An email scam is targeting AOL customers in an attempt to steal personal
details, according to web monitoring company Websense.
Users receive a spoofed email purporting to come from the security department
at AOL claiming that the company suffered a security breach over the weekend and
that confidential information may have been compromised.
The email also asks users to connect to a website to download and install
a new 'security patch', which will 'protect their information'. The spoofed
message reads:
'Failure to download this security patch in the next 48 hours will result
in the temporary suspension of your America Online account. At this point we
will send you a Security Patch CD in the mail. Upon installing it, your account
will be reactivated.'
When users click on the link, they are redirected to a website hosted in
Scotland which downloads a piece of malicious code, named patch.scr, written in
Visual Basic and using Yoda Crypt.
When the file is run, a wizard opens to guide users through the disclosure of
their confidential account and billing information, including their account
limit. Once this information is obtained, it is sent in a text file via FTP to
an account at a hosting facility.
Ross Paul, product marketing manager at Websense, said: "This is a blended
threat that we haven't seen before. It combines the threat of a security breach
with a link to a download that masquerades as a patch but in fact requests
sensitive user information.
"The kind of questions it asks should alert you to the fraud because your
provider already has those details."