Source: FaceTime Communications
FaceTime today warns users about malicious links being spread through instant messaging (IM) and Internet Relay Chat (IRC) which download a rogue, fake Google toolbar and adware onto users' machines and redirect users to a page collecting credit card information.
This complex phishing scheme, which takes advantage of Google's trusted brand, borrows exploits of an application commonly referred to as "CoolWebSearch", although it is still unclear who is responsible for the scheme.
FaceTime researchers warned that two URL links are involved with a browser hijacker currently in circulation. These links lead users to a Web page which begins the install and calls a Windows Help File. Once this happens, the full install is launched and the HOSTS file hijack is inserted; the fake Google toolbar appears upon reboot, and the anti-spyware program known as "World Antispy" launches. The fake toolbar performs a browser redirect on most Google domains. Users may also experience a pop-up window which asks for credit card information. Through systematic research, FaceTime Security Labs have found that there are three distinct versions of this attack, each one exploiting different security vulnerabilities and installing a different payload using different vectors, including IM and IRC.
"Hackers are clearly using new vectors such as IM to take advantage of reputable, trusted brands such as Google," said Chris Boyd, Senior Researcher at FaceTime Security Labs. "Our research finds that this phishing scam is financially motivated by a third party using incredibly elaborate bundles that deliver a rogue Google toolbar with many of the same elements as the real Google toolbar."
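A HOSTS file hijack like the one described above can be spotted by auditing the file for entries that point a trusted domain at a non-local address. The following is an added example, not code from FaceTime or from the original release; the watched suffix `google.com`, the function name `audit_hosts` and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the release only says "most Google domains"; extend as needed.
WATCHED_SUFFIXES = ("google.com",)

# Constructed sample (documentation-range addresses), not from a real infection.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
203.0.113.10    www.google.com google.com   # redirect entry
203.0.113.10\tWWW.Google.com.
0.0.0.0         ads.example.net
127.0.0.1       mail.google.com
198.51.100.7    notgoogle.com
"""

def audit_hosts(text, watched=WATCHED_SUFFIXES):
    """Return (line_no, ip, hostname) for entries that redirect a watched domain."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Strip trailing comments, then split on any run of spaces or tabs.
        entry = raw.split("#", 1)[0].split()
        if len(entry) < 2:
            continue
        ip_text, names = entry[0], entry[1:]
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # first field is not an IP address, so not a mapping
        if ip.is_loopback or ip.is_unspecified:
            continue  # these block a name locally rather than redirect it
        for name in names:
            # Normalise case and a trailing dot before comparing.
            host = name.lower().rstrip(".")
            # Match the domain itself or a true subdomain, not a look-alike.
            if any(host == s or host.endswith("." + s) for s in watched):
                findings.append((line_no, ip_text, host))
    return findings

if __name__ == "__main__":
    for line_no, ip, host in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} is redirected to {ip}")
```

On Windows the file to audit is `C:\Windows\System32\drivers\etc\hosts`; pass its contents to `audit_hosts` in place of the sample.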