Phishing attacks evolved from simple email attacks quite a long time ago. These days, we still see many attacks with obfuscated links and spoofed Web sites, but the emerging threat is in phishing malware. Even in the malware domain we have seen further developments, from basic key logging to session modification Trojans. The attacks are becoming more sophisticated in order to circumvent the current prevention methods.
Take, for example, the Trojan.Satiloler family. This threat monitors traffic that is sent and received by a Web browser. It can inject script code into received Web pages before they are passed to the user’s browser. If the Trojan finds a predefined online banking Web site, it replaces all of the Web form submit functions with its own functions. This enables the Trojan to control the information flow on that particular site without the user noticing. If a user attempts to make a transaction in an infected browser, he or she will enter a transaction authentication number (TAN), and the Trojan will intercept this code and display a fake error message. The Trojan does not need to know the logon password or any secret challenge handshake, as the Trojan operates from within a session that is already authenticated. It can then submit its own transaction using the unused TAN. The Trojan can also block any further access to the system until a remote attacker has committed a fraudulent transaction.
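The reuse of an intercepted TAN described above, seen from the bank's side, as an added example that is not part of the original article: a list-based TAN authorises whatever transaction arrives with it, while a TAN computed over the payee and amount fails when those details are altered. The transaction-bound scheme, the separate signing device, and all names and values here (`ListTanBank`, `BoundTanBank`, `bound_tan`, `DEVICE_KEY`, the nonce format) are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample secret, assumed to be shared between the bank and a
# separate signing device held by the customer (not the infected PC).
DEVICE_KEY = b"constructed-demo-key"

class ListTanBank:
    """TAN from a pre-issued list: valid for ANY transaction until used."""
    def __init__(self, tans):
        self.unused = set(tans)

    def authorise(self, payee, amount, tan):
        ok = tan in self.unused      # payee and amount are never checked
        self.unused.discard(tan)
        return ok

def bound_tan(key, payee, amount, nonce):
    """6-digit TAN the device computes over the transaction it displays."""
    msg = f"{payee}|{amount}|{nonce}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

class BoundTanBank:
    """TAN is recomputed from the transaction actually submitted."""
    def __init__(self, key):
        self.key = key
        self.seen_nonces = set()

    def authorise(self, payee, amount, nonce, tan):
        expected = bound_tan(self.key, payee, amount, nonce)
        if nonce in self.seen_nonces or not hmac.compare_digest(expected, tan):
            return False             # replayed challenge or altered details
        self.seen_nonces.add(nonce)
        return True

def demo():
    # Constructed scenario: the customer intends to pay "landlord" 500, but
    # the request reaching the bank has been changed to pay "mule" 9000.
    list_bank = ListTanBank({"483920"})
    list_result = list_bank.authorise("mule", 9000, "483920")

    bound_bank = BoundTanBank(DEVICE_KEY)
    tan = bound_tan(DEVICE_KEY, "landlord", 500, "n-001")  # signed on device
    altered = bound_bank.authorise("mule", 9000, "n-001", tan)
    genuine = bound_bank.authorise("landlord", 500, "n-001", tan)
    return list_result, altered, genuine   # (True, False, True)
```

Binding only helps if the customer confirms payee and amount on a device outside the infected browser, because the Trojan controls what the browser displays.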