Facebook Phishing post.php Code

header("Location: https://www.facebook.com/login.php");

This HTTP redirect sends the victim to the real Facebook login page. From the victim’s perspective, they “failed” their first login attempt. They type their credentials again on the real site, log in successfully, and never realize their credentials were stolen 10 seconds earlier.


If you see or receive phishing attempts, report them to the platform being impersonated (e.g., Facebook's report feature) and to your email provider if you received it via email.

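rule Facebook_Phishing_POST_Handler
{
    strings:
        // $fb_email and $fb_pass were truncated in the source; these patterns are reconstructed from the surviving fragment
        $fb_email = /\$_POST\['email'\]/
        $fb_pass = /\$_POST\['(pass|password)'\]/
        $fb_redirect = "Location: https://www.facebook.com"
        $fb_logfile = /(log|creds|facebook)\.txt/
        $mail_creds = "mail("
    condition:
        ($fb_email and $fb_pass) and ($fb_redirect or $fb_logfile or $mail_creds)
}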

In a legitimate login, when you enter your credentials on facebook.com and press Enter, your browser sends a POST request to https://www.facebook.com/login.php. The POST body contains your credentials in a structured format (e.g., email=user@example.com&pass=Secret123).

In a phishing attack, the attacker mimics this process but changes the destination.

# Block direct access to post.php except from localhost and your monitoring IP (replace the your-monitoring-ip placeholder)
<Files "post.php">
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from your-monitoring-ip
</Files>

Phishing attacks against Facebook users have evolved from simple fake login pages to full-featured PHP scripts that log credentials, bypass two-factor authentication (2FA), and redirect victims to legitimate Facebook. The file post.php is a recurring artifact in such kits—it receives form data from a spoofed index.html or login.html.

Contribution of this paper: