A cousin of mine got a new laptop from his place of work. The laptop is a nice 14.4" HP with Windows XP on it.
He found that when he visited Facebook, the site looked a bit odd, and when he logged in, the URL was redirecting to various other URLs.
After some digging, it was apparent that typing "www.facebook.com" or just "facebook.com" was redirecting him to one of the fake sites above. He downloaded and ran several malware/spyware removal programs, but none of them fixed the problem.
Further digging using the ping command showed that instead of the real Facebook site, the fake site was hosted on a residential ADSL IP address in Tirana, Albania! The address is 220.127.116.11.
The way this site manages to fool people into thinking it is Facebook is that somehow the hosts file in Windows got changed, so the malicious IP address serves a fake copy of the Facebook login page.
This technique used by criminals is called pharming.
To check whether you are affected by this, open the file C:\Windows\System32\Drivers\etc\hosts on your Windows XP machine and make sure it contains only the localhost entry (127.0.0.1 localhost) and no entries for Facebook (or PayPal, eBay, or other popular sites requiring passwords):
On a computer affected by the attack, you will have entries that look like this:
18.104.22.168 localhost
22.214.171.124 facebook.com
126.96.36.199 www.facebook.com
The solution is to restore the "localhost" entry to 127.0.0.1 and remove all other entries in the file for any web sites.
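The check and the fix described above, as an added example (not part of the original post): a small Python script that parses hosts-file text, flags a localhost entry that does not point at a loopback address and any watched site mapped to a non-loopback address, and produces the repaired file. The sample content is constructed from the entries quoted above; the host name ads.blocked.example stands in for a Spybot-style 127.0.0.1 block entry, which is harmless and is kept.

```python
import ipaddress

# Sites the post names as common pharming targets (www. variants included).
WATCHED = {"facebook.com", "www.facebook.com", "paypal.com", "www.paypal.com",
           "ebay.com", "www.ebay.com"}

def is_loopback(ip):
    """True for 127.0.0.0/8 or ::1; a malformed address counts as suspicious."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()

def scan_hosts(text):
    """Return (hostname, ip, reason) findings that point to a hosts-file hijack;
    127.0.0.1 entries for other names (Spybot-style blocking) are not flagged."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" and not is_loopback(ip):
            findings.append((name, ip, "localhost not mapped to loopback"))
        elif name in WATCHED and not is_loopback(ip):
            findings.append((name, ip, "watched site redirected"))
    return findings

def repair_hosts(text):
    """Apply the fix from the post: restore localhost to 127.0.0.1, keep comments
    and loopback block entries, drop every other name-to-address mapping."""
    kept = ["127.0.0.1 localhost"]
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            kept.append(raw)            # comment or blank line, kept verbatim
            continue
        names = [n for n in fields[1:] if n.lower() != "localhost"]
        if is_loopback(fields[0]) and names:
            kept.append(fields[0] + " " + " ".join(names))
    return "\n".join(kept) + "\n"

# Constructed sample reproducing the entries the post describes on the laptop.
SAMPLE = """18.104.22.168 localhost
22.214.171.124 facebook.com
126.96.36.199 www.facebook.com
127.0.0.1 ads.blocked.example  # Spybot-style block entry, harmless
"""
```

Running scan_hosts(SAMPLE) reports three findings (the fake localhost and both Facebook entries), and scan_hosts(repair_hosts(SAMPLE)) reports none.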
The irony is that malware removal programs such as Spybot insert many known-bad sites into the hosts file mapped to 127.0.0.1 to protect against such hijacks, yet Spybot left the fake IP address for Facebook in the file, and even the fake entry for localhost.
It could be that my cousin's place of work is using a master image of Windows that was previously infected by some other means, whether an unpatched Windows installation put on the internet, a visit to a site distributing malware via ads, or any of the many other ways malware is spread ...