Malware makers are increasingly tailoring their attacks to specific classes of victim, according to researchers with the Internet Security Systems' X-Force team at IBM.
X-Force experts said that malware writers, phishers, and botnet herders are more frequently using so-called personalisation tools to make their attacks more effective.
Much like the online marketing companies that gather information to target advertising at individual web users, criminals are scanning readily-available details about people's computers to more easily find victims.
The approach uses any information that helps determine the right attack, based on factors like the particular browser or operating system that an individual is using.
By combining the more intelligent attack tactic with hard-to-detect Trojan, botnet, and cross-site scripting attacks, cutting-edge criminals are finding plenty of ways to take advantage of end users, said Gunter Ollman, director of security strategy for IBM ISS.
"With every web page request, people send out a header that describes their browser and also tells you what language the request is being made in and sometimes even the cache level of the host it is running on; there's a lot of information in there, including the IP address of the person making the request," Ollman said.
According to X-Force's 2006 annual report on security trends, 30 percent of malicious web sites were already using personalisation techniques by the end of last year. The company said it is expecting that number to grow rapidly in 2007.
"By combining the IP address and all the host details in the browser, we're seeing that attackers build sites that ensure they only use exploits that will work against a specific host," the expert said.
In addition to determining which version of browser or OS software someone is using, many of the attacks can assess what level of security patch a particular program has in place, according to the researcher.
Criminals are also loading malware-infected web pages with numerous exploits to assault many different sets of users, with dozens of pieces of code being served up on a single URL.
Many of the threats are hidden in individual elements of web pages, including Flash files, PDFs and images. Each may contain multiple attacks meant to take advantage of different vulnerabilities.
Ollman said that ISS has also that these attacks are also collecting IP address information from end users to ensure that they don't repeatedly send the same threats to their computers. The smartest groups are also trading information about IP addresses known to be used by security researchers to keep their latest work from being discovered.
"If you browse that type of malware site, it will serve exploit code, but only try it once; they know that people might start to get suspicious if the same part of a site crashes twice or acts abnormally," said Ollman. "These attackers don't want people to get copies of their new code or to know what sites they have hosting the content; they know that sites get closed down or added to black lists very quickly these days if they're not careful."
Ollman said that most of the exploits do not deliver spyware, but instead pass along smaller files known as droppers that are less likely to be identified by anti-virus systems that sit quietly but then call out across the internet and draw-in real malware programs.
Many of the eventual spyware programs that are downloaded are even stealthy, the researcher said. The attacks frequently wait until a user opens a specific site or application before springing to life and beginning to intercept users' details, according to ISS's research.