Facebook users hit by major bot-based attack

As of last night, more than 750 000 Facebook users had received a fake password reset message, and the attack is showing no signs of abating, Cloudmark, the IT security software and service specialist, said.

According to Cloudmark, the bot-based attack targets Facebook users with a spoofed message that claims recipients' passwords have been reset as a security measure.

The messages, which have subject lines such as 'Facebook Password Reset Confirmation', include a file attachment that supposedly contains the new password.

In fact, said Cloudmark, the attached zip file includes a trojan downloader, dubbed Bredlab or Bredolab by several anti-virus and malware vendors.

Once triggered, the downloader streams a range of malware from a number of hacker servers, including fake security software (also known as scamware), installing attack code and rogue anti-virus applications on the compromised PCs.

Facebook has said it cannot do much about the scams, because they are generated from outside companies and sent directly to users' email accounts.

The social networking portal advises its users to check the security warnings on its website and not to respond to external emails unless they refer directly to a Facebook URL.
