Considering nearly 2 billion people actively use Facebook each month, there’s a great chance that you’re one of them. Which means you are a target for cybercriminals.

That’s because they constantly scour heavily populated sites, looking for new victims.

You might see where I’m headed here. Yep, there is a new scam making the rounds on Facebook and it’s extremely sneaky.

Have you ever seen a Facebook post offering you the chance to see who has been viewing your profile? Other posts might claim to show when someone “unfriends” you.

Some of these posts are more diabolical in nature. One example gives users the chance to steal passwords of other Facebook users. Although it’s immoral, this software might be enticing to someone wanting to check up on an ex-boyfriend or ex-girlfriend.

Beyond the moral implications, downloading these types of software is a terrible idea. Most are full of malicious code that will infect your gadget with malware or, ironically, steal YOUR credentials.

Researchers with LMNTRIX Labs recently discovered Facebook stealing password software that infects a user’s gadget with a remote access trojan (RAT). It’s been dubbed “Instant Karma.”

The research team told Techcrunch, “This appears very widespread and growing. We classified this as an ongoing malicious campaign with the threat actors actively marketing it as ‘Facebook Password Stealer’ or, more innocuously, ‘Facebook Password Recovery.’

“The attackers also seem to be sophisticated marketers who understand there is potentially big demand for the purported service and are distributing the sample via spam, ad campaigns, pop-ups, bundled software, porn sites and also some times as standalone software.”

After users download the software and run it, they are asked to enter their own login information. Then they must enter the URL of the users’ account they want to break into.

Finally, they click a button labeled, “Hack.” Clicking that link is when RAT is installed on the users’ gadgets. The following is an example of what it looks like: