Criminals using a dangerous variant of the Zeus bank Trojan have started hacking BT, Talk Talk and Sky phone accounts as a way of redirecting phone calls from bank fraud services away from victims.
As with other financial malware, the Ice IX Trojan is designed to steal bank logins, emptying accounts of much money as it can without setting off the bank's fraud protection systems that normally pick up on odd or unusually large transactions.
Security company Trusteer has discovered that criminals controlling Ice IX are now throwing up a browser screen as part of the web injection hijacking process that tries to engineer users into give up phone service logins too.
Armed with this data - plus keylogged passwords for the same service - criminals then try to set calls to forward to a number controlled by them. Banks that phone users to query transactions would then be told by imposters that transfers were genuine.
Screens have been discovered for three of the UK's largest phone providers, BT, Talk Talk and Sky, but it is likely that almost any provider could be targeted.
"Faudsters are increasingly turning to these post-transaction attack methods to hide fraudulent activity from the victim and block email and phone communication from the bank," said Trusteer CTO, Amit Klein.
"This allows attackers to circumvent security mechanisms that look for anomalies once transactions have already been executed by the user."
Ice IX is one of a number of versions built using the source code from the most prodigious banking malware ever to appear, Zeus. Over time, attacks crafted using this family of malware have become increasingly targeted, with the phone service ruse another example of that phenomenon.
Malware gangs are wary of post-transaction verification and will typically test the system to work out the fraud threshold for different institutions and customers.
In one recent example, a New Jersey County lost $19,000 from a business account that had been compromised by Zeus, despite the fact that it contained $13 million in funds. The best explanation for this criminal modesty is that the gang attacking the account wanted to keep its theft as discrete as possible in the short term to avoid detection.