My Koobface / Facebook Roadblock experience

I figured I’d write up my experience with the Facebook Roadblock, as it might come in useful for other people who get locked out.

Last night I noticed Adium started spinning away on my dock, unable to connect to one of its configured networks, which turned out to be Facebook. A few minutes later I closed whatever browser tab I had open, and noticed that the Facebook tab behind it was showing the “Please login to continue” dialog over my previous session. Clicking the login button took me to something I’d not seen before, the Facebook Roadblock:

[Screenshot: The Facebook Roadblock]

After a few minutes of checking the SSL certs, retyping bookmarks, checking for DNS spoofing, and even trying from my iPhone over the 3G data network (which still didn’t work: it instantly logged me out once it loaded and didn’t let me back in), I received an email claiming to be from Facebook. The headers seemed valid too:

Return-Path: <notification+z4o6=[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
  server01.filesanctuary.net
X-Spam-Level:
X-Spam-Status: No, score=-99.0 required=5.0 tests=AWL,BAYES_50,
  DNS_FROM_OPENWHOIS,RCVD_IN_DNSWL_LOW,SPF_PASS,USER_IN_WHITELIST autolearn=no
  version=3.2.4
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from mx-out.facebook.com (outmail013.snc4.facebook.com [66.220.144.145])
  by server01.filesanctuary.net (Postfix) with ESMTP id CF77B315237
  for <[email protected]>; Thu, 28 Oct 2010 19:04:33 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha1; d=facebookmail.com; s=201006181024; c=relaxed/relaxed;
  q=dns/txt; i=@facebookmail.com; t=1288289073;
  h=From:Subject:Date:To:MIME-Version:Content-Type;
  bh=qEIXppA9YVJnzP16lPu8knjBLI4=;
  b=R8irJgwrt6XVn16hAvSUFeIlM++vWMcDyAYhNXrhKnQ6ItFMnyMlWp5Mpop9/8qW
  RBXeIrBlbl9R+MhQ7tTzmYKGcHpDpA4sMc27xKmYwDphIdANX0rgfCfxLzsRwYvJ
  wu+CZxtaBphfkFdMo0RZabSpGN4v5Q0WCW12jqDxKBM=;
Received: from [10.30.185.191] ([10.30.185.191:35133])
  by mta018.snc4.facebook.com (envelope-from <notification+z4o6=[email protected]>)
  (ecelerity 2.2.2.45 r(34222M)) with ECSTREAM
  id F6/5B-27367-13BB9CC4; Thu, 28 Oct 2010 11:04:33 -0700
X-Facebook: from zuckmail ([MTI3LjAuMC4x])
  by localhost.localdomain with local (ZuckMail);
Date: Thu, 28 Oct 2010 11:04:33 -0700
To: "Aaron B. Russell" <[email protected]>
From: Facebook <notification+z4o6=[email protected]>
Reply-to: Facebook <notification+z4o6=[email protected]>
Subject: Security Warning From Facebook
Message-ID: <[email protected]>
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
X-Facebook-Notify: roadblock; mailid=333b85fG1e289220G6f8ad57G7b
Errors-To: notification+z4o6=[email protected]
X-FACEBOOK-PRIORITY: 0
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"

Dear Aaron B. Russell,

We have detected that your Facebook account is infected with a form of
malware, or virus, called Koobface. You downloaded the virus after
receiving a message from a friend, which invited you to view a video.

To restore your account, please log in to Facebook and follow the
instructions you see there. You can also learn more in our Help Centre at:

http://www.facebook.com/help/?topic=koobface

Thanks,
Facebook Security Team
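The header checks done by eye above (SPF result, DKIM signing domain, the relaying host, and where the link in the body actually points) can be scripted. This is an added example, not part of the original post or of any Facebook tooling; the sample message is constructed from the headers quoted above, with addresses, IDs and signature values replaced by placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Facebook signs with facebookmail.com but relays via facebook.com (see the
# post's headers), so both count as legitimate sender domains here.
LEGIT_DOMAINS = ("facebook.com", "facebookmail.com")
# Constructed sample modelled on the post's headers; addresses, ids and
# signature values are placeholders.
SAMPLE = """\
X-Spam-Status: No, score=-99.0 required=5.0 tests=AWL,BAYES_50,
  DNS_FROM_OPENWHOIS,RCVD_IN_DNSWL_LOW,SPF_PASS,USER_IN_WHITELIST autolearn=no
Received: from mx-out.facebook.com (outmail013.snc4.facebook.com [66.220.144.145])
  by mail.example.org (Postfix) with ESMTP id PLACEHOLDER
  for <user@example.org>; Thu, 28 Oct 2010 19:04:33 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha1; d=facebookmail.com; s=201006181024;
  c=relaxed/relaxed; q=dns/txt; i=@facebookmail.com; bh=PLACEHOLDER=;
  b=PLACEHOLDER=;
From: Facebook <notification@facebookmail.com>
Subject: Security Warning From Facebook

To restore your account, log in at http://www.facebook.com/help/?topic=koobface
"""

def _unfold(value):  # join folded continuation lines into one logical header
    return re.sub(r"\r?\n[ \t]+", " ", value or "")

def _in_domain(host, domains):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_notification(raw, domains=LEGIT_DOMAINS):
    msg = message_from_string(raw)
    from_domain = parseaddr(_unfold(msg["From"]))[1].rpartition("@")[2]
    dkim_d = re.search(r"\bd=([^;\s]+)", _unfold(msg["DKIM-Signature"]))
    # The outermost Received hop was written by the recipient's own MTA: trust
    # the reverse-DNS name it put in parentheses, not the sender-chosen HELO name.
    rdns = re.search(r"\(([\w.-]+)\s+\[", _unfold(msg["Received"]))
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    links = re.findall(r"https?://[^\s\"'<>]+", body)
    return {
        "from_is_legit": _in_domain(from_domain, domains),
        "dkim_aligned": bool(dkim_d) and _in_domain(from_domain, (dkim_d.group(1),)),  # d= must match From
        "spf_pass": "SPF_PASS" in _unfold(msg["X-Spam-Status"]),
        "received_from_legit": bool(rdns) and _in_domain(rdns.group(1), domains),
        "links_legit": bool(links) and all(
            _in_domain(urlparse(u).hostname, domains) for u in links),
    }
```

The checks are deliberately independent: a valid DKIM signature only proves which domain signed the mail, so it has to be compared with the From domain and with the domain the body's link lands on.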

Hmm. So I really was locked out. But was I really infected? As I use a Mac, I wondered if I’d been hit by the (supposedly harmless) OSX/Koobface.A virus (Intego Security Memo). But if that was the case, why didn’t VirusBarrier X6 tell me about it? And why didn’t I get the Java applet warning? My mind wandered back a couple of days and I remembered I’d logged in on my Windows 7-based HTPC recently too, so there was a slim chance that I got infected that way.

So off I went to set some scans running. Kaspersky Internet Security finished on the HTPC first due to its relatively small hard disk, but that came back clean, which left only my MacBook Pro as a potential candidate for infection. After discovering just how long it takes to scan a 500 GB hard disk (more than 8 hours)… VirusBarrier told me that it didn’t find anything on my laptop either.

[Screenshot: VirusBarrier says "no virus detected"]

Both Kaspersky Internet Security and VirusBarrier X6 claim to be able to deal with various versions of the Koobface worm/trojan hybrid, but neither of them picked anything up despite having the latest virus definition updates, so my systems seem to be clean. Having checked my systems meant that I was now “allowed” through the Roadblock (Facebook requires you to certify that you’ve checked your system — that said, it’s only a checkbox to tick and you could easily lie, but if you receive genuine reports that your computer appears to be compromised, it’s better not to chance it), and I went through this sequence of steps…

[Screenshots of the Roadblock sequence:]
Facebook give you a few options to prove your identity
I opted for SMS message verification
Facebook then try to educate you about what happened...
... which is a really good idea (despite showing me Windows screenshots when I'm on a Mac)
... and then they forced me to reset my password (also good!)

And then after a confirmation screen, my account was restored.

So… what the hell happened? Well, from what I can tell my machines are not infected, so either my account was compromised, or it was a false alarm (possibly due to Adium’s frequent reconnects to Facebook Chat, because it drops the connection often). Either way, I think Facebook handled this very well from a security point of view. They also offered me a (Windows-only) 6 month free subscription to McAfee VirusScan Plus on the final confirmation screen, but I skipped that as I’m on a Mac and already use Intego VirusBarrier X6; still, it’s good to be offering protection to people who might not be protected.

I’m interested to hear if anyone else has gone through this (especially Mac users), so if you have a similar story to share, please drop me a comment.

11 thoughts on “My Koobface / Facebook Roadblock experience”

  1. I had the same thing, probably getting on for a year ago now. I’m not on a Mac (Windoze) but, yeah, same thing. Ran virus scans and they found nothing.

  2. Received email this am,

    “Dear Beverley Gill,

    We have detected that your Facebook account is infected with a form of malware, or virus, called Koobface. You downloaded the virus after receiving a message from a friend, which invited you to view a video.

    To restore your account, please log in to Facebook and follow the instructions you see there. You can also learn more in our Help Centre at:
    http://www.facebook.com/help/?topic=koobface

    Thanks,
    Facebook Security Team”

    Thinking same was legitimate, clicked on link provided and WHAM! I am now locked out.

    Just about to attempt instructions above … please wish me luck!

    Thank you for letting people know about this.

    B

  3. Hi, I have just read your piece above. Currently I am in Facebook Roadblock and I cannot get past the password reset. It keeps asking me to reset my password. What can I do? Any help would be appreciated. Thanks, Paul

  4. Paul – just to let you know I also got logged out and roadblocked at about the same time as you and have had the same problem for about a week – currently do not know the true cause or correct cure too – seems like there are a number of us with the same problem all stemming from 25 April 2012

  5. Since yesterday I’m also roadblocked. Tried changing my password about 20 times. I tried to reset my account as if I’m hacked etc. etc., but the roadblock keeps coming back!

  6. I am also suffering from this problem. Friends, please give me proper information on how to get out of this FB Roadblock problem. I am very frustrated now.

  7. I have this problem since may 1st! Did anyone find a way to get back in his account?

  8. I don’t know what it is. I have no viruses and there is absolutely nothing on Facebook about this problem. I have tried everything. Tomorrow I am going in to deliver a letter to the CEO of Facebook in Europe. I have no other choice as Facebook have nobody to contact. They must know about this by now.

  9. I also am having this problem as of May 1. Please let me know if any of your issues get resolved.

  10. Just to let you all know, I do suffer from the problems too since 1st of May!

    I am from Germany and I emailed a couple of TV shows in Germany about it! And also contacted Germany’s Facebook, which can be found in Hamburg.
