Millions of spam e-mail messages were sent to Facebook users around the world last week in a scam that could infect computers with software that steals passwords and other data.
The e-mail's subject line says “Facebook password reset confirmation customer support.” The messages look like they came from Facebook, but they contain an attachment that users are instructed to download to find a new password that was allegedly reset.
Facebook Security, in a message to users, said it would not send messages with attachments.
“There's another spoofed e-mail going around that claims to be from Facebook and asks you to open an attachment to receive a new password. This e-mail is fake. Delete it from your inbox, and warn your friends,” the site stated.
Dave Marcus, McAfee's director of security research and communication, told PC World magazine that the attachment is a Trojan horse program containing malware, including password stealers, rogue antivirus programs, or botnet code. The password stealer can potentially access any username and password combination used on the computer, not just for the Facebook account.
"As we had previously discussed in our 2010 Threat Predictions, social-networking sites will continue to be a favorite social-engineering lure for cybercriminals to distribute malware," he told CIO Today. "Make sure you are protected and educated."
Facebook has more than 400 million users. McAfee, in a “Consumer Threat Alert” blog post on its site, said, "This is also the sixth most prevalent piece of malware targeting consumers in the last 24 hours, as tracked by McAfee Labs."
To avoid problems, experts advise users to delete the Facebook scam e-mail. In addition, they say to install security software, make sure it’s the most up-to-date version, and keep the subscription active. Also, watch for poor grammar and awkward phrasing – it’s a tipoff of a scam.