
Compromised session tokens enable instant Facebook account takeover, threatening high‑value creator and brand pages and amplifying the financial and reputational risk for businesses.
The ClickFix campaign illustrates a shift from traditional credential‑phishing to pure social engineering, exploiting users’ trust in Meta’s verification processes. By masquerading as badge‑granting or policy‑appeal portals, attackers bypass technical vulnerabilities entirely, instead coaxing victims to reveal active session cookies through developer‑tool instructions. This method yields high‑value, replayable tokens that grant immediate access without the need for password resets, making it especially lucrative for threat actors targeting high‑profile creators and monetized Facebook pages.
Technically, the operation leverages a resilient, multi‑layered infrastructure. Phishing fronts are scattered across abuse‑friendly hosting services—Netlify, Vercel, Wasmer, GitHub Pages, Surge, Cloudflare Pages, and Neocities—allowing rapid redeployment when takedowns occur. Collected tokens are decoupled from the visible pages via serverless form backends such as Formspark and submit‑form.com, obscuring the true exfiltration endpoints. Advanced variants incorporate IP profiling and geolocation checks, delivering tailored instructional videos and even direct email exfiltration for non‑proxy users, demonstrating a sophisticated, adaptive threat model.
For defenders, the campaign underscores the need to monitor beyond conventional login‑page phishing. Alerts should trigger on any page requesting c_user or xs cookie values (the session cookies the attackers replay), especially when framed as verification, appeal, or badge confirmation. Threat‑intel teams must track abuse‑friendly host patterns and reusable page titles to pre‑empt infrastructure expansion. Blocking serverless form endpoints and employing real‑time token validation can dramatically reduce successful hijacks, protecting both individual creators and enterprise brand assets from rapid account takeover and subsequent misuse.
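As an added illustration of the detection rule described above (example code, not from the original article), the following Python flags any page that asks for c_user or xs values and raises the severity when the verification/appeal framing and the named hosting and form‑backend infrastructure also match. The host and backend domain suffixes and the two sample pages are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosting services the article names as abuse-friendly fronts (suffixes are assumptions).
FRONT_HOSTS = ("netlify.app", "vercel.app", "wasmer.app", "github.io",
               "surge.sh", "pages.dev", "neocities.org")
# Serverless form backends the article names as exfiltration hops (assumed endpoints).
FORM_BACKENDS = ("formspark.io", "submit-form.com")
# Lures the article describes: verification, appeal, badge confirmation.
FRAMING = ("verification", "verified badge", "appeal", "badge confirmation", "confirm your")
# Facebook session cookie names quoted in the article; "xs" is short, so it is
# matched as a whole word only and never alerts on its own at high severity.
COOKIE_RE = re.compile(r"\b(c_user|xs)\b")

def analyse_page(url: str, html: str) -> dict:
    """Return the indicators found in a page plus a verdict (none/medium/high)."""
    host = urlparse(url).hostname or ""
    text = html.lower()
    cookies = sorted(set(COOKIE_RE.findall(html)))
    actions = re.findall(r'action=["\']([^"\']+)', html, flags=re.I)
    findings = {
        "cookie_names": cookies,
        "framing": [k for k in FRAMING if k in text],
        "front_host": any(host == h or host.endswith("." + h) for h in FRONT_HOSTS),
        "form_backend": [a for a in actions if any(b in a for b in FORM_BACKENDS)],
    }
    # Any request for session cookie values is alert-worthy; the campaign's
    # framing plus its infrastructure pattern escalates it.
    if not cookies:
        findings["verdict"] = "none"
    elif findings["framing"] and (findings["front_host"] or findings["form_backend"]):
        findings["verdict"] = "high"
    else:
        findings["verdict"] = "medium"
    return findings

# Constructed sample pages (not real campaign artefacts).
PHISH_URL = "https://meta-badge-appeal.netlify.app/verify"
PHISH_HTML = """<title>Meta Verification Appeal</title>
<p>To confirm your verified badge, open developer tools and paste the value
of your c_user and xs cookies below.</p>
<form action="https://submit-form.com/example-id"><input name="xs"></form>"""
BENIGN_URL = "https://docs.example.com/cookies"
BENIGN_HTML = "<title>Cookie policy</title><p>We use analytics cookies.</p>"

if __name__ == "__main__":
    print(analyse_page(PHISH_URL, PHISH_HTML))
    print(analyse_page(BENIGN_URL, BENIGN_HTML))
```

In a proxy or URL‑scanning pipeline the same function can run over fetched page bodies, with the host and backend lists fed from threat‑intel tracking of the campaign's reusable infrastructure.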