This "full page replacement" feature is present in Tinba version 2, which Trusteer researchers have recently discovered and analyzed. The malware comes with support for Google Chrome and attempts to limit its network traffic by locally storing the images loaded on the fake page.
According to the Trusteer researchers, Tinba v2 is already being used in attacks targeting major financial institutions and consumer Web services.
"Banks have always faced two attack vectors in the online channel," Klein said. "The first is credentials theft. There are various ways to execute this type of attack, including malware, pharming and phishing. The second attack vector is session hijacking, which is achieved through malware. These two vectors require two different solutions."
Banks should make sure that they have protection in place against both attack types, otherwise cybercriminals will quickly adapt their techniques, Klein said. "You can't put a lock on your door and leave the window open."