
35 phishing sites targeting users of online banking services were set up within a few weeks, revealed Rich Miller, an analyst with Internet research company Netcraft Ltd.
Some US banks have implemented what is known as a token-based authentication security system to comply with federal regulations that ask for multiple authentications for all online transactions. Through token devices, banking customers are issued a secondary, temporary password that can be used only once and that has a short lifetime.
A man-in-the-middle technique circumvents the token security measures. Such attacks are on the rise, as shown by the 35 phishing sites posted to harvest temporary passwords that ultimately give access to bank accounts at financial institutions such as Citigroup Inc.
"These attacks are worrisome because they took advantage, fairly early on, of a system that's seen as enhancing security for banking customers," Miller said. "This is getting organized. It is not just an isolated incident of somebody coming up with a proof of concept or an exploit that's unique to them."
When a user is tricked into divulging confidential bank account information on a phishing site, the data is instantaneously forwarded to the bank and the account is accessed. In most cases the actual bank customers have no time to react; they become instantaneous victims.