0/100

high Risk

www.facebook.com

https://www.facebook.com/share/1CHBg6LDA1/?mibextid=wwXIfr

31.13.66.35 · Meta Platforms Ireland Limited

Location

Ashburn, United States

Domain Age

10576 days

HTTP

200 · 23.0s

SSL

Valid· DigiCert Global G2 TLS RSA SHA256 2020 CA1, DigiCert Inc, US

Status

COMPLETED

Redirect Chain (2 hops)

302https://www.facebook.com/share/1CHBg6LDA1/?mibextid=wwXIfr

302https://www.facebook.com/crocs.dominique?mibextid=wwXIfr&rdid=tMAEYxtzUMl3ZAfm&share_url=https%3A%2F%2Fwww.facebook.com%2Fshare%2F1CHBg6LDA1%2F%3Fmibextid%3DwwXIfr

Visual Evidence

Zoom

Title: "Facebook"

Save

Domain Intelligence: facebook.com

Scanned 7 times since Feb 17, 2026, 09:40 AM UTC

⚠ High (70)

Registered-domain escalation

Submit facebook.com as the primary IOC, enriched with evidence from hostile subdomains like www.facebook.com.

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Facebook

Credential Phishing

social_media | technology | finance | ecommerce · 6/3/2026

Summary

This page impersonates Facebook. The final URL redirects to a Facebook login path, but the initial URL and domain are used in a deceptive redirect chain targeting credentials. The page title and UI mirror Facebook, yet the domain shown in the URL path and redirects confirms impersonation. The presence of a login form and password field within a heavily loaded page indicates credential collection intended to harvest user credentials.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸Canonical stage contains password collection UI.

▸POST targets observed during capture: https://www.facebook.com/ajax/qm/?__a=1&__user=0&__comet_req=15&jazoest=22462, https://www.facebook.com/ajax/bz?__a=1&__aaid=0&__ccg=EXCELLENT&__comet_req=15&__hs=20525.HYP%3Acomet_loggedout_pkg.2.1...0&__hsi=7616755734456603747&__req=1&__rev=1035086371&__s=d3rc5o%3A4e5j2i%3Ao6u39d&__spin_b=trunk&__spin_r=1035086371&__spin_t=1773414140&__user=0&dpr=1&jazoest=22462&lsd=AdTqKGvbQSsccI_iYmKIrLRCNro&ph=C3, https://www.facebook.com/ajax/bz?__a=1&__aaid=0&__ccg=EXCELLENT&__comet_req=15&__hs=20525.HYP%3Acomet_loggedout_pkg.2.1...0&__hsi=7616755734456603747&__req=2&__rev=1035086371&__s=d3rc5o%3A4e5j2i%3Ao6u39d&__spin_b=trunk&__spin_r=1035086371&__spin_t=1773414140&__user=0&dpr=1&jazoest=22462&lsd=AdTqKGvbQSsccI_iYmKIrLRCNro&ph=C3.

▸Distinctive asset clues: qm, XpnBUoxX61b.js, l5KU47FcF4wmpFWFuFMNWV-rOay8NTRz1T9DWDYPz6DhfgQe914iiBfONMKn3YhINqU49pVNahkCkvOJ4AbSr5wE.css, OfvwTrxeCQTg8T_6-Yirbb.css, v5VXmIVO8OP.webp, U45qBJmWVHU.webp.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 1

Password fields: 1

Late-stage login UI: No

Resource Signals

Resources: 46

Hosts: 3

Domains: 3

Suspicious Endpoints

hxxps://www[.]facebook[.]com/login/?next=https%3A%2F%2Fwww.facebook.com%2Fcrocs.dominique%3Fmibextid%3DwwXIfr%26rdid%3DtMAEYxtzUMl3ZAfm%26share_url%3Dhttps%253A%252F%252Fwww.facebook.com%252Fshare%252F1CHBg6LDA1%252F%253Fmibextid%253DwwXIfr&rdid=tMAEYxtzUMl3ZAfm

Attack Techniques (4)

Brand impersonation via legitimate-looking Facebook UI on a domain/URL path that redirects to a Facebook loginCredential harvesting form, with password input and a POST target resembling Facebook login endpointsSPA-like resource loading with numerous external assets and scripts to mimic Facebook brandingRedirect chain to a misleading or off-brand URL while rendering a trusted brand’s login interface

Indicators of Compromise (5)

▸DOMAIN: www.facebook.com (brand-implied) but the redirect flow includes crocs.dominique and unusual share_url parameters indicating potential credential capture flow

▸POST target: https://www.facebook.com/ajax/qm/?__a=1&__user=0&__comet_req=15&jazoest=22462 (Facebook-origin endpoints observed, used for credential exfiltration in some phishing flows)

▸POST targets observed: qm and bz endpoints on facebook.com as part of exfiltration trails

▸SSL certificate issued to *.facebook.com by DigiCert Global G2 TLS RSA SHA256 2020 CA1 (legitimate-looking cert) but on a suspicious landing

▸Page HTML shows a login form with password field and a POST route to login with next parameter indicating a redirect to crocs.dominique

Risk AssessmentUsed in abuse reports

Scanner notes indicate a high likelihood of credential harvesting masquerading as Facebook. The page presents a legitimate Facebook login interface, uses a valid DigiCert certificate for facebook domains, and includes a redirect chain that points to a suspicious subpath (crocs.dominique) while preserving Facebook login UI. The presence of a password input, a login form, and heavy external script loading (119 scripts) strengthens the phishing signal. Although the SSL and domain appear Facebook-owned, the redirect and URL path manipulation imply an attempt to harvest credentials under false pretenses. This warrants immediate action to suspend or block the domain/path and alert hosting providers and registrars to prevent victim exposure.

Recommended Action

Monitor

Cross-Reference8

URL Intelligence