My dad had a friend send him a video through Facebook Messenger recently. He clicked on it and it led him to what looked like a Facebook login page. Of course it was not Facebook, and he gave his Facebook creds to the hacker. They used them to send more of the same messages from him to all his friends.
The reason that I’m posting this here is that the fake Facebook page was on https://4q(dot)lc. That appears to be a URL shortener for crankyads(dot)cc. Both have a valid cert owned by sni.cloudflaressl.com. The fake Facebook page has been removed since yesterday.
I am new to information security (I work in compliance) and am wondering if someone has some insight on how the malicious page got on that site? Not necessarily specific to this case, but generally how this happens. Just trying to learn more about what is happening in the real work in infosec.