Security holes in media player and compression software had not previously been used in cyberattacks, according to Symantec.
The attacks involve malicious Web sites rigged with multiple exploits, Symantec said in a security alert. The sites appear to be that of a trusted financial institution, but instead attempt to silently install keystroke-logging software, according to Symantec. Links to the sites are likely advertised in spam, it said.
Symantec discovered the attacks when one of the PCs that it uses as bait was breached earlier this week.
"This compromise was especially interesting, because the site made use of a QuickTime vulnerability discovered in January 2007 and a WinZip vulnerability discovered in November 2006," Symantec said. "Before our analysis, it was not known that these issues were being exploited in the wild."
QuickTime is Apple's widely used media player software, WinZip is a popular tool for compressing and decompressing files.
In addition to the QuickTime and WinZip flaws, the miscreants tried to breach the Symantec system via a pair of holes in Microsoft software, Symantec said. Fixes for all the vulnerabilities are available. Symantec's compromised machine was not patched, running Windows XP with Service Pack 1.
Online criminals typically use a variety of vulnerabilities in an attempt to break into a computer. There are even toolkits available to help attackers create malicious Web sites with a few mouse clicks.
"This discovery highlights both the importance of having a prompt patching schedule and the fact that attackers are keeping up with the times and constantly updating their attack strategies to help ensure ongoing success," Symantec said.