The BANCOS Phishing Spyware

We have seen this before, with a spoofed Yahoo sign-in page. Now let's tackle a more insidious phishing attempt: stealing bank account information.

One spyware family is notorious for stealing bank account information: the aptly named BANCOS/BANKER family. It has been around for a long time and has victimized many unsuspecting users over the years. Although most variants target only Brazilian banks, there is no telling when they will hit other banks.

The BANCOS family uses several methods to steal credentials. The most common are:

  • Keylogging: when the user visits any of the target sites, the spyware logs the keystrokes
  • Spoofed login page: when the user visits any of the target sites, the spyware displays a login page that is eerily similar to the real login page of that site

So the routine is simple: (1) monitor the user's Web activity and the sites visited; (2) when a target site is visited, execute the stealing method; (3) send the stolen data to a remote user.

The spyware usually monitors visited sites either by checking the browser's title bar for certain strings or by watching Internet Explorer's access to several sites. Once a match is found, it executes the stealing routine. Afterwards it sends the stolen data in one of several ways; the most common is email, sent through the spyware's built-in SMTP engine.
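The built-in SMTP engine is the part of this routine a defender can most easily spot: a process that is not a mail client opening outbound connections on SMTP ports. The following is an added example, not code from the original post or from any vendor description. It scans constructed host-firewall-style log lines (timestamp, action, protocol, source, destination, ports, process name; the format, IPs and process names are invented for illustration) and reports SMTP-port connections made by processes outside a hypothetical allow-list of known mail clients.

```python
from collections import Counter

# Constructed sample log, loosely modelled on a host firewall log with a
# process column. Fields: date time action proto src dst sport dport process.
# All addresses and process names here are made up for the example.
SAMPLE_LOG = """\
2006-03-01 09:12:01 ALLOW TCP 192.168.1.20 192.168.1.5 51001 25 outlook.exe
2006-03-01 09:13:44 ALLOW TCP 192.168.1.20 10.0.0.8 51002 80 iexplore.exe
2006-03-01 09:14:02 ALLOW TCP 192.168.1.20 203.0.113.9 51003 25 winlogin32.exe
2006-03-01 09:14:05 ALLOW TCP 192.168.1.20 203.0.113.9 51004 25 winlogin32.exe
2006-03-01 09:14:09 ALLOW TCP 192.168.1.20 203.0.113.9 51005 587 winlogin32.exe
2006-03-01 09:15:30 ALLOW TCP 192.168.1.20 198.51.100.2 51006 443 iexplore.exe
2006-03-01 09:16:10 ALLOW UDP 192.168.1.20 192.168.1.1 51007 53 svchost.exe
"""

# Hypothetical allow-list: processes that are expected to speak SMTP on this host.
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Ports used for SMTP submission and delivery.
SMTP_PORTS = {25, 465, 587}


def parse_line(line):
    """Split one log line into a dict; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 9:
        return None
    date, time, action, proto, src, dst, sport, dport, proc = parts
    if not (sport.isdigit() and dport.isdigit()):
        return None
    return {
        "ts": f"{date} {time}",
        "action": action,
        "proto": proto,
        "src": src,
        "dst": dst,
        "sport": int(sport),
        "dport": int(dport),
        "proc": proc,
    }


def find_rogue_smtp(log_text, allowed=KNOWN_MAIL_CLIENTS):
    """Count SMTP-port TCP connections per (process, destination) for processes
    that are not on the mail-client allow-list."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if rec["dport"] in SMTP_PORTS and rec["proc"].lower() not in allowed:
            hits[(rec["proc"], rec["dst"])] += 1
    return hits


def summarize(hits):
    """Render the findings as one line per (process, destination) pair."""
    return [f"{proc} -> {dst} on SMTP port x{n}"
            for (proc, dst), n in sorted(hits.items())]


if __name__ == "__main__":
    for finding in summarize(find_rogue_smtp(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample, the mail client's own SMTP session is ignored and the three connections from the unknown process to one external host are grouped into a single finding. In practice the allow-list would come from the organisation's approved software, and the same check can be applied to proxy or egress firewall logs where a process column is available.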

As stated earlier, BANCOS/BANKER targets Brazilian banks. For now.

Symantec’s generic description for BANCOS is here. A typical Trend Micro description (with pictures to boot) is here.