The Zeus/Zbot banking Trojan is reported to be attacking the Verified by Visa and MasterCard SecureCode verification systems introduced in recent years to stop old-style card not present (CNP) fraud.

Security company Trusteer, which has carved out a speciality in reporting on Zeus/Zbot bank Trojan activity, does not say where and how it encountered the latest attack, but reports that the it is aimed at customers of 15 unnamed US banks.

Exploiting a man-in-the-middle browser attack when it encounters a desired bank login on an infected PC, the malware intercepts and spoofs the enrollment process through which credit card users are signed up for the first time by both major issuers, Mastercard and Visa, throwing users a convincing screen.

This captures a range of sensitive information that could be used to carry out CNP fraud, including social security and card numbers, and PIN or card verification codes. This data is sent in real time to a server run by the attackers.

An image of the bogus screen can be seen here.

Normally, once this enrollment has been set up, only a password is asked for by the system when purchasing items online, which is why the attackers have gone after new users joining the system. An established user would not, presumably, be vulnerable unless they entered the password they created when they signed up originally.

“While  some users may become suspicious when prompted to enter their credit/debit card information as part of the online banking login process, this attack uses the familiar Visa and MasterCard online fraud prevention programs to make the request appear legitimate,” said Trusteer CTO, Amit Klein.

“Fortunately, online banking customers protected by Trusteer Rapport are not vulnerable to this attack since it blocks HTML injection and prevents Zeus from presenting the fraudulent enrollment request.”

Although the latest attack is probably recent, the technique of spoofing verification screens has been reported on and off since 2009.

A major concern for users hit by any fraud resulting from this hack is how to explain how an attacker got hold of the verification data. Quite possibly, some banks could refuse compensation on this basis without supporting evidence.