Fraudsters are deploying a new malicious software attack that steals card data from consumers by making them believe they are providing extra authentication when shopping online, Trusteer reports.

The Boston-based data security provider says a new universal man-in-the-browser scam features fake pop-up boxes on legitimate websites that request MasterCard SecureCode or Verified by Visa passwords.

"The big issue here is the consumer and merchant or bank not knowing they are under attack because this is supposed to be a secure feature," says Etay Maor, senior product manager of Trusteer.

The MasterCard Secure Code and Verified by Visa systems add security by requiring a special password for online purchases. This is provided in addition to typical card-account details.

This particular man-in-the-browser attack is difficult to detect because it does not operate with a "trigger list" for attacks only on certain websites or banks, Maor says.

"It is simply waiting until someone is entering a credit card number on a form, and it doesn't care about anything else, making it widespread and targeting everyone," Maor says.

MasterCard has seen malware attempts similar to this new method in the past, says James Issokson, MasterCard's senior business leader for reputation and issues management. "If it mimics the MasterCard SecureCode, even in isolated instances, we have to keep our issuers and merchants educated to be on the look-out for it," Issokson says.

MasterCard continuously monitors the Web to stay abreast of malware occurrences, he adds.

This malware could be particularly damaging because consumers are getting accustomed to security methods such as 3-D Secure, the technology behind MasterCard SecureCode and Verified by Visa, says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.

"In countries outside of the U.S., like Brazil and India, they are mandated to use 3-D Secure," Conroy says. "So, this malware could have a wider audience."

Consumers can never be quite certain which security boxes are legitimate because so many different security measures employ different authorization methods, Conroy says.

"There is nothing universal, so the consumer doesn't know if something doesn't seem right," she adds. "It's no wonder they are prepared to just hand over the keys to the kingdom."

Every security layer that a merchant or bank uses is important, Maor says. "I would never say not to use an anti-virus screening method on your computer, but it likely can't cope with sophisticated malware like this," he adds.

Trusteer seeks to establish methods to avoid malware attacks, and to block their attempts to steal data once they have infected a site, Maor says. Trusteer serves more than 300 clients and protects more than 100 million endpoints.

Subscribe Now

Authoritative analysis and perspective for every segment of the payments industry

14-Day Free Trial

Authoritative analysis and perspective for every segment of the industry