0/100

high Risk

www.facebook.com

https://www.facebook.com/share/p/1DyWxnu3fz/

57.145.2.1 · Meta Platforms Ireland Limited

Location

Ashburn, United States

Domain Age

10651 days

HTTP

200 · 40.5s

SSL

Valid· DigiCert Global G2 TLS RSA SHA256 2020 CA1, DigiCert Inc, US

Status

COMPLETED

Redirect Chain (2 hops)

302https://www.facebook.com/share/p/1DyWxnu3fz/

302https://www.facebook.com/story.php?story_fbid=122214408812768472&id=61573054160343&rdid=I0COl6XBSZwv2c65&share_url=https%3A%2F%2Fwww.facebook.com%2Fshare%2Fp%2F1DyWxnu3fz%2F

Visual Evidence

Zoom

Title: "Facebook"

Save

Domain Intelligence: facebook.com

Scanned 7 times since Feb 17, 2026, 09:40 AM UTC

⚠ High (70)

Registered-domain escalation

Submit facebook.com as the primary IOC, enriched with evidence from hostile subdomains like www.facebook.com.

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Facebook

Credential Phishing

Technology · 6/3/2026

Summary

The page presents Facebook branding and login UI on a domain that ultimately resolves to www.facebook.com, with a login form and password field observed in static HTML. However, the final URL path and the initial share URL indicate a redirect chain that could be used to lure users to a login surface. Visual evidence from the screenshot shows Facebook’s branding and a login form, which supports credential collection risk, but the domain remains aligned with official Facebook endpoints; still, the observed redirect to a login surface and the presence of a login form in the page content warrant careful assessment for potential impersonation in a phishing context.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸Canonical stage contains password collection UI.

▸POST targets observed during capture: https://www.facebook.com/ajax/qm/?__a=1&__user=0&__comet_req=15&jazoest=22287, https://www.facebook.com/ajax/bz?__a=1&__aaid=0&__ccg=EXCELLENT&__comet_req=15&__hs=20600.HYP%3Acomet_loggedout_pkg.2.1...0&__hsi=7644491143847735517&__req=1&__rev=1040214237&__s=ee474o%3A8il85s%3Aqdkr9y&__spin_b=trunk&__spin_r=1040214237&__spin_t=1779871793&__user=0&dpr=1&jazoest=22287&lsd=AdQYSF1hfn5MxVwv4XMxQWIVCAA&ph=C3&qpl_active_flow_ids=516759801, https://www.facebook.com/ajax/bz?__a=1&__aaid=0&__ccg=EXCELLENT&__comet_req=15&__hs=20600.HYP%3Acomet_loggedout_pkg.2.1...0&__hsi=7644491143847735517&__req=2&__rev=1040214237&__s=ee474o%3A8il85s%3Aqdkr9y&__spin_b=trunk&__spin_r=1040214237&__spin_t=1779871793&__user=0&dpr=1&jazoest=22287&lsd=AdQYSF1hfn5MxVwv4XMxQWIVCAA&ph=C3&qpl_active_flow_ids=516759801.

▸Distinctive asset clues: qm, v_kkAv_-wGQgXdYivvCwsHLMusfBKLXXDK_Rd6f7AdnmbuwCwKe2UxSfoaUWLY9OQlC4NciRbArrlfAozIMNFBkkw1JtOGoHMq0Th14Xk8e9Sku4yAsukPWHDJukWSxxPo7asVjQqltBeBhC8lbkhBm8OTh2otzgdunJl3g9q4pR78qLXs1SqMF6Zses-XSTXFxUbB69VqNNp4Gm1BHl-lElGzTH4Lah-t55E7mOl6Gkjq0OVeavkZc4HIHnCJZCcc2ZP1Mq8wypiAW_bfkF94AKekI-DNhJP3byOureFAdmh5DEndjkC1LYw5WWi7IP1HIUYBqZ4h.js, Vm1EYlw71pU3zxorMJq7_YTRYaQKhh9KST9DWDYPz6DhfgQe914iiBfONMKn3YhINqU49pVNahkCkvOJ4AbSr5wE.css, PSDRf5TMSytg8T_6-Yirbb.css, MtSuoJKZPsV.webp, 83zWJdc6PJI.webp.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 1

Password fields: 1

Late-stage login UI: No

Resource Signals

Resources: 54

Hosts: 3

Domains: 3

Suspicious Endpoints

hxxps://www[.]facebook[.]com/login/?next=https%3A%2F%2Fwww.facebook.com%2Fstory.php%3Fstory_fbid%3D122214408812768472%26id%3D61573054160343%26rdid%3DI0COl6XBSZwv2c65%26share_url%3Dhttps%253A%252F%252Fwww.facebook.com%252Fshare%252Fp%252F1DyWxnu3fz%252F&rdid=I0COl6XBSZwv2c65

Attack Techniques (3)

Brand impersonation signals detected via page title and visual branding matching FacebookCredential harvesting signals: login form and password field presentSPA-like behavior with dynamic UI loading (numerous external script resources) suggesting runtime rendering of credential surface

Indicators of Compromise (8)

▸Page Title: Facebook

▸Hostname: www.facebook.com

▸Login form present with password input

▸POST targets to Facebook AJAX endpoints used for login/session flows

▸External script requests and large number of JS assets loaded

▸URL path includes login surface and redirects to story/content URLs

▸SSL certificate issued to *.facebook.com (DigiCert Global G2 TLS RSA SHA256 2020 CA1) – valid during 2026

▸URL redirect chain: share/p, story.php, login with next parameter

Risk AssessmentUsed in abuse reports

The scan reveals a legitimate Facebook login surface with a password field and credential submission endpoints, and the page appears to be the official Facebook login experience. However, the presence of a share/story redirect chain that lands on a login surface, combined with a high number of external scripts and POST to internal Facebook AJAX endpoints, creates a potential phishing-facing surface, especially if users arrive through a deceptive URL. Given the strong brand signals but the complex redirect, this warrants monitoring for potential impersonation abuse, and the hosting/registration context should be reviewed to confirm whether this is the authentic Facebook login flow or a spoofed page designed to harvest credentials. Recommendation: monitor; no definitive takedown without additional corroborating abuse signals.

Recommended Action

Monitor

Cross-Reference8

URL Intelligence