The NY Times hits on a new weapon for the black hats: keyloggers that report back in real time.
That gives them the ability to steal "expiring" passwords and compromise open sessions:
By going real time, hackers now can get around some of the roadblocks that companies have put in their way. Most significantly, they are now undeterred by systems that create temporary passwords, such as RSA's SecurID system, which involves a small gadget that displays a six-digit number that changes every minute based on a complex formula. Ouch. Again, practice safe computing and be extra careful.
If your computer is infected, the Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account. Sometimes, the hacker logs on from his own computer, probably using tricks to hide its location. Other times, the Trojan allows the hacker to control your computer, opening a browser session that you can't see.