that U.S. consumers continue to fall for fake e-mail at alarming rates, losing $3 billion in the process.

    How could cybercrime be committed on such a massive scale? Millions of infected computers, billions of dollars? Simple: the real story this year is the increased professionalism of cybercrooks. In fact, an entire new industry has formed around phishing and viruses, says Symantec researcher Vincent Weafer – cybercrime customer support.

    Russian hackers are now writing software that automates many attacks. A program named "Mpack" lets malicious programmers create viruses that infect home computers with a few mouse clicks. Software called "Rockfish" automates creation of phishing campaigns. Both sell for hundreds of dollars, and even come with support contracts. And both, Weafer says, allow hackers to profit off cybercrime without ever having to get their fingers dirty with actual theft.

    "The top three automation tools accounted for about 40 percent of all phishing e-mails in 2007," Weafer said.

    So if 2007 was the year of the automated theft, the 'bot armies and more phish than an aquarium, what does 2008 have in store? Here are some predictions for high-tech crime and other tech troubles in the New Year.

    NEXT YEAR
    1) More targeted phish
    Criminals are refining their attacks in other ways. They've learned that the more personal a fake e-mail is, the more likely a consumer will fall for it. You probably won't answer an e-mail from a credit union where you don't have an account. But if the e-mail is addressed to you, indicates your home town, and comes from your bank, you just might fall for it. Also, studies have shown men are much more likely to fall for e-mail trickery that comes from women. Expect much trickier phish next year.

    2) Social networking attacks
    Criminals have been probing MySpace and Facebook for a while now, looking for ways to take advantage of the huge audiences these sites command. So far, both firms have contained such attacks, in part because their closed networks are hard to inject with malicious code -- and attacks are easy to stop once they happen. But as third-party tools and applications become more popular, Facebook and MySpace attacks will become much easier.
    Still, even if there is no noteworthy "Facebook virus," criminals already make extensive use of social networking sites, says Weafer. Using tools borrowed from marketing gurus, computer criminals are now building extensive databases with potential victim profiles (for use in targeted phishing attacks, for example). Social networks are the perfect place to do such research, and once again, automated tools have been developed for just that purpose. Software "scrapes" social networking sites, depositing tidbits into a database for use in later social engineering tricks, Weafer said.

    3) Cell phone attacks
    For years, experts (doomsayers?) have predicted a cell phone virus would eventually be created that would rampage through the world of mobile handsets. It hasn't happened, largely because cell-phone software and hardware vary so much; uniform PCs were always a much easier target.

    But with the continued adoption of smartphones, which use software that works much like traditional PC software, most experts think it's only a matter of time before cell phones suffer a full-fledged attack.

    "All devices hooked up to the network will become equal opportunity targets very soon," warns David Smith, vice president of research firm Technology Futures Inc.

    4) Nation-state attacks
    You might have missed this story because it didn't involve the U.S. government, but a remarkable thing happened earlier this month, according to the Times of London. The secretive MI5 agency sent warning letters to 300 banks saying they should be on the lookout for Chinese hackers. Cyberspies had already attacked Rolls Royce and Royal Dutch Shell, the newspaper said.

    British officials never confirmed the report, but earlier in the year had issued more general warnings about cyberattacks.

    It certainly wasn't the only reported incident of cyberwar last year. In the most notable event, Estonian officials in May blamed the Russian government for disabling its Web sites after a political scuffle between the two nations.

    As with any such accusations, it's nearly impossible to confirm who was behind these attacks. But Smith thinks the long-promised Cyber Cold War may finally be emerging.

    "(Next year) will see a continuance of such attacks by China on Western governments and industry," he said in his annual list of technology predictions. "More penetrations of government agencies and labs will be uncovered and publicized."

    Dramatic attacks on infrastructure are not likely; rather, these attacks will be more subtle and focused on information-gathering, he said. "They are basically data mining, or spying."

    5) More interruptions, more lost sleep
    Lost in all the discussion about child predators online is the much more widespread problem parents face: sleepless kids who stay up all night IM'ing friends and posting pictures instead of doing homework. Teachers report more sleepy students than ever, and with the addiction that is social networking, the problem will only get worse. So will its adult version, the CrackBerry addiction. Basex Inc. recently estimated that endless interruptions from our gadgets cost the U.S. economy $650 million last year. That estimate is a bit goofy, but I'm sure we've all had a conversation with someone who's distracted by e-mail or texting. How can we put a price tag on the fact that we're all starved for undivided attention? As e-mail phones become ubiquitous, the problem of divided attention will only increase.

    6) More bots
    Finally, just because we've already talked extensively about the problem of bots doesn't mean it can't get any worse. In fact, it will. Virus writers are so good at their craft now that they can take control of a home computer, use it to commit crimes or send out spam and never be detected. As long as consumers are unaware that they are accomplices to a crime, they won't do anything to stop it. Despite a few high-profile arrests and a concerted effort by the FBI to stop the problem (the "Bot Roast"), criminals will control more computers than ever next year.

    What do you think will happen next year? Share your thoughts below.

  • Video: Avoid bank gift cards

    Bank gift cards are the gift that keeps on taking.  MSNBC.com's Bob Sullivan reports.


    By now, you probably know that gift cards sometimes come with hidden fees that make them lose value over time. But you might not know that bank cards -- which don't come from a specific store -- have the worst fees of all.


  • Gotcha Room: Hidden shipping costs

    With time running short for online gift shopping, you may end up paying more than you should in tack-on fees and charges. Many Web sites advertise low prices, but conceal the true price -- including shipping, handling, and "expedited service" charges. But if you don't compare "out the door" prices, you'll never get the best price.


  • Pretexters allegedly duped IRS, Social Security

    Thanks to last year's scandal at Hewlett-Packard, consumers learned how easily private investigators can trick companies into divulging personal information. Now, thanks to a new federal indictment full of data theft allegations, we know they also can trick the IRS and the Social Security Administration into handing over information.

    Ten suspects were indicted last week in Seattle for allegedly impersonating consumers and obtaining their bank records, tax returns and Social Security earnings statements.

    According to the indictment, the Internal Revenue Service and the Social Security Administration were repeatedly tricked into coughing up very sensitive documents. In one case, the IRS gave a defendant nearly 10 years worth of tax records, the indictment alleges. In another, a suspect allegedly obtained tax records by claiming his accountant had recently been fired for embezzlement and the information was needed for verification purposes.

    In all, 12,000 consumers were victimized by the defendants from 2004-2007, the indictment alleges.


    At the center of the crime, according to the indictment, were Emilio and Brandy Torrella, a Seattle couple, and their employee, Steven Berwick. Operating as BNT Investigations in Belfair, Wash., the three allegedly took orders from private investigators around the country and filled them by impersonating the targeted consumers. The other investigators then resold the information.

    "This indictment alleges that private investigators across the country illegally obtained confidential information and sold it to the clients who hired them," Jeffrey C. Sullivan, the U.S. attorney for western Washington, said in a statement accompanying the indictment. "This is a very serious matter. The investigation is continuing and it is our intention to go after these 'clients' if we can prove that they knew this information was obtained illegally."

    Many of the crimes took place -- and the information was divulged -- while the Hewlett-Packard pretexting scandal was splattered in the headlines, according to the indictment. In that incident, H-P hired investigators to obtain phone records belonging to reporters in order to determine the source of a news leak.

    And about the same time Congress was debating a law that would firm up rules making the release of telephone records illegal, federal agencies were giving even more critical records to the imposters.

    Who paid for it? Still a mystery
    There is very little information about the alleged buyers of the data in this week's indictment, which says only that the data was used by "attorneys, insurance companies and collection companies to investigate the backgrounds of opposing parties' and witnesses and to uncover assets or income for satisfaction of debts."

    The Torrellas and Berwick used various story-lines to get the information, often invoking some measure of desperation or emergency, according to the indictment. For example, the imposters might say they were at a hospital awaiting surgery, "but the hospital would not perform the operation until (it) received copies of tax returns," it said. In other cases, the defendants pretended to be "battered spouses who needed the information to avoid more beatings" or to avoid "having a child abducted," it said.

    While the stories were extravagant, the prices were not. The indictment alleges that the defendants charged $130-$250 per year for tax information, $75-$125 for Social Security information, $100 for bank account balance data and $150 for five years of medical records.

    Orders didn't take long to fill.

    According to the indictment, on Jan. 3, a San Diego-based investigator requested "employment and earnings history as far back as possible." Five days later, the Torrellas allegedly provided federal income tax records from 2000 to 2004, forms that were given to them by the IRS, it said.

    Four days later, President Bush signed into law a bill that made obtaining consumer phone records through pretexting expressly illegal.

    Results in one day
    Sometimes the results came even quicker. On Sept. 14, 2006, agents working for a Brooklyn-based detective agency called the Torrellas and asked for "10 years of asset information" on a subject, the indictment says. Two days later, they allegedly handed over "information obtained from 1998 through 2005 Federal Income Tax Returns" to the Brooklyn firm.

    "It was not clear precisely how the IRS records were obtained."

    IRS officials said it would be inappropriate to discuss the allegations in the indictment.

    Forms for obtaining past tax returns are available on the IRS Web site, but require the applicant to go through a fairly elaborate process. But "transcripts" of tax returns -- electronic summaries with the most-relevant information -- can be obtained by faxing a one-page form to the IRS. The form asks only for a Social Security Number and a signature.

    An IRS official who asked not to be named said the agency does take additional steps to verify the authenticity of such requests, but would not discuss what those steps are, citing security concerns.

    The indictment alleges the Torrellas were able to get other federal agencies to release private information.

    For example, on Aug. 4, a Beaverton, Ore., firm ordered five years of employment history, a medical records search and a list of pharmacies used and prescriptions filled, it claims.

    That same day, the Torrellas provided "details of wages reported to Social Security for 2002 through 2006, report of medical records for 2003, including prescriptions taken and emergency room visits," the indictment says.

    The Social Security Administration's Inspector General's Office is investigating.

    'Thousands of times a day'
    Rob Douglas, who has testified before Congress about the issue of pretexting and personal information, said he wasn't surprised by the seeming ease with which the information described in the indictment was obtained.

    "I tell people this is happening thousands of times across the country every day and people don't believe me," he said. "Well, here it is."

    Douglas pointed to the congressional testimony of Al Schweitzer four years ago as offering the simple recipe for obtaining this kind of information. Schweitzer, who described himself as a former pretexter, said he used various "gags" to get the data he needed, and always followed a simple formula:

    "Identify the piece of information you are after; identify who or what institution is the custodian of the information sought; based on real world situations or actual operational procedures of the target institution, figure out under what circumstances and to whom the desired information would be released; be that person under those circumstances."

  • Data collection: Just say ‘I know my rights’

    The questions are all too familiar, and all too intimate:

    "Can I see your driver's license?"

    "Can I have your phone number?"

    "Do you have another form of ID?"

    But how do you answer? It seems that to shop is to be interviewed. Everywhere you go, you are asked invasive questions. And every time you look at the news, you see another company is losing consumers' data.

    So you would probably rather not answer those kinds of questions, but can you say "no"?


    Yes, say legal experts. In fact, some of those questions are against the law or violate credit card association terms and conditions.

    Of course, if you refuse to provide the requested information, a company can refuse to do business with you. Sticking up for yourself is almost certain to lead to a small scene at the store, something I call "data bickering." And since it seems like everyone asks questions like these all the time, it's not practical advice to "just say no." But it helps if you can say, "I know my rights."

    First in an occasional series, "What do you do if ... ?"

    Well-placed complaints can be surprisingly effective. But hitting a store where it counts -- at the cash register -- is more effective than complaining through government agencies. Here are some tips:

    1. TELL THEM THEY ARE BREAKING CREDIT CARD RULES
    Recently, I shopped at a small furniture store that requires a driver's license for credit card purchases. The clerk even enters the number into a computer. When I balked at this, she cited company policy.

    It turns out, the store's policy violated Visa policy. On page 28 of Visa's merchant agreement (available here as a .pdf file), the association informs merchants that they are not permitted to require additional identification for credit card purchases.

    Complaining is simple. Call your credit card issuer (your bank) and tell them. They will in turn pass the complaint along to the acquiring bank (the store's bank). That might sound like a meaningless paper trail exercise, but it isn't. Violation of Visa terms can actually get a merchant knocked off the credit card network, which is nearly the death penalty in today's retail world. Visa officials wouldn't discuss this, because the company is in a quiet period prior to its upcoming initial public offering of stock. But from prior interviews about another common violation of Visa rules -- requiring a minimum purchase amount for using a credit card -- I know it doesn't take many complaints for Visa to get on a retailer's back.

    Of course, few store owners know about the alternative identification rule, and clerks probably won't believe you when you tell them. But even if you can't talk a clerk out of a demand to see and copy your license, your complaint can still call in heavy hitters after the fact. So you might get some satisfaction from saying simply, "Asking me for this information is in violation of your merchant agreement. Keep doing it and you might not be able to accept credit cards."

    There are some exceptions to this rule you should know about. The key one -- if you hand a clerk a credit card that's not signed, the clerk is obliged to ask for an alternate ID.

    2. ASK IF THEY TAKE OUT THE TRASH
    The problem is much broader than phone number or license number requests by retail clerks. Unfortunately, there aren't many rules governing other data bickering situations.

    Betsy Broder, assistant director of the privacy and identity theft division at the Federal Trade Commission, says consumers who refuse to give up personal information don't really have any special legal protections. There is no overriding privacy law that limits the information businesses can collect.

    There are a couple of narrow laws that give consumers limited protection. The Gramm-Leach-Bliley Act governs certain kinds of financial information, and essentially makes it illegal for banks to share your account information with other entities. The Health Insurance Portability and Accountability Act (HIPAA) offers similar protections about sharing of health information. But that doesn't stop medical offices from asking for your Social Security number within earshot of other patients, or from using it cavalierly as an identifier on basic forms.

    When a nurse asks for your SSN, it's hard to say "no." Here's how one federal worker I spoke with addressed that situation recently: she refused to give her SSN to a nurse, who subsequently insisted the staffer couldn't get treatment without placing a number on the form. Eventually, the staffer took that request literally and filled in a random 9-digit number and informed the nurse that she had used dummy data on the form. She got her treatment. (She also refused to let me use her name, for obvious reasons).

    Without taking such extreme measures -- note, the staffer doesn't endorse supplying fake SSNs -- there are FTC directives that you can invoke. Any entity that collects information like Social Security numbers (including you, if you hire a nanny or some such) must properly dispose of that information. Failure to do so could result in an FTC lawsuit. In other words, if a store writes your driver's license number on a piece of paper and leaves it on a counter, it could be in violation of the FTC data disposal rule. Broder said the agency has yet to file a case of that nature, but you might get the attention of a clerk simply by asking, "Is your company in compliance with the FTC data disposal rule?"

    As a follow-up, you might ask how long the company plans to keep the information on file. For fun, tell the clerk that TJ Maxx ended up losing driver's license numbers it had collected five years earlier, and it recently ended up paying nearly $100 million to settle lawsuits surrounding the incident. That was an expensive mistake.

    3. TELL THEM THEY ARE BREAKING THE LAW
    As a last resort, you might also announce to the clerk that he or she may very well be breaking state law by asking for personal information in credit card transactions.

    Chris Hoofnagle, a privacy law expert at the University of California, Berkeley, points out that California law expressly prohibits companies from requiring additional information when accepting credit cards. Stores can't make note of your phone number or address. They can't even hint to consumers that such information is required. Here's the relevant section of law:

    Companies cannot "require as a condition to accepting the credit card as payment ... the cardholder to write any personal identification information upon the credit card transaction form or otherwise," the law says. And companies cannot "utilize, in any credit card transaction, a credit card form which contains preprinted spaces specifically designated for filling in any personal identification information."

    Note: A retail company can ask to see a photo ID card, but it cannot write down or store this information.

    The California law has teeth. Consumers can sue companies that require additional information with credit card transactions and win big money. Civil penalties of $250 for the first violation and $1,000 for subsequent violations are awarded to consumers when companies break this law.

    So here's a pretty effective thing to tell a clerk who's about to violate your privacy:

    "If you write down that number, you might as well reach into your cash register and give me $250, because it's going to cost you."

    If you don't live in California, check with your state's consumer protection statutes before invoking this language. If you don't know where to begin, call your state attorney general's consumer protection office.

    Unfortunately, there are few other laws to protect consumer privacy. Ditto on rules to discourage over-collection of information, or to provide "expiration dates" on data that is collected and stored far beyond its usefulness to the company.

    "That's why companies are not really thinking about what they are gathering, or how long they are keeping it," said Rob Douglas, a privacy expert who operates IDAlert.info. "And we've become such sheep giving it away. It's a rarity that consumers object to data collection."

    Share your data self-defense stories
    It doesn't have to be that way. When asked for data, just say "no" – at least initially. If you're told you will have to leave the store or medical office, then you'll have to make a choice, and often you will decide to surrender the information. But before you do, put up a bit of a fight. The more you complain, the more uncomfortable you make a clerk or a company, the more you'll make the folks at headquarters reconsider their need to know everything about you.

    Have you made a scene when asked to divulge personal information? What has worked for you? Share your stories of privacy self-defense with other Red Tape Chronicles readers.

  • 'Father of ID theft' turns over a new leaf

    James Jackson, with wife Sharon and daughter Taylor.

    Five years ago, James Jackson stood before a federal judge and confessed to some of the most audacious crimes of identity theft ever committed. He stole nearly $1 million in diamonds and Rolex watches by pretending to be recently deceased corporate executives.

    It was just the latest in a long string of identity crimes dating back 25 years, long before the term "identity theft" had even been invented. By then, Jackson was already an ID thief to the stars, having impersonated a long list of corporate executives and Hollywood personalities. He eventually was given the nickname "father of identity theft" by some media outlets.

    Back in 2002, Jackson had been in and out of jail for 15 years, managing to get by with relatively short stints each time. But this time, U.S. District Judge Deborah Batts had little patience with Jackson's explanations. In the courtroom was a diagram of the complex schemes he had operated and the 29 felonies to which he was about to plead guilty. "The defendant's crimes are everyone's worst nightmare," Batts wrote at the time. Urged by the U.S. attorney's office to give Jackson the maximum penalty, Batts sentenced him to eight years in prison – setting the beginning of the term in 2000, when he was first arrested.

    This month, Jackson was released to a halfway house, his sentence reduced by a few months for good behavior. He's now an employee of First Choice Staffing Services in Memphis, Tenn. In March, he will be a free man.

    "It's going to be different this time, I won't go back," Jackson said during a telephone interview from his new office.


    A low-paying desk job is certainly a new life for Jackson, who spent the better part of two decades quite literally living the lifestyle of the rich and famous. He owned fleets of sports cars, bought his wife mink coats, and had homes in several states. He funded the extravagance by pretending to be CBS' Larry Tisch, or General Motors CEO Robert Stempel, or Edward Brennan, CEO of Sears, or some other well-heeled executive. He even impersonated women.

    In about 150 letters sent to me from a federal corrections facility in Forrest City, Ark., during the past three years, Jackson offered intimate details of his decades-long march through the identities of rich and famous Americans. He decided to share his exploits, he said, in order to help draw attention to the problem of identity theft, and to help companies learn how to prevent the crime. The letters are the basis of "Your Evil Twin: Behind the Identity Theft Epidemic," published in 2005. The first chapter of the book is available free on MSNBC.com.

    In his letters, Jackson said he managed to fly around the country at little cost, using a technique not unlike that of famed imposter Frank Abagnale, subject of the movie "Catch Me if You Can." Jackson adopted the identity of a Federal Express employee and took advantage of deeply discounted plane tickets for cheap travel. He also says he monitored the purchases of luminaries like Steven Spielberg by checking their credit card statements on a regular basis.

    More fraud from the inside
    Jackson even continued his identity crimes from behind bars. Jackson smuggled a cell phone into prison and used it to commit credit card fraud while working landscaping detail. He charged the phone while sitting in the prison's landscaping truck. He hid it in the truck's air vents when he wasn't using it.

    Now, Jackson is making cold calls, trying to convince local businesses to hire temp workers from First Choice. And, he says, he loves it.

    "It feels great. It feels refreshing to be able to get a little fresh air," Jackson said. Last weekend, he was granted his first pass, so he could spend 12 hours with his wife -- the first time they'd been truly alone in years. "To be able to do something as simple as go to McDonald's and sip on a shake, it feels super."

    Jackson's first frauds date back to the 1980s, when he began staging fake car accidents and collecting insurance payouts. But he quickly graduated to credit card fraud. An early stint in prison helped.

    "I had a Nigerian professor," he says, "who taught me everything."

    By all accounts, Jackson is a master manipulator. Before his last sentencing, Jackson's defense attorney Robert Dunn decided he might have luck getting leniency by convincing a judge that Jackson had a mental problem. So Dunn sent Jackson to see one of New York City's best psychologists for a defense-friendly diagnosis. Jackson fooled the counselor, who diagnosed him with a gambling problem. Batts, who was privy to the long list of prior convictions that showed no evidence of gambling activity, saw right through the diagnosis.

    "James outconned his Goddamn self," Dunn said during a 2005 interview.

    A real charmer
    Prison did nothing to change Jackson's charming demeanor. His conversation is punctuated with the eager politeness of a southerner; he insists on using proper titles like "Mr." and "Mrs." long after it seems necessary. He laughs loudly and easily, and says he wants to devote the rest of his life's work to warning people about the dangers of identity crimes and what he calls "fundamental flaws in the system." He plans to turn his gift of gab into a productive career in public relations -- or like Abagnale -- as a consultant and guest speaker on identity theft issues.

    When not waxing about identity theft, he talks of caring for his wife, Sharon, and 7-year-old daughter Taylor.

    "My daughter is on the honor roll," he said.

    Genteel hasn't always been Jackson's style. Ten years ago, while awaiting trial in Arkansas on another crime, he sent a box of spiders to federal Judge Julia Smith Gibbons' home to demonstrate that conditions in the jail were sub-par. He'd collected the critters in his cramped jail quarters. Her home address, of course, was supposed to be a secret. So was the home of the FBI agent who helped arrest him. But, while in jail, Jackson hunted his home address down and called in a fake domestic disturbance as a prank, according to court documents.

    Jackson is probably the first high-profile ID thief to be sentenced to serious jail time, and so, he is among the first to be released. There is no data on recidivism among identity thieves, but the temptation to return to the digital-age crime will be enormous. And the last time James got out, within weeks, he was back at it again, calling funeral homes to get Social Security numbers, ordering diamonds with money stolen from a dead man's bank account.

    But this time, James said, things are different.

    "I am all about helping people now and doing what I can do to forestall this crime," he said.

    His boss, Dean Langston, is also optimistic. She's worked with hundreds of former convicts during the past 25 years in the temporary staffing business. She hand-picks halfway house residents that get to work on her staff, and says, as far as she knows, she's never had one return to a life of crime.

    "(Jackson) is a good talker. So I said, 'Let's use that talent,'" said Langston, general manager at First Choice. Instead of allowing him to work at outside companies, she has Jackson working directly for her, making sales calls and setting up appointments with prospective new clients. "I want him to stay focused and stay on the right track. I want him to know that there is a legitimate way to make a living." Jackson is not allowed near any personal files at the firm, she said, and his use of technology -- such as cell phones and computers -- is severely limited.

    "He sits at a phone and makes calls and talks to people," she said. "He's got a talent for that."

    A good use of skills
    Telemarketing requires incredible patience, and the ability to endure rejection -- skills every identity thief must also possess. When Jackson impersonated Gordon Teter, the recently deceased CEO of Wendy's, in 2000, he tried to get more than $100,000 wired from Teter's account at Fifth Third Bank in Ohio to diamond dealer Mondera.com, in order to buy expensive jewelry. At first, the bank operator said no. So Jackson simply hung up, called back and got a new operator. He also lowered the request a few dollars, and added new urgency -- this time, he said it was for a time-sensitive stock purchase. The operator quickly coughed up the funds.

    Jackson will need much more patience than that to make it in the real world, says Rob Douglas, an identity theft expert and former defense attorney who has studied recidivism among fraudsters.

    "I hope the guy has learned his lesson. He did serve significant time," Douglas, who runs IDAlert.info, said. But other con artists he's worked with rarely stay out of trouble when they are released.

    "When it comes to identity theft and (imposters), they seem to have this love of the game. It's a challenge to them," he said.

    It's hard for any former criminal to get a legitimate job, Douglas said, but even harder for con artists. No company wants to trust a former identity thief in an office setting.

    "It's difficult for them to get a job that's going to pay what they were able to make committing 'victimless' crimes," he said. "The time could come quickly when James is faced with a choice: Do I continue to try to live an honest life and scrape by or can I beat the system this one last time. More often than not, criminals decide, 'I can get away with it this one last time.' And of course, it's never the last time."

  • Virus experts warn of 'Google poisoning'

    You might want to take an extra half-second the next time you click on search engine results to make sure you know where you're going. Computer criminals have refined a sinister technique for tricking Web surfers into clicking on infected Web pages, turning search engines like Google into unwitting partners.

    It's known as "Google poisoning," because Google is the biggest target, but it can impact any search engine. Criminals construct booby-trapped Web pages, then dupe search engines into giving them high rankings.

    Last week, security research firm Sunbelt Software found that a simple search for something like "funny dog picture" on Google directed searchers to Web sites hosted on Chinese domains. Those who clicked on the links were pushed to install a malicious program named "Spy-shredder."


    Last week alone, criminals posted 40,000 to 50,000 of these malicious pages in a single, coordinated attack, said Alex Eckelberry, CEO of Sunbelt.

    "What has surprised security researchers was the scale of this," Eckelberry said. "This was a very big attack, a very fast bolt from the blue."

    Those who fell for the trick suffered "a bad infection," he added. "There was a lot of nasty software out there."

    Google removed the links from its database immediately when notified, Eckelberry said. But the criminals were back the next day with more virus-laden Web sites on different domain names.

    A Google spokeswoman who declined to be identified said the company is aware of the problem and working to keep its results clean.

    "Google works hard to preserve the quality of our index," the company said in a statement. "We actively identify sites that serve malware or abuse our quality guidelines in other ways."

    Not new, just more sophisticated
    Publishing booby-trapped Web sites or "gaming" Google's search algorithms aren't new practices. Readers of this column might remember a recent entry concerning Search Engine Optimization. Called "SEO" by practitioners, search engine optimization runs the spectrum from legitimate linking to affiliated Web sites to the creation of hundreds of fake sites designed to artificially inflate Google rankings, which essentially judge how many links a Web page attracts.

    (Screenshot caption: URLs that end in .CN could arouse suspicion.)
    But criminals are now combining SEO tactics and booby-trapped Web pages, and doing it systematically. By posting tens of thousands of Web sites simultaneously, criminals can take over all the top spots on a search results page, casting a wide net that's more likely to catch Web users.

    Eckelberry described these criminals as "SEO Gods," saying they can "take any site and get it on the first page of Google results."

    'Comment spam' also a problem
    In addition to cross-linking all these fake Web sites, criminals are also engaging in "comment spam" to enhance their search engine rankings, said Zulfikar Ramzan, a researcher with antivirus firm Symantec Corp. Popular blogs -- including the Red Tape Chronicles -- are regularly bombarded with computer-generated, meaningless comments that include a link to another site. By getting a link on a popular Web site, the spammer's Google ranking improves. We try to keep comment spam off MSNBC.com, but it often slips onto blogs all around the Web.

    No one knows how successful the tactic is, though Eckelberry points out the criminals wouldn't keep doing it if it didn't work. Even so, an attack of 40,000-50,000 fake Web sites represents an infinitesimal portion of the sites in Google's index, making the odds of any individual consumer encountering a poisoned Google link quite small.

    "I don't want people to get scared of Google," he said. "Google is impressive with how quickly they remove bad sites."

    RED TAPE WRESTLING TIPS
    It's wise to look both ways even when crossing a quiet street, and it's wise to take an extra glance before clicking on a search engine link. Google makes this easy by listing the URL under each search result. In the most recent attack, potential victims might have noticed the .cn suffix on the end of each domain name, a signal that the Web site might be in China and might include unexpected content.

    That's not a foolproof strategy, however. Computer crooks sometimes deploy a technique called "Google cloaking," which tricks the search engine into displaying the wrong URL on search results pages, Eckelberry said.

    Old advice also works well here: Keep up with security patches. This latest set of attacks relied on vulnerabilities that allow a Web site to install software onto a visiting computer without a user's knowledge. Fully patched systems merely received a pop-up window inviting users to download video software -- a much easier attack to avoid. Again, this is not a foolproof protection, but keeping your security current severely decreases your odds of being infected by Google poisoning.

    Finally, Eckelberry recommends that Windows users set up separate user accounts for their children. That will limit the damage that a child can do by searching the Web with your computer.