The in-session attack dupes online banking customers into surrendering their personal data by claiming new FDIC rules require mandatory sign-up to the card protection programme. The injected enrollment screen prompts users to enter their social security number, credit or debit card number, expiration date, and PIN or CSV code.

The information gathered by Zeus is used by fraudsters to commit 'card not present' transactions with retailers that employ VbV and SecureCode protection, says Trusteer.

Zeus has been implicated in a wave of successful online banking assaults on US small businesses and a $6 million commercial account heist on 20 European banks in the summer of 2008. Trusteer reckons that one in every 100 computers may be infected with the trojan, which has been progressively engineered to circumvent common anti-virus programs.