3-D Secure - branded as Verified by Visa and MasterCard SecureCode - is widely used as a means of authenticating online purchases using a pre-determined passphrase known only to the cardholder.
As users move to the transaction page with an online merchant, the merchant's payment provider opens an extensible code window to the card issuer's systems to request the 3-D Secure passphrase from the cardholder.
To use the service, online card users are asked to enrol in the programme, typically when they have made three online purchases with their new card.
A fake version of this enrolment window is what the malware - actually a variant of the Zeus family - presents to the user, illegally requesting their credentials.
According to Trusteer, the secure browsing specialist, after users have initiated a secure online banking session, the Zeus Trojan injects a fake enrolment screen into the browser, illegally requesting credentials from the user.
The information gathered by Zeus is then used by fraudsters to commit 'card not present' transactions with retailers that employ Verified by Visa and SecureCode protection.
This stolen data, says Trusteer, allows criminals to impersonate their victims and register with these programs to ensure fraudulent transactions escape normal fraud detection systems.
Amit Klein, the firm's CTO and head of research, said that this attack uses the familiar Visa and MasterCard online fraud prevention programs to make the request appear legitimate.
"Fortunately, online banking customers protected by Trusteer Rapport are not vulnerable to this attack since it blocks HTML injection and prevents Zeus from presenting the fraudulent enrolment request", he said.
The Rapport web browser plug-in, Infosecurity notes, is available as a free download for e-banking customers of several UK banks, notably HSBC, NatWest, RBS and Santander.