Crooks use to try to steer PC users to bank-lookalike Web sites to steal user names and passwords. Today, many criminals instead steal the credentials as users access genuine banking sites. To do that, hackers use key-logging malware in infected PCs. Such software records the keystrokes on a login page and sends the sequence to the fraudster's server. To defend against such malware, companies have introduced two-factor authentication using one-time passwords sent through a token device. Creative crooks have bypassed the added security through malware that collects login credentials, sends them in real time to a command and control server, and blocks the user for several minutes in order to give the fraudster time to access the site.