Phishing trojans are typically auto-downloaded from a bogus web page, and secretly log keystrokes as the victim visits an online banking site. Barclays uses a two-step login that includes a secret word as well as the usual username and password. After the initial login screen, a second page presents a pair of drop-down boxes in which bank customers must select letters from their secret word. Because the secret word is never typed on the keyboard, keystroke-logging trojans are unable to capture all the information needed to access the Barclays account.
The "Purchase confirmation" trojan, documented at Codefish Spamwatch, has evolved its multi-faceted attack to address this obstacle.
When a victim logs into the Barclays site, the malware begins logging keystrokes, but also creates "screen shots" - images of the page displayed on the monitor - that show the drop-down menus with the selected letters. The images are saved as bitmap (.bmp) files and then e-mailed to the scammers along with the keylogger data. An indicator of the new trojan's sophistication is that it appears to adjust its screen shots for different screen width settings, so the captured region still covers the drop-down boxes.
"Each time we tested this it worked perfectly. The trojan would always grab the exact spot it needed," Codefish Spamwatch noted in its commentary. "This is a huge step in the phisher trojan evolution. Until now most people assumed visual selection systems like the one Barclays had put in place were safe from keyloggers. This is no longer the case. This well-designed trojan should make anyone who has complete faith in visual selection systems a little bit worried."