Facebook will only ever ask for your password on facebook.com . Phishing sites often use lookalikes like face-book-security.xyz or login-portal-auth.com .
Attackers Use Facebook Infrastructure for Phishing - Abnormal AI facebook phishing postphp code
Instead of storing on the server, credentials are instantly emailed to a burner account. This allows the attacker to wipe the server logs and leave no trace on the disk. Facebook will only ever ask for your password on facebook
"An Analysis of Facebook Phishing Attacks and Prevention using PHP" facebook phishing postphp code