What do you get when you cross a phishing e-mail with a virus? I don’t know exactly, but the thought makes my blood run cold.
A bright red alert that I first saw this afternoon reports that some visitors to the American Express secure website are seeing the following pop-up dialog box, which asks them to enter their Social Security number, mother’s maiden name, and date of birth – enough information, in short, to open dozens of credit accounts and steal an identity:

Let me repeat the really chilling part: According to American Express, people are seeing these pop-ups when they’re on AmEx’s secure site!
The AmEx page that warns about this scam is very short on details, but it suggests that they first received notice of this attack around March 29, 2006. The security alert also contains this hint that the culprit is a piece of malware:
Please note that this fraudulent activity may be the result of a computer virus and is not a part of the American Express website. If you received this pop-up box, your computer may have this virus.
In recent years, malware distributors have been mostly interested in setting up bot networks for relaying spam and hosting phishing messages. Some trojans with keylogging capabilities, like those in the PWSteal family, attempt to spot web-based forms where you enter credit card or banking information and scrape their contents to send to an outside source. Attackers running phishing scams have mostly worked via e-mail, and the tools for detecting and blocking phishing attacks are getting better. So this represents a significant escalation. When you see a pop-up dialog box while logged onto a secure site run by a reputable financial institution, you might be fooled.
I haven’t seen this documented elsewhere, and a search at some leading AV sites turns up nothing. If American Express is alarmed enough to put out a public warning, it must have hit a significant number of their clients. Anyone have any further information on what this thing could be?
Ed, I have seen reports of this but not experienced it myself. I believe it’s happened with other banking sites as well.
Trojans are being spammed in email links or as attachments. If the user clicks on the link or opens the attachment, the trojan installs software that monitors keystrokes for certain words. When a URL is entered, or appears in the address bar, the password stealing trojan causes the pop-up that imitates the banking site and obscures or replaces the web page. When the user enters their login information, the trojan logs it and may write it to a remote server or email the information to a pre-designated email address coded into the trojan.
I’ll look for the examples I’ve seen and post a link or more info when I find it.
Well Ed, I’ve been online since 1997 and all I can say is that net crime is starting to show signs of maturity.
It is now more organised and more focused. Comparing the ’90s scams to the current ones is like comparing WW2 bombers to the latest state-of-the-art secret Pentagon stealth bomber…
In terms of functionality, this is very similar to popping up an ad when you go to a certain website. I don’t mean to underestimate the seriousness of the problem, but I almost expect things like this. Now back to that discussion we were having about the merits of Internet Explorer…
To clarify the above, popping up ads is basic spyware functionality, and enormous numbers of people are using the Internet with compromised machines. I expect we’ll see a lot more of this before things get better.
The functionality is a lot more complex than a typical pop-up ad. The trojan has a keylogging component that captures the text entered on the fake form. The trojan also likely has a built-in SMTP engine that emails the data, or it may have a script built in to write the data to a text log on a remote server.
This is a good description of the functionality, except this example does not include the pop-up.
http://vil.nai.com/vil/content/v_100977.htm
Click on characteristics.
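The behaviour the commenters describe (a non-browser process that throws up a form as soon as the browser lands on a banking URL, then ships what was typed off over SMTP) can be expressed as a host-telemetry correlation rule. This is an added example, not code from the post or its commenters; the event schema, the process and domain names, and the time window are assumptions, and the event stream is constructed.

```python
"""Correlation rule for the URL-triggered pop-up trojan described in the thread.

Added example, not from the original post or its commenters. The telemetry
schema (event dicts with ts, pid, process, kind, ...) is an assumption and the
event stream below is constructed for illustration.
"""
from collections import defaultdict

BROWSERS = {"iexplore.exe", "firefox.exe"}
# Financial site substrings a defender would tune to their own environment (assumed).
WATCHED = ("americanexpress.com", "bank")
WINDOW_SECS = 30          # pop-up must appear within this many seconds of navigation
EXFIL_PORTS = {25, 587}   # outbound SMTP from a non-mail process is the second signal


def flag_popup_stealers(events):
    """Return pids of non-browser processes that (1) create a top-level window
    shortly after a browser navigates to a watched site and (2) later open an
    outbound SMTP connection. Both steps are required, so an ordinary ad
    pop-up or a mail client on its own does not trip the rule."""
    events = sorted(events, key=lambda e: e["ts"])
    nav_times = [e["ts"] for e in events
                 if e["kind"] == "navigate" and e["process"] in BROWSERS
                 and any(w in e["url"] for w in WATCHED)]
    suspects = defaultdict(dict)  # pid -> {"popup": ts, "smtp": ts}
    for e in events:
        if e["process"] in BROWSERS:      # the browser's own dialogs are out of scope
            continue
        if e["kind"] == "window" and any(0 <= e["ts"] - t <= WINDOW_SECS for t in nav_times):
            suspects[e["pid"]].setdefault("popup", e["ts"])
        elif e["kind"] == "connect" and e["port"] in EXFIL_PORTS and "popup" in suspects[e["pid"]]:
            suspects[e["pid"]]["smtp"] = e["ts"]
    return sorted(pid for pid, s in suspects.items() if "smtp" in s)


# Constructed telemetry: a benign mail client, a benign ad pop-up, and one
# process that pops a window right after the AmEx login page loads and then
# talks SMTP. Names and pids are made up.
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 1, "process": "iexplore.exe", "kind": "navigate",
     "url": "https://www.americanexpress.com/login"},
    {"ts": 103, "pid": 77, "process": "updatr.exe", "kind": "window",
     "title": "American Express Verification"},
    {"ts": 140, "pid": 77, "process": "updatr.exe", "kind": "connect", "port": 25},
    {"ts": 50, "pid": 12, "process": "outlook.exe", "kind": "connect", "port": 25},
    {"ts": 104, "pid": 55, "process": "adware.exe", "kind": "window", "title": "Special offer"},
]

if __name__ == "__main__":
    print("suspect pids:", flag_popup_stealers(SAMPLE_EVENTS))  # → [77]
```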