The attack has two components, first the user’s PC is infected with the ZeuS malware which adds a legitimate looking field to ING’s web page. This extra field asks the user for their phone number. Once entered the user receives a fake SMS from the bank with a link to the mobile part of the attack. Once installed the mobile malware forwards the real authentication messages from the bank (used during login) to another phone.
Now armed with the user name and password (from the infected PC) and the authentication code SMS from the infected phone, the attacker can login to the victims online banking service.
This isn’t the first time this type of attack has been launched against online banking systems which use SMS messages for authentication. A similar ZeuS Man-in-the-mobile attack was reported in Spain last year.
Apple is often criticized for the amount of control it has over its app store, but this is one example of how being able to freely install apps from anywhere can lead to disastrous consequences.