It’s Christmas, the time of year security vendors indulge tradition by wishing us a merry one, before frightening the stuffing out of us with their predictions for the coming year.

Here’s a cull of recent predictions:

MessageLabs reckons the top worries will include highlights such as more VoIP phishing; “disaster squatting” (nice turn of phrase there), whereby people will set up bogus websites tied to natural disasters; a lot more ransomware where people’s PC data is encrypted in return for a fee; Trojan supermarkets where criminals without programming skills will buy off-the-shelf malware; image spam will come to email; more SPIM hitting IM channels.

Over at McAfee, they’re fussing about a slightly more conventional set of problems: the rise of adware-driven PUPs; more 32-bit rootkits; malware writers will target MPEGs as a distribution medium which will, one assumes, mean that social networking and video websites are in for a bad time; bots will continue to pump out spam; mobile phone attacks will start to get serious. To quote the most interesting passage at length:

“The increasing use of video formats on social networking sites such as MySpace, YouTube and VideoCodeZone will attract malware writers seeking to easily permeate a wide network. Unlike situations involving email attachments, most users will open media files without hesitation. Furthermore, as video is an easy-to-use format, functionality such as padding, pop-up ads and URL redirects become ideal tools of destruction for malware writers.”

PandaLabs has no predictions but is obsessed with the various forms of the Christmassy Spamta worm that has been kicking around for a few months now. “This type of activity often peaks over the Christmas period, and with users making more purchases online, the security of their systems could be compromised if they do not have adequate protection installed.”

ISS (now IBM) says remarkably little about the coming year, other than to predict the beginning of the end of multi-factor authentication:

"Enterprises will start to see that multi-factor authentication is cumbersome and ineffective against threats that are present before and during secure transactions to online banking, and will take an active role in securing employee Web transactions."

So it's become obsolete before it has even caught on. How depressing is that?

And then there are a host of companies predicting (on the back of a US CERT advisory) that terrorists will attempt to ruin online stock trading with online manipulation, though why they would choose Christmas to do this isn’t explained. They should leave that attack to the accountants.

The doom-mongers have a point though. Counter-intuitively, Christmas is actually a great time of year to launch a sustained malware attack. Workers might take time off but that doesn’t mean criminals need a holiday.