The attack, which McAfee highlighted in its consumer threat alert on Wednesday, uses a classic email spoofing technique, in which scammers send email purporting to be from Facebook. However, whereas conventional phishing attacks simply invite users to visit a fake website to 'confirm' their login credentials, this mail is designed to infect a computer and harvest more than just the account information for a single social networking service. It tells a Facebook user that their password has been reset, and that they should click on an attachment to receive it.
"Once installed, the password stealer can potentially access any username and password combination utilized on that computer, not just for the user's Facebook account," said McAfee in a statement.
"Facebook would never send an email alerting a user that they changed his or her password," McAfee continued. "Another clue that can signal a user has received a spam email is the use of poor grammar and awkward phrases."
The attack could potentially harvest everything from passwords for other social networks through to online banking credentials, making it particularly insidious for Facebook's base of over 400 million users.
In a global map of targets showing where the scam was targeting Facebook users, North America, Europe, Australia, New Zealand and parts of southeast Asia were particularly heavily hit. Russia seemed to escape relatively unscathed.
McAfee said that its own customers were protected against the scam.
Facebook warned about the email scam briefly on its security blog this week, reiterating that it would never make such requests via email.