urlabuse.com

http://urlabuse.com

104.21.20.168 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

911 days

HTTP

200 · 22.4s

SSL

Valid· WE1, Google Trust Services, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "URLAbuse | Open URL abuse blacklist feed"

Save

Domain Intelligence: urlabuse.com

Scanned 2 times since Feb 27, 2026, 07:22 PM UTC

✗ Critical (90)

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

URLAbuse

Data Harvesting

technology | finance | ecommerce | education | other · 4/5/2026

Summary

This page at urlabuse.com purports to be a URL abuse blacklist feed branded as URLAbuse. The page title and metadata clearly indicate the URLAbuse brand, but the domain is urlabuse.com (a legitimate-sounding domain for the brand) and the SSL certificate is current. However, the page shows heavy SPA behavior with dynamic credential collection patterns suggested by the presence of numerous external scripts and a lack of static login forms. The brand is impersonated only insofar as it relies on a branding page that could facilitate abuse data collection; there is no immediate credential phishing infrastructure detected, but the SPA structure and external tracking/loading raise concerns about data exfiltration and misuse of user interaction data.

Attack Techniques (5)

SPA/JS-driven credential capture potential (0 static forms but multiple JS bundles loaded) individual forms rendered client-sideBrand presence via URLAbuse branding in page title and metadataExternal script loading and analytics beacons (zaraz/beacon) to exfiltrate dataCloudflare/WAF presence indicating attempt to obscure full content from scannersDynamic data endpoint (data.json) and POST to /cdn-cgi/rum indicating potential data collection/telemetry channels

Indicators of Compromise (7)

▸Domain: urlabuse.com (IOC)

▸Page title: 'URLAbuse | Open URL abuse blacklist feed' (brand signal)

▸External scripts: https://urlabuse.com/public/js/main.js, jquery.min.js, bootstrap.min.js, and /cdn-cgi/zaraz/s.js indicating SPA and telemetry

▸Network POST to https://urlabuse.com/cdn-cgi/rum? (204) (potential data collection endpoint)

▸Beacons and analytics loaded from https://static.cloudflareinsights.com/beacon.min.js

▸SSL cert valid Jan 16 2026 - Apr 16 2026 (brand domain, recent issuance)

▸Page HTML shows no static forms; SPA renders forms via JavaScript (risk of credential collection)

Risk AssessmentUsed in abuse reports

The site urlabuse.com impersonates or presents itself as a URL abuse/blacklist service under the URLAbuse brand. The page uses SPA techniques with multiple JavaScript assets and telemetry beacons, and loads Cloudflare protections which can indicate active evasion of scanners. There is no explicit phishing form in the static HTML, but the dynamic rendering and data collection endpoints may be used to harvest user interactions or credentials in a hidden or opaque manner. Given the branding alignment and the potential for data exfiltration through the /cdn-cgi/rum and Zaraz beacon channels, this site warrants cautious handling and blocking or takedown actions to prevent misuse of user data and brand confusion.

Recommended Action

Monitor

Cross-Reference8

URL Intelligence