example-phishing-001
This URL is a credential-harvesting phishing page impersonating PayPal. The domain is on a low-trust TLD (.tk), uses a typosquatted brand name (paypa1 instead of paypal), serves over HTTP without encryption, and 4 of 7 consulted threat-intel sources independently flag the host as malicious.
If you enter a password on this page, attackers harvest the credentials and use them to log into your real PayPal account within minutes — often before you notice.
We checked this URL against six independent signals. The strongest evidence was a typosquatted brand name combined with a .tk hosting TLD — both patterns that legitimate businesses simply do not use. Four antivirus engines on VirusTotal independently flagged the URL, and the hosting IP has been seen by other ThreatAI users serving phishing pages this month. No source disagreed with the malicious verdict; one source (WHOIS) couldn't contribute because .tk hides registration data, which we accounted for by not weighting it. The verdict is 'malicious' with very high confidence (92%). If you got this link in an email, report it and don't click. If you already entered a password, rotate it and turn on two-factor authentication.
Hostname contains 'paypa1' (digit 1 substituted for letter l) — a classic visual-spoof pattern for PayPal.
The .tk TLD is free to register and heavily abused for short-lived phishing infrastructure.
Page is served plain HTTP. Legitimate financial logins use TLS in 100% of cases.
VirusTotal reports 4/89 engines (4.5%) classified this URL as malicious or phishing. Low-volume detections in this category are still meaningful for fresh phishing kits.
Resolved IP 185.234.219.42 has an AbuseIPDB confidence score of 32% from 7 reports in the last 90 days.
.tk WHOIS does not expose registration dates publicly, a common evasion pattern. Domain freshness could not be confirmed.
Each source carried a weight in the final confidence score. Sources marked "no data" or "n/a" contributed nothing — they couldn't skew the verdict either way.
The full step-by-step trace. Inputs are summarized and redacted where sensitive; full payloads stay in your account and can be deleted per row.
Step 1. Input: URL: http://paypa1-secure-login.tk/verify
        Output: 4 findings: HTTP-not-HTTPS (high), .tk TLD (high), brand impersonation 'paypa1' (critical), credential-page path (info).
Step 2. Input: VirusTotal URL lookup (base64-encoded URL ID)
        Output: 4/89 engines flagged as malicious or phishing. Categories returned: 'phishing', 'malicious'. Reputation score: -42.
Step 3. Input: DNS → 185.234.219.42; AbuseIPDB check, 90-day window.
        Output: Abuse confidence 32%, 7 reports, ISP listed as 'Stark Industries Solutions Ltd', usage type 'Data Center'. Not whitelisted.
Step 4. Input: SHA-256(hostname) prefix lookup; SHA-256(ip) lookup.
        Output: URL hash: not seen in last 30 days (k-anon floor not yet reached). IP hash: 3 community observations in last 14 days, all flagged 'phishing-host'.
Step 5. Input: Findings from steps 1–4 + memory recall of similar past verdicts.
        Output: Verdict: malicious, confidence 0.92. Sources in agreement (structural + VT + graph). Hosting IP soft-corroborates. Recommendation list assembled.

One row per third-party touched. We name every destination and what we sent.
ThreatAI never executes these actions for you. You stay in control of what happens to your accounts.
We show what your investigation cost in tokens and dollars — same number we charge against your quota.