A good write-up and video of malware designed to capture information from users using virtual keyboards.
It's just another indication that banks and other E-Commerce sites will need to come up with something more robust if they really want to make phishing impractical for attackers...
Personally I'd be interested to try a combination of RSA SecureID and Intrusion detection/prevention.
It works like this. the SecureID forces an attacker to do an in-line attack 'cause they've only got a less than 60 second window to use the credentials successfully, and this should increase the visibility of the traffic patterns. For example if you've got 10 users who've always come from different UK based IP addresses in the past, and suddenly they're all coming from the same non-UK based ip address, then that could be a good time to block the session.
It would be difficult to tune, but I think once you'd baselined users it would be possible to build up a reasonable enough pattern to allow for some form of anomoly detection.