New malware being used by cybercrooks does more than let hackers loot a bank account; it hides evidence of a victim's dwindling balance by rewriting online bank statements on the fly, according to a new report.

The sophisticated hack uses a Trojan horse program installed on the victim's machine that alters html coding before it's displayed in the user's browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances.

The ruse buys the crooks time before a victim discovers the fraud, though won't work if a victim uses an uninfected machine to check his or her bank balance.

The novel technique was employed in August by a gang who targeted customers of leading German banks and stole Euro 300,000 in three weeks, according to Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan.

"The Trojan is hooked into your browser and dynamically modifies the text in the html," Ben-Itzhak says. "It's a very sophisticated technique."

The information appears in a cybercrime intelligence report (.pdf) written by Finjan's Malicious Code Research Center.

The victims' computers are infected with the Trojan, known as URLZone, after visiting compromised legitimate web sites or rogue sites set up by the hackers.

Once a victim is infected, the malware grabs the consumer's log in credentials to their bank account, then contacts a control center hosted on a machine in Ukraine for further instructions. The control center tells the Trojan how much money to wire transfer, and where to send it. To avoid tripping a bank's automated anti-fraud detectors, the malware will withdraw random amounts, and check to make sure the withdrawal doesn't exceed the victim's balance.

The money gets transferred to the legitimate accounts of unsuspecting money mules who've been recruited online for work-at-home gigs, never suspecting that the money they're allowing to flow through their account is being laundered. The mule transfers the money to the crook's chosen account. The cyber gang Finjan tracked used each mule only twice, to avoid fraud pattern detection.

"They instruct the Trojan that the next time you log into your online banking account, they actually modify and change the statement you see there," says Ben-Itzhak. "If you don't know it, you won't report it to the bank so they have more time to cash out."

The researchers were able to capture screen shots showing the rogue bank statements in action, disguising, for example, a transfer of Euro 8,576.31 as Euro 53,94.

The researchers also found statistics in the command tool showing that out of 90,000 visitors to the gang's rogue and compromised websites, 6,400 were infected with the URLZone trojan. Most of the attacks Finjan observed affected people using Internet Explorer browsers, but Ben-Itzhak says other browsers are vulnerable too.

Finjan provided law enforcement officials with details about the gang's activities and says the hosting company for the Ukraine server has since suspended the domain for the command and control center. But Finjan estimates that a gang using the scheme unimpeded could rake in about $7.3 million annually.

"The example we found relates to German banks," Ben-Itzhak says. "But we believe this will increase to other countries."