When a victim logs into the Barclays site, the malware begins logging keystrokes, but also creates “screen shots” – images of the page displayed on the monitor – that show the drop-down menus. The images are saved as bitmap (.bmp) files and then e-mailed to the scammers along with keylogger data. An indicator of the new trojan’s sophistication is that it appears to adjust its screen shots for different screen width settings.
“Each time we tested this it work perfectly. The trojan would always grab the exact spot it needed,” Codefish Spamwatch noted in its commentary. “This is a huge step in the phisher trojan evolution. Until now most people assumed visual selection systems like the one Barclays had put in place were safe from keyloggers. This is no longer the case. This well designed trojan should make anyone who has complete faith in visual selection systems a little bit worried.”