SecureWorks says in June 2006 to December of 2006, it blocked attacks from approximately 808 hackers per bank per month, but since the beginning of 2007 up until June, the average number of hackers launching attacks at each bank has risen to 1462.

The vendor says it also recorded a 62% increase in the number of attacks targeted at its credit union clients. In the second half of 2006 SecureWorks blocked attacks from 1110 hackers per credit union per month. That number rose to 1799 hackers per credit union per month in the first half of this year.

Don Jackson, security researcher for SecureWorks, says: "The amount of stolen financial data we have found since the first of the year has been daunting."

"With the Gozi, Prg and BBB trojans alone, we found millions of dollars of data sitting in their stolen repositories," adds Jackson. "These data caches contained thousands of bank account and credit card numbers, social security numbers, online payment accounts and user names and passwords, and we are finding new caches of stolen data everyday."

SecureWorks says most of the hackers it sees stealing financial data are located in Russia and Eastern Europe, but there is also a growing number of hackers operating out of China.

Earlier this week California-based e-security firm Finjan warned that new crimeware is being used to steal banking customer data from infected PCs.

The MPack toolkit, which is used to infect PCs with malware designed to steal personal and financial data, is more dangerous than phishing attacks, says Finjan.

Stolen data is being sent to the criminals over a secure communication channel (SSL) to avoid detection, and users whose PCs were infected by this crimeware will not notice any change to their normal online browsing experience.

During July 2007, the vendor identified 58 criminals using the MPack toolkit to successfully infected over 500,000 unique users.

Yuval Ben-Itzhak, CTO of Finjan, says because this attack happens on the customers' own PC and is encrypted, it makes it extremely difficult to detect.

"After the customer fills in the login form on their Web site and clicks on the log in button, the crimeware, running on the infected user machine, intercepts the communication," explains Ben-Itzhak. "The crimeware sends the intercepted UserID and password to the criminal's server, instead of sending to bank's server. The customer thinks they are still on the bank's web site but they are actually sending data to the criminal's server over an encrypted connection."

Ben-Itzhak says even though the Web page has the look and feel of a normal bank page, it is actually reconstructed in real-time by the crimeware and is displayed over a pre-established SSL connection.

The same technique is used when browsing to other online financial service providers and for each company the crimeware will send a customised set of crafted forms and pages, designed to harvest the data needed to log into that particular service.

Ben-Itzhak warns that the crimeware is being spread by legitimate Web sites that have been infected by toolkits that have embedded an iframe placed on the main page of the referring site, which points to the malicious code. Once the main page is loaded by the user's browser the embedded malicious code is loaded as well.