The New York Times reports that phishing – last year’s next big thing in computer crime – may have nearly run it’s course in the face of this year’s cybercrime of choice: keylogging.

The Times’ Tom Zeller says keylogging programs "silently copy the keystrokes of computer users and send that information to the crooks. These programs are often hidden inside other software and then infect the machine, putting them in the category of malicious programs known as Trojan horses." Keylogging depends on "infection" instead of "deception" – the key component of phishing is tricking computer users into giving private information like account numbers and passwords to fake websites.

Mr. Zeller quotes Christine Heopers, general manager of Brazil’s Computer Emergency Response Team: "These Trojans are very selective. They monitor the Web access the victims make, and start recording information only when the user enters the sites of interest to the fraudster…In Brazil, we are rarely seeing traditional phishing."

Antivirus leader Symantec says half of the malware it monitors is designed to gather personal information, not destroy data. iDefense reported over 6,000 keylogger variations in 2005 – up 65 percent from 2004.

Last Fall the FDIC imposed more stringent identification requirements for online banking – which explains why we were required to change our passwords in October, 2005. Some say this is not enough to defeat keyloggers and call for alphanumeric generators that produce new password every 60 seconds. Others, like Eugene Kaspersky, co-founder of a computer security and antivirus company in Moscow, believe it’s time to increase law enforcement. "There are more criminals on the Internet street than policemen." Mr. Kaspersky told the Times.

Still others claim the threat is overstated: "I get concerned that we’re scaring people off the Internet," Sun-Belt Software’s Alex Eckelberry told the Times; "There’s a lot of hyperbole out there."

That may be a tough sell for Miami business owner Joe Lopez, who was hit for $90,000 by keyloggers who diverted cash to Latvia from his Bank of America account. According to the Times, Bank of America declined to cover the loss, because Mr. Lopez holds a business account rather than a personal account (under which his liability would be limited) and claiming it was his fault anyway. Imagine the public relations nightmare of Lopez v. BofA.

Sad to say, the best preventive measures at this point involve up-to-date antivirus applications and software patches (if you’re a Windows user). That, and casting a suspicious eye on unfamiliar web links and unverified downloads. Sigh. What a world.