When the victim submits their credentials, the browser sends a POST request to post.php . A simplified example of what that script looks like:
This is the most common method in "cut-and-paste" kits found on GitHub or hacking forums. facebook phishing post.php code