0/100

high Risk

www.facebook.com

https://www.facebook.com/share/g/18ZcDfbBFs/

31.13.66.35 · Meta Platforms Ireland Limited

Location

Ashburn, United States

Domain Age

10629 days

HTTP

200 · 23.5s

SSL

Valid· DigiCert Global G2 TLS RSA SHA256 2020 CA1, DigiCert Inc, US

Status

COMPLETED

Redirect Chain (2 hops)

302https://www.facebook.com/share/g/18ZcDfbBFs/

302https://www.facebook.com/groups/802594847059797/?ref=share&rdid=QrJHShMVAtHs3wDK&share_url=https%3A%2F%2Fwww.facebook.com%2Fshare%2Fg%2F18ZcDfbBFs%2F

Visual Evidence

Zoom

Title: "Facebook"

Save

Domain Intelligence: facebook.com

Scanned 7 times since Feb 17, 2026, 09:40 AM UTC

⚠ High (70)

Registered-domain escalation

Submit facebook.com as the primary IOC, enriched with evidence from hostile subdomains like www.facebook.com.

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Facebook

Credential Phishing

technology | social_media · 6/3/2026

Summary

The page presents Facebook branding (login UI, logos, and UI copy) on www.facebook.com, but the URL path and redirect chain originate from a share link that can resemble a phishing lure. The final page shows a login form with password field and external scripts, suggesting credential capture risk. Evidence indicates impersonation signals through visual branding and login UI, supported by the screenshot and the presence of a legitimate Facebook login surface on the domain, though the initial URL is a share URL that redirected to a login surface. Overall, the data supports credential phishing signals rather than benign first-party content.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸Canonical stage contains password collection UI.

▸POST targets observed during capture: https://www.facebook.com/ajax/qm/?__a=1&__user=0&__comet_req=15&jazoest=22297, https://www.facebook.com/ajax/bz?__a=1&__aaid=0&__ccg=EXCELLENT&__comet_req=15&__hs=20578.HYP%3Acomet_loggedout_pkg.2.1...0&__hsi=7636548572577690472&__req=1&__rev=1038839325&__s=tkk296%3Arro12b%3Axa292z&__spin_b=trunk&__spin_r=1038839325&__spin_t=1778022519&__user=0&dpr=1&jazoest=22297&lsd=AdQ0UyauYCa5dLd7EoQYcF8IRio&ph=C3&qpl_active_flow_ids=516759801, https://www.facebook.com/ajax/bz?__a=1&__aaid=0&__ccg=EXCELLENT&__comet_req=15&__hs=20578.HYP%3Acomet_loggedout_pkg.2.1...0&__hsi=7636548572577690472&__req=2&__rev=1038839325&__s=tkk296%3Arro12b%3Axa292z&__spin_b=trunk&__spin_r=1038839325&__spin_t=1778022519&__user=0&dpr=1&jazoest=22297&lsd=AdQ0UyauYCa5dLd7EoQYcF8IRio&ph=C3&qpl_active_flow_ids=516759801.

▸Distinctive asset clues: qm, mCvv7IrNUfH.js, 5ap-aTRCbGmgFd55t3qUpATRYaQKhh9KST9DWDYPz6DhfgQe914iiBfONMKn3YhINqU49pVNahkCkvOJ4AbSr5wE.css, OWh9Qs8kfEVg8T_6-Yirbb.css, aGXvDdYU8wG.webp, U45qBJmWVHU.webp.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 1

Password fields: 1

Late-stage login UI: No

Resource Signals

Resources: 54

Hosts: 3

Domains: 3

Suspicious Endpoints

hxxps://www[.]facebook[.]com/login/?next=https%3A%2F%2Fwww.facebook.com%2Fgroups%2F802594847059797%2F%3Fref%3Dshare%26rdid%3DQrJHShMVAtHs3wDK%26share_url%3Dhttps%253A%252F%252Fwww.facebook.com%252Fshare%252Fg%252F18ZcDfbBFs%252F&rdid=QrJHShMVAtHs3wDK

Attack Techniques (4)

Brand impersonation with legitimate login UISPA-like dynamic credential capture surface (login form rendered via scripts)Redirect chain to login surface from a share URLExfiltration endpoints observed targeting Facebook AJAX login pathways

Indicators of Compromise (9)

▸Page title: Facebook

▸Hostname: www.facebook.com

▸Login form with password field present in DOM

▸POST requests to Facebook login AJAX endpoints (qm and bz endpoints)

▸Redirects leading to /login with next parameter targeting a group share URL

▸External script resources loaded from Facebook CDN domains

▸SSL certificate valid for *.facebook.com (Meta)

▸Screenshot shows Facebook login UI and branding on a page not directly at a standard login URL

▸High number of external script requests (69+)

Risk AssessmentUsed in abuse reports

The scan shows a credential collection surface using Facebook branding and a login form on a URL path that originates from a share link. The presence of a password field and login POST endpoints on a page that visually imitates Facebook login strongly indicates a credential phishing setup aimed at harvesting Facebook credentials. Although the domain is Facebook, the redirect chain and share-based referrer strongly suggest abuse aimed at credential theft. Recommend treating as phishing risk and initiating takedown/containment actions if corroborated by abuse teams.

Recommended Action

Suspend Domain

Cross-Reference8

URL Intelligence