A version of the infamous Zeus Trojan is taking aim at the mobile phone-based two-factor authentication system used by ING's Polish unit.
The malware targeting ING Bank Slaski was spotted by local security consultant and blogger, Piotr Konieczny, and picked up by F-Secure.
The security firm says the variant, Zeus Mitmo, appears to be the same type of man-in-the-mobile attack discovered by Spain's S21sec last year.
It is designed to steal one-time passwords sent over SMS, known as mTANs, by injecting a "security notification" into the web banking process on infected computers, attempting to lure the user into providing their phone number.
If a phone number is obtained, the user will receive an SMS link pointing to the mobile component, ZeusMitmo.A. If this is clicked on, crooks can intercept the SMS mTANs, enabling them to carry out transactions on the victim's account.
Separately, a new form of financial malware with the ability to hijack customers' online banking sessions in real time using their session ID tokens has been identified by Trusteer.
Dubbed OddJob, the malware is being used by criminals based in Eastern Europe to attack the customers of unnamed banks in the USA, Poland and Denmark, claims the security firm.
OddJob enables fraudsters to carry out their crime without logging into the online banking computers: they simply ride on the existing, authenticated session. The Trojan can also intercept a user's logout request so that the online session is not actually terminated. Because the interception and termination are carried out in the background, the legitimate user thinks they have logged out, when in fact the fraudsters remain connected.
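As an added illustration (hypothetical code, not from Trusteer, the article, or any bank), the following Python contrasts two server-side session designs against the session-riding behaviour described above. The weak store treats logout as a client-side cookie deletion only, so a copied session ID keeps working after the user logs out; the hardened store revokes the session record on logout and expires idle sessions, so a copied ID stops working as soon as the user ends the session or stops using it. The store classes, the user names and the clock values are constructed for the example.

```python
import secrets


class WeakSessionStore:
    """Weak pattern: 'logout' only instructs the browser to drop its cookie.
    The server never revokes the session ID, so any party that already holds
    a copy of it (here, a simulated session-riding component) stays authenticated."""

    def __init__(self):
        self._sessions = {}  # session ID -> {"user": ..., "last_seen": clock}

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def logout(self, sid):
        # Only a Set-Cookie header for the client; server-side state is untouched.
        return "session=; Max-Age=0"

    def is_authenticated(self, sid, now):
        return sid in self._sessions


class HardenedSessionStore(WeakSessionStore):
    """Hardened pattern: logout deletes the server-side record, so a copied
    session ID is worthless afterwards, and idle sessions expire on their own."""

    def __init__(self, idle_timeout=900):
        super().__init__()
        self.idle_timeout = idle_timeout  # seconds; assumed value for the example

    def logout(self, sid):
        self._sessions.pop(sid, None)  # revoke, whether or not it still existed
        return "session=; Max-Age=0"

    def is_authenticated(self, sid, now):
        rec = self._sessions.get(sid)
        if rec is None:
            return False
        if now - rec["last_seen"] > self.idle_timeout:
            self._sessions.pop(sid, None)  # expired: clean up and refuse
            return False
        rec["last_seen"] = now
        return True


def session_survives_logout(store):
    """Constructed timeline matching the scenario in the article: the user logs
    in, a second party holds a copy of the session ID, the user logs out.
    Returns True if the copied ID still authenticates afterwards."""
    clock = 1_000  # constructed clock, seconds
    sid = store.login("alice", now=clock)
    copied_sid = sid  # the token as seen by a session-riding component
    assert store.is_authenticated(copied_sid, now=clock + 1)
    store.logout(sid)  # the legitimate user clicks 'log out'
    return store.is_authenticated(copied_sid, now=clock + 2)


def session_survives_idle(store, idle_seconds):
    """Returns True if a session is still accepted after idle_seconds of inactivity."""
    clock = 1_000
    sid = store.login("bob", now=clock)
    return store.is_authenticated(sid, now=clock + idle_seconds)


if __name__ == "__main__":
    print("weak store, copied ID valid after logout:",
          session_survives_logout(WeakSessionStore()))
    print("hardened store, copied ID valid after logout:",
          session_survives_logout(HardenedSessionStore()))
```

Server-side revocation only closes the window after the user logs out; it does nothing about transactions submitted while the legitimate session is still live, which is why the article treats OddJob as a real-time threat.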
Trusteer says it has been monitoring OddJob for a few months, but has not been able to report on its activities until now due to ongoing investigations by law enforcement agencies.