"There's another spoofed email going around that claims to be from Facebook and asks you to open an attachment to receive a new password," read a post on the Facebook Security page. "This email is fake. Delete it from your inbox, and warn your friends."
Facebook will never send users a new password in an attachment, the post says.
The messages claim to be from Facebook, with a return address that looks legitimate. A message sent twice to a CNN.com staffer reads:
Hey [user's name],McAfee security warned users in a blog post Wednesday that the link is a password stealer that becomes active when the user clicks on it. Once installed, malicious software, or malware, could potentially access all username and password information used on a computer, not just on Facebook, the post said.
Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.
Thanks,
The Facebook Team.
Reports suggest the scheme continued to spread on Friday.
McAfee and Facebook urged users to not open the attachment and immediately delete the message, if up-to-date security software programs don't catch the message first.
source : http://scitech.blogs.cnn.com/2010/03/19/facebook-responds-to-massive-phishing-scheme/