A malicious Facebook e-mail password reset scam is making its way around the social networking giant's 400 million global users, experts said Thursday.

During the attack, detected by researchers at McAfee Labs, users are presented with a fake but legitimate-looking e-mail alert warning them that their password needs to be reset. The e-mail comes with an attachment, which users are prompted to open in order to receive their newly reset password.

Upon downloading the attachment, the user becomes infected with a variety of malware, including password-stealing Trojans and fake antivirus designed to steal login credentials and other personally identifying data.

Meanwhile, McAfee researchers have seen a big spike in detections within the past 48 hours.

Dave Marcus, security research and communications manager for McAfee Labs, said that users should be clued in to the scam when it promises to provide an unsolicited Facebook password reset.

"Companies don't send you unsolicited passwords," he said. "Users have to look at their inboxes with a bit of skepticism. The volume of spam and scams is monstrously high. Most of the e-mails in your inbox are either a scam or a phish."

Full story: CRN