mass.report
Scan Intelligence Report0/100
critical Risk
www.facebook.com
https://www.facebook.com/profile.php?id=61582825777350
IP
57.145.2.1 · Meta Platforms Ireland Limited
Location
Ashburn, United States
Domain Age
10608 days
HTTP
200 · 20.1s
SSL
Valid· DigiCert Global G2 TLS RSA SHA256 2020 CA1, DigiCert Inc, US
Status
COMPLETED
Domain Intelligence: facebook.com
Scanned 5 times since Feb 17, 2026, 09:40 AM UTC
✗ Critical (83)
Registered-domain escalation
Submit facebook.com as the primary IOC, enriched with evidence from hostile subdomains like www.facebook.com.
KB/IOK Matches (0)—
No KB/IOK detections were recorded for this scan.
Technology · 4/29/2026
Summary
The page presents Facebook branding and content but is loaded from a profile path on the official facebook.com domain, with a suspicious modal overlay that resembles a login/credential capture UI. Evidence includes a visible login form in the static HTML, password field, and multiple authentication-related POST endpoints observed to the Facebook AJAX API, which, combined with the screenshot showing a login modal over a profile page, strongly suggests credential collection attempts disguised as a profile view. However, the domain and canonical page URL align with Facebook’s real service, so the page is more correctly categorized as first-party with potential abuse signals rather than a blatant impersonation of an external brand.
Evidence Summary
▸Observed 2 capture stage(s); canonical stage is settled_render.
▸Canonical stage contains password collection UI.
▸POST targets observed during capture: https://www.facebook.com/ajax/qm/?__a=1&__user=0&__comet_req=15&jazoest=22399, https://www.facebook.com/ajax/bz?__a=1&__aaid=0&__ccg=EXCELLENT&__comet_req=15&__crn=comet.fbweb.CometProfilePlusLoggedOutRoute&__hs=20557.HYP%3Acomet_loggedout_pkg.2.1...0&__hsi=7628601307031240790&__req=1&__rev=1037291633&__s=6vzana%3Aa9jp3u%3A163hun&__spin_b=trunk&__spin_r=1037291633&__spin_t=1776172152&__user=0&dpr=1&jazoest=22399&lsd=AdS2EA3jmmDOtwv6lWiFHXsd9uw&ph=C3, https://www.facebook.com/ajax/bz?__a=1&__aaid=0&__ccg=EXCELLENT&__comet_req=15&__crn=comet.fbweb.CometProfilePlusLoggedOutRoute&__hs=20557.HYP%3Acomet_loggedout_pkg.2.1...0&__hsi=7628601307031240790&__req=2&__rev=1037291633&__s=6vzana%3Aa9jp3u%3A163hun&__spin_b=trunk&__spin_r=1037291633&__spin_t=1776172152&__user=0&dpr=1&jazoest=22399&lsd=AdS2EA3jmmDOtwv6lWiFHXsd9uw&ph=C3.
▸Distinctive asset clues: L1AMrcCnsb9.js, KD2qoIa3cH_.js, eszZrMr48hyvL2RA0yebQsTRYaQKhh9KSfgQe914iiBfONMKn3YhINqU49pVNahkCkvOJ4AbSr5wEvx2I9b7Pb8K.css, VLNVMYsRNQ9.webp, 670415567_122142460989094192_4962115321645713095_n.jpg.
Capture
Stages: 2
Canonical: Settled Render
Changed: No
Credential Signals
Forms: 2
Password fields: 2
Late-stage login UI: No
Resource Signals
Resources: 116
Hosts: 7
Domains: 2
Suspicious Endpoints
hxxps://www[.]facebook[.]com/login/device-based/regular/login/?login_attempt=1
Attack Techniques (1)
Branding present on official domain (facebook.com) with impersonation-like login modal overlay
Indicators of Compromise (0)
No specific IOCs identified in source
Risk AssessmentUsed in abuse reports
The scan shows legitimate Facebook branding and page structure with a prominent login modal overlay containing a password field and credential-collection form. While these signals could indicate a credential-phishing attempt, the domain is the official Facebook domain, which reduces impersonation risk. Nonetheless, the presence of a login form and multiple credential-related network calls on a user profile page could be used abusively to harvest credentials if presented in an deceptive context. Recommend monitoring for unusual or deceptive UI overlays that imitate Facebook login outside of canonical login flows, and flag for review if the page is being served in an unusual context or via a redirect path commonly used by phishing campaigns.
Recommended Action
Monitor
Cross-Reference8
URL Intelligence
Domain Intelligence
IP Intelligence
Public threat feed available — JSON API