0/100

critical Risk

www.facebook.com

https://www.facebook.com/people/Dato-Talahah/100068912653879/

57.145.2.1 · Meta Platforms Ireland Limited

Location

Ashburn, United States

Domain Age

10611 days

HTTP

200 · 23.1s

SSL

Valid· DigiCert Global G2 TLS RSA SHA256 2020 CA1, DigiCert Inc, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Dato Talahah | Facebook"

Save

Domain Intelligence: facebook.com

Scanned 5 times since Feb 17, 2026, 09:40 AM UTC

✗ Critical (83)

Registered-domain escalation

Submit facebook.com as the primary IOC, enriched with evidence from hostile subdomains like www.facebook.com.

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Facebook

Credential Phishing

Social Media · 4/29/2026

Summary

The page presents Facebook branding on a non-official URL path (a Facebook user profile URL under www.facebook.com/people) with impersonation signals. The page title references 'Dato Talahah | Facebook' while the domain is facebook.com, but the domain intelligence notes impersonation of 'ATO' in the title and a misleading profile page. The HTML shows a login form with password fields and multiple login-related POST requests, suggesting credential collection UI likely rendered via dynamic content. However, the hostname is official Facebook and resources load from Facebook domains, indicating a blend of first-party assets with potential impersonation signals in the observed title. The screenshot indicates a legitimate Facebook login UI overlaid, which strongly suggests credential harvesting behavior if presented under a deceptive context.

Evidence Summary

▸Observed 2 capture stage(s); canonical stage is settled_render.

▸Canonical stage contains password collection UI.

▸POST targets observed during capture: https://www.facebook.com/ajax/qm/?__a=1&__user=0&__comet_req=15&jazoest=22148, https://www.facebook.com/ajax/bz?__a=1&__aaid=0&__ccg=EXCELLENT&__comet_req=15&__crn=comet.fbweb.CometProfilePlusLoggedOutRoute&__hs=20560.HYP%3Acomet_loggedout_pkg.2.1...0&__hsi=7629743647863196969&__req=2&__rev=1037565860&__s=umw5dz%3Apcn0zx%3Asz8n8d&__spin_b=trunk&__spin_r=1037565860&__spin_t=1776438124&__user=0&dpr=1&jazoest=22148&lsd=AdTdGatDnbs5-fMIKAN77PEIWDE&ph=C3, https://www.facebook.com/ajax/bz?__a=1&__aaid=0&__ccg=EXCELLENT&__comet_req=15&__crn=comet.fbweb.CometProfilePlusLoggedOutRoute&__hs=20560.HYP%3Acomet_loggedout_pkg.2.1...0&__hsi=7629743647863196969&__req=3&__rev=1037565860&__s=umw5dz%3Apcn0zx%3Asz8n8d&__spin_b=trunk&__spin_r=1037565860&__spin_t=1776438124&__user=0&dpr=1&jazoest=22148&lsd=AdTdGatDnbs5-fMIKAN77PEIWDE&ph=C3.

▸Distinctive asset clues: sw_S6md_MAb.js, Tv5hyZfGZVT.js, QC7R8HHTVEaAylHlhc2RvNTRYaQKhh9KSfgQe914iiBfONMKn3YhINqU49pVNahkCkvOJ4AbSr5wEvx2I9b7Pb8K.css, VLNVMYsRNQ9.webp, 9O-3VNzla5Q.webp.

Capture

Stages: 2

Canonical: Settled Render

Changed: No

Credential Signals

Forms: 2

Password fields: 2

Late-stage login UI: No

Resource Signals

Resources: 102

Hosts: 6

Domains: 2

Suspicious Endpoints

hxxps://www[.]facebook[.]com/login/device-based/regular/login/?login_attempt=1

Attack Techniques (4)

Credential harvesting UI presented on a page that imitates a social media login flowImpersonation signals in page title / branding vs. official domainSPA-like dynamic content with login form and password fieldExfiltration endpoints observed in network (Facebook AJAX endpoints) but used in a questionable context

Indicators of Compromise (5)

▸Page title impersonates a brand component (ATO) while URL is Facebook

▸Login form with password field present in static HTML

▸Two POST login_attempt requests to Facebook login endpoints

▸Large number of external scripts and heavy resource loading from Facebook CDN domains

▸Credential signals detected: hasLoginForm, hasPasswordField, formCount: 2, passwordInputCount: 2

Risk AssessmentUsed in abuse reports

The scan indicates potential credential phishing targeting Facebook users: the page shows a login form and password field, and network activity includes login-related POST requests to Facebook endpoints. The domain is legitimate Facebook, but the page title signals impersonation of another entity (ATO) within a Facebook context, and the curated evidence notes impersonation signals. This combination suggests a phishing page designed to harvest credentials, leveraging Facebook branding with an impersonation cue in the title. Given the presence of a visible login form and associated exfiltration endpoints, this is actionable abuse evidence, though hosted under a legitimate domain path, which requires careful handling to distinguish first-party Facebook content from impersonation overlays.

Recommended Action

Block URL

Cross-Reference8

URL Intelligence