New ClickFix Cyberattack Targets Facebook Users with Fake Verification Scams to Hijack Accounts

ClickFix Campaign Exploits Fake Facebook Verification to Hijack Accounts

A sophisticated cyberattack known as the ClickFix campaign has emerged, targeting Facebook users by exploiting their desire for verification badges. This scheme employs social engineering tactics to deceive individuals into surrendering their session tokens, granting attackers full access to their accounts.

The Deceptive Strategy

The ClickFix campaign operates by sending messages to users, particularly content creators and business page administrators, offering free verification badges or alerting them to urgent account reviews. These messages contain links that direct recipients to counterfeit Facebook help centers or verification portals, meticulously designed to mirror the authentic Facebook interface.

Upon arrival at these fraudulent sites, users are informed that they have been selected for verification or that their accounts have been flagged for policy violations, creating a sense of urgency. The attackers then guide victims through a series of steps that appear legitimate but are intended to extract their authentication tokens.

The Token Extraction Process

Victims are presented with instructional videos that demonstrate how to open their browser’s developer tools and copy two specific session cookies, namely the ‘c_user’ and ‘xs’ values. They are misled into believing that this process is a standard verification step necessary to confirm their identity.

By obtaining these tokens, attackers can gain complete control over the victim’s Facebook account. This access allows them to change passwords, steal payment information, and impersonate the account holder, leading to potential financial loss and reputational damage.

Campaign Scope and Infrastructure

Since its inception in January 2025, the ClickFix campaign has expanded significantly, with at least 115 distinct phishing pages and eight data collection endpoints identified. The attackers employ a decentralized infrastructure, hosting phishing pages on platforms such as Netlify, Vercel, Wasmer, GitHub Pages, and Surge. This strategy enables them to quickly replace any pages that are taken down, maintaining the campaign’s persistence.

The stolen session tokens are transmitted to separate data collection endpoints, utilizing services like Formspark and submit-form.com. This separation from the phishing pages themselves adds an additional layer of obfuscation, complicating detection efforts.

Attack Flow Analysis

The attack begins with a seamless redirect chain. Users may click on a link from social media promising a free blue badge or claiming their page has been flagged. The initial page displays an animated verification screen with sound effects and timed animations to build credibility.

Once the animation completes, the victim is automatically redirected to a second page that fully impersonates Facebook’s branding, including logos, colors, and official-looking language.

At this stage, prominent red warnings and urgent messaging push the user to continue. The page displays “Action Required” buttons and countdown timers to trigger an immediate response.

The victim is presented with an embedded instructional video that explicitly walks through the manual extraction process. The video shows how to open browser developer tools, navigate to the Storage or Application tab, and copy the exact session cookie values.

This is the critical step where victims voluntarily hand over their authentication tokens.

Once the user enters their ‘c_user’ and ‘xs’ values into a form field, client-side JavaScript checks the pasted values in real time against the format of a legitimate Facebook session before submitting them. This filtering reduces noise on the attacker’s backend and ensures only valid, reusable sessions are captured.

The script includes instructions telling victims not to log out for 24 hours, which keeps the harvested cookies valid long enough for immediate account takeover.

If the initial token theft succeeds, the attacker gains instant access to the account and can begin making changes. However, if the stolen session fails to work later, the attack has fallback options. The fake verification page introduces additional harvesting stages where victims are asked to provide backup or recovery codes.

After these codes are collected, a pop-up appears claiming that additional password verification is needed. This final request tricks users into surrendering their actual Facebook password, completing a full credential harvesting chain that gives attackers multiple ways to regain access even if the session token becomes invalid.
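The exfiltration step described above has a recognisable shape on the network: a form POST that carries both ‘c_user’ and ‘xs’, sent to a third-party form collector, from a page on free static hosting. The following Python is an added, defender-side example (not code from the article or from any vendor) that scores egress-proxy events for that pattern; the host suffix lists and the sample events are constructed assumptions to be tuned to your own intelligence.

```python
import json
from urllib.parse import parse_qs, urlparse

# Cookie names the campaign tells victims to paste into its form.
SESSION_FIELDS = ("c_user", "xs")
# Collector services and free hosting platforms named in the article (assumed suffixes; tune to your intel).
COLLECTOR_HOSTS = ("submit-form.com", "formspark.io")
HOSTING_SUFFIXES = ("netlify.app", "vercel.app", "github.io", "surge.sh")
# Constructed sample egress-proxy events; not real traffic.
SAMPLE_EVENTS = [
    {"src": "10.0.4.21", "url": "https://submit-form.com/abc123",
     "referer": "https://verify-badge.netlify.app/step2",
     "body": "c_user=100012345678901&xs=11%3AabcDEF%3A2%3A1700000000%3A-1&backup="},
    {"src": "10.0.4.21", "url": "https://www.facebook.com/", "referer": "", "body": ""},
    {"src": "10.0.4.33", "url": "https://submit-form.com/contact",
     "referer": "https://www.example.org/contact", "body": "name=Bob&email=bob%40example.org&msg=hi"},
    {"src": "10.0.4.40", "url": "https://forms.example-cdn.net/x",
     "referer": "https://login-review.vercel.app/",
     "body": '{"c_user": "100098765432109", "xs": "22:xyzXYZ:2:1700000000:-1"}'},
]

def host_in(url, suffixes):
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)

def body_fields(body):
    """Field names from a form-encoded or JSON request body (empty set if unparsable)."""
    body = body.strip()
    if body.startswith("{"):
        try:
            data = json.loads(body)
        except ValueError:
            return set()
        return set(data) if isinstance(data, dict) else set()
    return set(parse_qs(body, keep_blank_values=True))

def score_event(ev):
    """Return None, or a dict with severity and the indicators that fired."""
    if not all(f in body_fields(ev.get("body", "")) for f in SESSION_FIELDS):
        return None  # no c_user/xs pair in the body: not this pattern
    reasons = ["request body carries both c_user and xs"]
    if host_in(ev.get("url", ""), COLLECTOR_HOSTS):
        reasons.append("destination is a third-party form collector")
    if host_in(ev.get("referer", ""), HOSTING_SUFFIXES):
        reasons.append("submitting page sits on free static hosting")
    severity = "high" if len(reasons) > 1 else "medium"
    return {"src": ev.get("src"), "url": ev.get("url"), "severity": severity, "reasons": reasons}

def detect(events):
    return [hit for hit in (score_event(ev) for ev in events) if hit]
```

A body carrying the cookie pair alone is already worth a medium alert, since no legitimate site asks users to paste those values; the collector destination and free-hosting referer only raise confidence.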

Protective Measures

To safeguard against such sophisticated phishing campaigns, users are advised to:

– Verify Communications: Be cautious of unsolicited messages offering verification badges or alerting to account issues. Always verify the authenticity of such communications through official channels.

– Avoid Sharing Sensitive Information: Never share session tokens, passwords, or other sensitive information through unverified platforms.

– Enable Two-Factor Authentication (2FA): Implementing 2FA adds an extra layer of security, making it more challenging for attackers to gain unauthorized access.

– Stay Informed: Regularly update yourself on emerging phishing tactics and educate others within your network to recognize and avoid such threats.

By remaining vigilant and adopting robust security practices, users can significantly reduce the risk of falling victim to campaigns like ClickFix.