Facebook remains the most impersonated brand in phishing attacks. This paper dissects a prevalent technique: phishing kits hosted on compromised servers that use a file named post.php to capture login credentials. We analyze the code structure, exfiltration methods, evasion tactics, and propose detection rules (SIGMA/YARA) and server-side countermeasures. Empirical analysis of 150 live phishing kits reveals that 83% use predictable POST handlers like post.php with minimal obfuscation. We conclude with a deployable response framework.
<?php // Simple form handler example
Sending data to external databases or Telegram bots using cURL requests. facebook phishing postphp code