Email Password Scam Hits Facebook Users
Experts say a malicious Facebook e-mail password reset scam is making its way around the social networking giant’s 400 million global users. During the assault, detected by researchers at McAfee Labs, users are sent a fake but legitimate-looking e-mail alert warning them that their password needs to be reset. The e-mail comes with an attachment, which users are encouraged to open in order to receive their newly reset password.
Once the attachment has been opened, the user becomes infected with a range of malware, including password-stealing Trojans and fake antivirus designed to steal login credentials and other personally identifying data. Dave Marcus, security research and communications manager for McAfee Labs, said that users should be suspicious that it’s a scam when it promises to provide an unsolicited Facebook password reset.
McAfee’s Global Virus Maps’ Top 10, which tracks consumer threats worldwide, ranks this latest Facebook password attack at No. 6. Thus far, the attack is responsible for as much as 10 percent of the infected e-mail viewed over McAfee’s managed e-mail SaaS unit. Researchers speculate that the spam e-mail could be associated with the notorious Cutwail or Rustock botnets, but further analysis is still required.
Marcus said that this recent Facebook attack is indicative of growing spam and malware threats circulating on Facebook and other social networking sites, as indicated in McAfee’s 2010 Threat Predictions.
“Social networks are going to be one of the biggest lures and biggest targets going forward,” Marcus said. “Facebook has 400 million users. It’s a target-rich environment.”
The easiest way to determine if an e-mail is legitimate is to close your e-mail, open your browser, go to the supposedly affected account (Facebook, credit card, bank, etc.), and log in NORMALLY. Never use a link or attachment provided in an e-mail – even if it is legit.