https://www.facebook.com/nawab.khan.640610
31.13.66.35 · Facebook, Inc
Ashburn, United States
10671 days
200 · 21.7s
Valid· DigiCert Global G2 TLS RSA SHA256 2020 CA1, DigiCert Inc, US
COMPLETED
Domain Intelligence: facebook.com
Scanned 9 times since Feb 17, 2026, 09:40 AM UTC
Registered-domain escalation
Submit facebook.com as the primary IOC, enriched with evidence from hostile subdomains like www.facebook.com.
No KB/IOK detections were recorded for this scan.
Technology · 7/19/2026
The page presents Facebook branding and a legitimate-looking login UI within a popup modal over a Facebook profile page. However, the URL shown in the capture is a Facebook user profile (www.facebook.com/nawab.khan.640610) rather than an official Facebook login surface for authentication. The field structure mirrors a login form (email/phone and password) with credential capture indicators in the HTML and network activity showing loginAttempt endpoints and numerous Facebook AJAX calls. While the surface appears to be on the official domain, the evidence suggests a phishing-like login funnel could be present if the UI is rendered to harvest credentials from unsuspecting users; the presence of a login form within a modal on a Facebook page is characteristic of impersonation attempts, though the page could also be a legitimate Facebook content page with embedded login UI in a modal. Given the strong impersonation signals in the UI and the potential for credential harvesting flagged by the credential exfiltration endpoints, the scenario warrants cautious classification as credential phishing in the observed context.
Capture
Stages: 2
Canonical: Settled Render
Changed: No
Credential Signals
Forms: 2
Password fields: 2
Late-stage login UI: No
Resource Signals
Resources: 103
Hosts: 6
Domains: 2
Suspicious Endpoints
hxxps://www[.]facebook[.]com/login/device-based/regular/login/?login_attempt=1
The scan captured a Facebook page highlighting a login modal with credential fields on the official domain, accompanied by sensitive AJAX calls and resource loads that resemble credential-collection behavior. The combination of impersonation signals (Facebook branding on a non-standard user profile path and a prominent login UI) and exfiltration-like endpoints (login_attempt) constitutes actionable indicators of credential phishing potential. The page also shows a mix of legitimate Facebook assets (to blend in) which elevates the risk of victims mistaking it for a legitimate login surface. Given these signals, the risk to end users is high and warrants takedown action or at minimum block and further investigation.
Block URL