I am not sure the details on how to do it. But i have seen some domain (DNS) hijack incident that victim's yahoo.com actually pointing a different site and everything he enter there is being log down and re-transmited to the real yahoo.com. And the real respond from yahoo.com forwarded back to victims workstation. Hence all the login account, password (in clear text) is being capture.

It could have come from a trojan itself.

(Just my two cents worth, correct me if i am wrong)