Trusteer warns on website-based financial malware

As reported previously by Infosecurity, SpyEye is now effectively a sister malware to Zeus, the development teams having been merged late last year.

According to Amit Klein, Trusteer's chief technology officer, the targeted attacks on online merchants also expose some shortcomings in the firm's PCI DSS best practice implementations.

Under the PCI DSS rules, in order for an online business to accept payment cards it must prove that it has adhered to the rules, and in some cases, undergo an external verification process.

The SpyEye-driven attack on Verizon's website took place, says Klein, between the 7th and 13th of May, centering on the use of injected HTML code that was used to capture payment card related data.

"The attack is invisible to Verizon customers since the malware waits for the user to logon and access their billing page and only then injects an authentic-looking replica webpage that requests this information", he said in his security blog.

"Since the user has logged on and has navigated to the familiar billing page they have no reason to suspect this request for payment information is suspicious", he added.
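The injection Klein describes leaves a footprint a merchant can look for: the billing page the browser renders contains input fields the server never sent. The following is an added example, not code from the article, Trusteer or Verizon, of a client-side integrity check for that case. It assumes a hypothetical manifest of field names the server embeds in the page (`EXPECTED_BILLING_FIELDS`) and compares it with the fields actually present, flagging extras whose name, placeholder or label asks for card data. The sample DOM snapshot at the bottom is constructed.

```javascript
// Added example: detecting injected card-data fields in a billing form.
// Names, the manifest format and the sample data are assumptions for illustration.

// Field names the server is assumed to have rendered into the billing form.
const EXPECTED_BILLING_FIELDS = ["account_id", "amount", "statement_period"];

// Text patterns that indicate a field is soliciting payment card data.
const CARD_DATA_PATTERNS = [
  /card\s*(number|no|num)/i,
  /\bpan\b/i,
  /\bcvv\b|\bcvc\b|security\s*code/i,
  /expir/i,
  /\bpin\b/i,
];

// True if any human-visible attribute of the field looks like a card-data prompt.
function looksLikeCardField(field) {
  const haystack = [field.name, field.id, field.placeholder, field.label]
    .map((v) => v || "")
    .join(" ");
  return CARD_DATA_PATTERNS.some((re) => re.test(haystack));
}

// Return every observed field whose name is not in the server manifest,
// annotated with whether it appears to ask for card data.
function findInjectedFields(expectedNames, observedFields) {
  const expected = new Set(expectedNames);
  return observedFields
    .filter((f) => !expected.has(f.name))
    .map((f) => ({ name: f.name, cardData: looksLikeCardField(f) }));
}

// Browser-only helper: snapshot the inputs of a live <form> element into the
// plain descriptor shape used above. Not called in the offline sample below.
function collectFields(form) {
  const out = [];
  for (const el of form.querySelectorAll("input, select, textarea")) {
    if (el.type === "submit" || el.type === "button") continue;
    let label = "";
    if (el.id) {
      const l = form.querySelector(`label[for="${el.id}"]`);
      if (l) label = l.textContent;
    }
    out.push({ name: el.name, id: el.id, placeholder: el.placeholder || "", label });
  }
  return out;
}

// Verdict for the page: tampered if any unexpected field solicits card data.
// A real deployment would POST this verdict to a server-side telemetry endpoint.
function reportIfTampered(expectedNames, observedFields) {
  const extras = findInjectedFields(expectedNames, observedFields);
  const suspicious = extras.filter((f) => f.cardData);
  return { tampered: suspicious.length > 0, extras, suspicious };
}

// Constructed snapshot of a billing form after malware has injected three extra
// inputs; the first three entries are the legitimate fields.
const SAMPLE_OBSERVED = [
  { name: "account_id", id: "account_id", placeholder: "", label: "Account" },
  { name: "amount", id: "amount", placeholder: "", label: "Amount due" },
  { name: "statement_period", id: "statement_period", placeholder: "", label: "Period" },
  { name: "ccnum", id: "ccnum", placeholder: "Card number", label: "" },
  { name: "exp", id: "exp", placeholder: "MM/YY", label: "Expiry date" },
  { name: "sec", id: "sec", placeholder: "", label: "Security code" },
];

const verdict = reportIfTampered(EXPECTED_BILLING_FIELDS, SAMPLE_OBSERVED);
console.log(JSON.stringify(verdict, null, 2)); // tampered: true, three suspicious fields
```

In a browser the verdict would come from `reportIfTampered(EXPECTED_BILLING_FIELDS, collectFields(document.querySelector("#billing")))`. The check is a detection signal, not a guarantee: malware that rewrites the page runs with the browser's privileges and can also remove or neuter the script, so its value is in telemetry that lets the merchant notice a campaign against its customers rather than in blocking any single injection.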

Whilst this modus operandi is not technically new, Trusteer's CTO says that it is a continuation of a financial malware trend that his research team has been tracking for several weeks.

This involves, he says, a shift away from stealing usernames and passwords to stealing payment card data and allows criminals to commit cardholder-not-present fraud on the internet.

In addition, he notes, it also makes it more difficult for banks to identify the source of fraudulent transactions since they cannot trace it back to a specific computer.

"Whether it's on consumer machines, call centre computers, or point-of-sale systems, attackers are targeting endpoints to steal readily available payment card data", he said.

"This trend is exposing a major shortcoming in the Payment Card Industry Data Security Standard, which only requires endpoints to be running anti-virus software. As we have seen, anti-virus software is unable to effectively defend against zero day attacks", he added.

Klein went on to say that there is no easy solution to this problem, as most endpoints used to enter payment and credit card data are outside the control of the merchants who process the transactions.

One model worth considering, he says, is the path taken by the growing legion of banks that are supplementing backend risk and fraud management systems with end-user education and browser-based security tools.

* Update: Verizon responded to this story by stressing that: "Verizon sites were infected, hacked or otherwise compromised. No Verizon store or repository of Verizon consumer information has been compromised in any way."

"The company has for years offered an internet security bundle to help keep our customers protected."
