Trusteer, a provider of secure browsing services, has said that the Zeus (Zbot) financial malware is targeting online banking customers of 15 US financial institutions using a Visa and MasterCard hoax.

According to Trusteer, after users have initiated a secure online banking session, the Zeus Trojan injects into the browser a facsimile of the familiar Verified by Visa and MasterCard SecureCode enrollment screen. It then prompts users to enter their social security number, credit or debit card number, expiration date, and PIN or CSV code.
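The attack described above works because the injected enrollment form appears inside an otherwise genuine banking page, so one defensive check is to compare the input fields actually present on a login page against the set the page is known to serve. The following JavaScript is an added example written for this article, not code from Trusteer or from any Zeus sample: it assumes a bank login page that only ever carries `username` and `password` fields (a hypothetical allowlist), parses the page's `<input>` tags, and flags any extra visible field, marking those whose names suggest card or identity data. Both HTML samples are constructed for the example, not captures from an infected machine.

```javascript
// Added example (not Trusteer's code): flag form fields that were not part of a
// known login page, the kind of HTML injection the article describes.

// Assumption: the genuine login form only ever asks for these two fields.
const EXPECTED_LOGIN_FIELDS = new Set(['username', 'password']);

// Names typical of card-enrollment or identity prompts, which a login page
// has no reason to request.
const SENSITIVE_FIELD_PATTERN = /(ssn|social|card|pan|expir|pin|cvv|cvc|csv|security.?code)/i;

// Minimal <input> tag scanner so the check runs outside a browser (Node).
function extractInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const name = (attrs.match(/\bname\s*=\s*["']?([^"'\s>]+)/i) || [])[1] || '';
    const type = (attrs.match(/\btype\s*=\s*["']?([^"'\s>]+)/i) || [])[1] || 'text';
    inputs.push({ name, type: type.toLowerCase() });
  }
  return inputs;
}

// Return every user-visible field that is not on the allowlist, with a flag
// saying whether its name looks like a request for card or identity data.
function findInjectedFields(html, expected = EXPECTED_LOGIN_FIELDS) {
  return extractInputs(html)
    .filter(f => f.type !== 'hidden' && f.type !== 'submit')
    .filter(f => !expected.has(f.name.toLowerCase()))
    .map(f => ({ name: f.name, sensitive: SENSITIVE_FIELD_PATTERN.test(f.name) }));
}

// Constructed sample: the bank's genuine login form.
const CLEAN_LOGIN = `<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="x">
  <input type="submit" value="Log in">
</form>`;

// Constructed sample: the same form with a fake "enrollment" block injected
// into it, modelled on the prompt the article describes.
const INJECTED_LOGIN = `<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <div class="vbv-enroll">
    <input type="text" name="ssn">
    <input type="text" name="card_number">
    <input type="text" name="expiry">
    <input type="password" name="atm_pin">
  </div>
  <input type="submit" value="Log in">
</form>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findInjectedFields(CLEAN_LOGIN));    // []
  console.log(findInjectedFields(INJECTED_LOGIN)); // four flagged fields
}
```

The allowlist is deliberately strict: any unexpected visible field is reported, and the name pattern only adds a severity hint, so a renamed injected field still shows up as unexpected even if the pattern misses it. In a real deployment the expected field set would come from the bank's own page template rather than a hard-coded constant.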

The information gathered by Zeus is used by fraudsters to commit ‘card not present’ transactions with retailers that employ Verified by Visa and SecureCode protection. This stolen data allows criminals to impersonate their victims and register with these programs to ensure fraudulent transactions elude fraud detection systems.

Trusteer used its Flashlight remote fraud investigation and mitigation service to discover this new in-session phishing attack, and collect Zeus configurations and code samples from infected computers.

This version of Zeus attempts to trick online banking customers into surrendering their personal and credit/debit card data by claiming new FDIC rules require that they enroll in the Verified by Visa / MasterCard SecureCode program to protect their accounts, claims Trusteer.

Amit Klein, CTO of Trusteer and head of the company’s research organization, said: “While some users may become suspicious when prompted to enter their credit/debit card information as part of the online banking login process, this attack uses the familiar Visa and MasterCard online fraud prevention programs to make the request appear legitimate.

“Fortunately, online banking customers protected by Trusteer Rapport are not vulnerable to this attack since it blocks HTML injection and prevents Zeus from presenting the fraudulent enrollment request.”