Facebook, one of the most popular ways to connect with people, is fast becoming a haven for spammers. In March, nearly 400 million Facebook users were reported to have received malicious spam messages which, once clicked, were automatically passed on through friends lists.

The messages appear to come from Facebook, with a return address that looks legitimate but has been spoofed, such as help@facebook.com. The messages contain malicious software designed to steal passwords and other data, according to security researchers at McAfee. The messages say that the user’s Facebook password has been reset and the user should download an attachment that contains the new password. The English-language messages are grammatically correct, but contain an odd sign-off: ‘Thanks, Your Facebook’.

The spam is believed to have been sent from botnets called Cutwail and Rustock. Botnets are groups of computers controlled by hackers and often used for malicious activity such as sending spam or conducting denial-of-service attacks against websites.

On its site, Facebook warns users not to respond to these emails, adding, ‘Facebook will never request your password and we do not advise giving your login information to anyone under any circumstances.’  Facebook also has a link advising users on how to keep their account more secure, such as never opening suspicious mails, having a strong password and running anti-virus software.