Phishing is where emails, instant messages or websites pretend to be legitimate companies for the purpose of stealing personal information, financial account numbers and passwords.
The scam spreads itself via IM and Internet Relay Chat and downloads a fake Google toolbar and adware on users’ machines, which re-direct to a page collecting credit card information.
According to security firm FaceTime, the scam borrows the exploits of an application commonly referred to as "CoolWebSearch" and uses two URLs via IM that lead users to a web page that begins the toolbar install and calls a Windows Help File. Once this happens, the fake Google toolbar appears and the anti-spyware program known as "World Antispy" launches. At this point, users may also experience a pop-up window that asks for personal information.
So far, Yahoo Messenger is the only IM service being used in this attack.
"Our research finds that this phishing scam is financially motivated by a third party using incredibly elaborate bundles that deliver a rogue Google toolbar with many of the same elements as the real Google toolbar,” Chris Boyd, senior researcher at FaceTime, said. "Hackers are clearly using new tricks such as IM to take advantage of reputable, trusted brands such as Google.”
FaceTime is reporting that there are three distinct versions of this attack, each one exploiting different security vulnerabilities and installing a different payload using different vectors, including IM and IRC.
The new scam marks an increasing trend in using IM as a phishing tool, Boyd said.
According to security firm IMlogic, phishing attacks that use IM as their vehicle have jumped by 14 times since the first of the year, and by the third quarter, IMlogic tracked 10 times the number of IM threats than in all of 2004.