The Trojan Money Spinner
How do they know when the user has gone to a site?
As noted above, banking trojans filter out useless data – or, more precisely, they capture only the interesting data from online banking activity. This means that the trojan has to know when the user is banking online. Very commonly, the trojan monitors only what the web browser is doing and where it is going. Banking trojans today use the following means of determining where the user is surfing:
- Hooking (e.g. inline hooks on WinInet API functions)
- BHO (Browser Helper Object) interface [4]
- Window title enumeration (e.g. FindWindow() [5])
- DDE [6]
- Other COM (Component Object Model) / OLE (Object Linking and Embedding) interfaces
- Firefox browser extensions
- LSP (Layered Service Provider) interface [7]
As a fairly conventional example, Banker.ark [8] steals logon credentials related to some Brazilian banks by logging keystrokes when the internet browser title bar contains a string that is on its filter list.
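The first technique in the list above, inline hooks on WinInet API functions, leaves a detectable trace in the browser process: the first bytes of the hooked export no longer match the clean DLL on disk. The following is an added example (not code from the paper or from any product it mentions) of the two checks an integrity scanner would run on an export's prologue; the prologue bytes are constructed inline here, where a real scanner would read them from the live process and from the mapped file image.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROLOGUE_LEN 8   /* leading bytes of a function body we inspect */

/* Heuristic: does the start of an x86 function look like an inline hook?
 * A trojan hooking WinInet exports (HttpSendRequest, InternetReadFile, ...)
 * overwrites the first 5+ bytes with a transfer to its own code. Patterns:
 *   E9 rel32        jmp rel32          FF 25 disp32    jmp [disp32]
 *   68 imm32 C3     push imm32 ; ret   B8 imm32 FF E0  mov eax,imm32 ; jmp eax
 * Returns 1 if a hook pattern is present, 0 otherwise. */
int prologue_looks_hooked(const uint8_t *p, size_t len)
{
    if (len >= 5 && p[0] == 0xE9) return 1;
    if (len >= 6 && p[0] == 0xFF && p[1] == 0x25) return 1;
    if (len >= 6 && p[0] == 0x68 && p[5] == 0xC3) return 1;
    if (len >= 7 && p[0] == 0xB8 && p[5] == 0xFF && p[6] == 0xE0) return 1;
    return 0;
}

/* Stronger check: compare the in-memory prologue with the same bytes from the
 * on-disk DLL image; any difference means the code was patched in the process.
 * Returns 1 if modified, 0 if it still matches the file. */
int prologue_modified(const uint8_t *in_memory, const uint8_t *on_disk,
                      size_t len)
{
    return memcmp(in_memory, on_disk, len) != 0;
}

/* Constructed sample bytes (assumed; not taken from any real wininet.dll).
 * Hot-patchable Win32 export: mov edi,edi; push ebp; mov ebp,esp; sub esp,10h */
static const uint8_t clean_prologue[PROLOGUE_LEN] =
    { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
/* Same export after an inline hook: jmp rel32, then the leftover bytes. */
static const uint8_t hooked_prologue[PROLOGUE_LEN] =
    { 0xE9, 0x00, 0x10, 0x00, 0x00, 0x83, 0xEC, 0x10 };

int main(void)
{
    printf("clean:  hooked=%d modified=%d\n",
           prologue_looks_hooked(clean_prologue, PROLOGUE_LEN),
           prologue_modified(clean_prologue, clean_prologue, PROLOGUE_LEN));
    printf("hooked: hooked=%d modified=%d\n",
           prologue_looks_hooked(hooked_prologue, PROLOGUE_LEN),
           prologue_modified(hooked_prologue, clean_prologue, PROLOGUE_LEN));
    return 0;
}
```

The pattern heuristic alone misses hooks placed deeper in the function, which is why the file comparison is the check to rely on; the heuristic is useful mainly for triage when no clean image is at hand.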