Facebook has taken the unusual step of warning users about a bogus password reset scam designed to trick victims into downloading a password-stealing Trojan.

Prospective marks are falsely told in widely distributed spam emails that their password has been changed because of a supposed security incident. Targets are invited to open an email attachment for more information. This email attachment, you'll be unsurprised to learn, contains keystroke snaffling malware. Once bitten, every password a user enters onto an infected PC becomes compromised.

Facebook points out that it would never send users a new password in an email attachment.

McAfee, which was first to warn about the threat, has a copy of the scam emails and even a map showing the distribution of the attacks in a alert here. The web security firm reports that the scam is the sixth most prevalent piece of malware targeting consumers. ®

Related stories

• Friendster password emails spark site hack fears (2 June 2011)
• Dodgy Facebook pages used to power 'spam a friend' joke scam (10 May 2010)
• Workers scared to befriend bosses on Facebook (23 April 2010)
• Popular Facebook game caught serving malvertisements (12 April 2010)
• Nicole Richie turns Twitter hacker on celeb chums (6 April 2010)
• Weak passwords stored in browsers make hackers happy (30 March 2010)
• A quarter of underage children have social networking profiles (29 March 2010)
• Facebook users warned over stalk-my-profile scam (15 March 2010)
• Koobface gang refresh botnet to beat takedown (11 March 2010)
• Password reset questions dead easy to guess (11 March 2010)
• Twitter hits fan as scams smite banks, cabinet ministers (26 February 2010)
• Twitter phish pwned profiles push penis pills (22 February 2010)
• 1 in 3 users reviewed Facebook privacy roll-back (1 February 2010)