0/100

critical Risk

www.facebook.com

https://www.facebook.com/profile.php?id=61585918043299

57.145.2.1 · Meta Platforms Ireland Limited

Location

Ashburn, United States

Domain Age

10612 days

HTTP

200 · 19.9s

SSL

Valid· DigiCert Global G2 TLS RSA SHA256 2020 CA1, DigiCert Inc, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Kaeda Wu | Facebook"

Save

Domain Intelligence: facebook.com

Scanned 5 times since Feb 17, 2026, 09:40 AM UTC

✗ Critical (83)

Registered-domain escalation

Submit facebook.com as the primary IOC, enriched with evidence from hostile subdomains like www.facebook.com.

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Facebook

Credential Phishing

Technology · 4/29/2026

Summary

The page presents Facebook branding and a login UI overlaid by a modal that mimics Facebook's login prompt. However, the URL and page context show an actual Facebook profile path under www.facebook.com, suggesting this could be a first-party page. The screenshot reveals a prominent login dialog titled See more on Facebook with email/phone and password fields, which resembles a credential-collecting surface. Given the strong impersonation signals in the UI and the presence of login fields, this could be used for credential harvesting if hosted on a non-official Facebook page; combined with observed network/activity, it warrants careful verification of first/third-party status. Analyst flagged likely cloaking/evasion behavior for this target. Analyst context noted: Analyst note: this target may cloak content or block scanners.

Evidence Summary

▸Observed 2 capture stage(s); canonical stage is settled_render.

▸Canonical stage contains password collection UI.

▸POST targets observed during capture: https://www.facebook.com/ajax/qm/?__a=1&__user=0&__comet_req=15&jazoest=22361, https://www.facebook.com/ajax/bulk-route-definitions/, https://www.facebook.com/ajax/bz?__a=1&__aaid=0&__ccg=EXCELLENT&__comet_req=15&__crn=comet.fbweb.CometProfileLoggedOutRoute&__hs=20561.HYP%3Acomet_loggedout_pkg.2.1...0&__hsi=7630103110854860482&__req=2&__rev=1037641644&__s=bfa5bu%3Alqzyvj%3Ac287uf&__spin_b=trunk&__spin_r=1037641644&__spin_t=1776521817&__user=0&dpr=1&jazoest=22361&lsd=AdRbZdO_zLEd0OAA2uW6PyqcYgs&ph=C3.

▸Distinctive asset clues: PYzKfCQ42Hg1W1vLMdGzcF5kRDL-pQCUq.js, TzpToI6mn9R.js, 7PKQgmrjcHX42VmFShccSeTRYaQKhh9KSfgQe914iiBfONMKn3YhINqU49pVNahkCkvOJ4AbSr5wEvx2I9b7Pb8K.css, 622411144_122110815957197268_8885096156578881808_n.jpg, aGXvDdYU8wG.webp.

Capture

Stages: 2

Canonical: Settled Render

Changed: No

Credential Signals

Forms: 2

Password fields: 2

Late-stage login UI: No

Resource Signals

Resources: 64

Hosts: 5

Domains: 2

Suspicious Endpoints

hxxps://www[.]facebook[.]com/login/device-based/regular/login/?login_attempt=1

Attack Techniques (4)

Analyst-flagged cloaking/evasion behaviorBrand impersonation via modal login prompt resembling FacebookPresence of password input field and login form in a page that targets Facebook usersUse of off-page or overlay login UI to capture credentials (see 'See more on Facebook' modal with email and password fields)

Indicators of Compromise (7)

▸Page title Kaeda Wu | Facebook

▸Facebook-branded UI elements in HTML source and Open Graph meta

▸Login form in static HTML with POST to /login/device-based/regular/login/?login_attempt=1

▸Multiple external Facebook AJAX endpoints called post/login (qm, bulk-route-definitions, bz)

▸High number of external script loads from static.xx.fbcdn.net and scontent.fbcdn.net

▸Deliberate modal login UI overlay (See more on Facebook) that could capture credentials

▸SSL certificate issued to *.facebook.com (legitimate), but the context shows potential cloaking signals in analyst notes

Risk AssessmentUsed in abuse reports

The page shows concrete login UI elements and credential fields that resemble a legitimate Facebook login prompt, which is a common tactic for credential harvesting. While the hostname www.facebook.com and the page content correlate with Facebook branding, the analyst notes indicate possible cloaking and impersonation risk. The presence of a prominent 'See more on Facebook' modal with email/phone and password fields, along with POST login endpoints, supports potential credential collection behavior. Given the combination of impersonation signals and the possibility of this being a first-party page, this requires confirmation of brand integrity and monitoring for anomalous redirects or form handling. Recommend monitoring and verify domain/source alignment before taking action. Analyst-reported cloaking/evasion suspicion increases confidence that the operator is actively attempting to evade automated security analysis. Analyst context was provided and corroborated during this assessment (Analyst note: this target may cloak content or block scanners.).

Recommended Action

Monitor

Cross-Reference8

URL Intelligence