New research by Kaspersky shows that so-called “gray” websites repeatedly target all world regions, and that this may be driving both financial loss and large-scale data harvesting. Gray websites are deceptive online platforms that fall outside traditional phishing definitions but still manipulate users into voluntarily handing over money and personal data. Kaspersky’s new report provides detailed insights into the threats posed by gray websites at the global and regional levels.
Unlike classic phishing attacks, which aim to steal credentials outright, gray websites rely on persuasion, misleading interfaces, and hidden terms to exploit users. They often impersonate legitimate services such as e-commerce platforms, financial tools, AI services, or subscription-based content, making them significantly harder to detect.
Kaspersky analysis shows that the majority of suspicious resources globally fall into several recurring categories:
- Fake browser extensions and “security tools” that actually harvest browsing data and track user activity
- Fraudulent financial platforms including crypto exchanges, trading tools, and investment schemes promising unrealistic returns
- Intermediary services (e.g., legal or real estate), charging for low-value or nonexistent services while harvesting sensitive personal data
- Subscription traps offering low-cost trials that convert into costly recurring payments hidden in fine print
- Fake online shops that either deliver counterfeit goods or nothing at all


[Image: Examples of gray websites]
A notable trend is the emergence of tools disguised as AI services or image-processing platforms, reflecting attackers’ ability to adapt to current digital trends and target younger audiences.
Proven security solutions help users detect gray websites across different types of devices – those running Windows, Linux, Android and iOS. The detection model is based on many factors, including domain name and age, IP reputation, stability of the infrastructure used, DNS configurations, HTTP security headers, the digital identity and popularity of the web resource, and other criteria.
Regional specifics
Regional variations in gray websites demonstrate how threat actors localize scams based on user behavior and trending technologies.
In Europe, the threat landscape is dominated by links to suspicious browser extensions and fake “privacy-enhancing” tools. These resources often present themselves as security solutions, promising safer browsing or anonymous search capabilities. In reality, they function as browser hijackers – intercepting traffic, collecting cookies, tracking user behavior, and injecting advertisements. The popularity of these threats reflects a high level of user concern around privacy and security, which attackers actively exploit. Additionally, the region shows a steady presence of phishing intermediaries and crypto-related scams, indicating a blend of technical and financially motivated attacks.
Across African markets, financial scams are the most prominent category of suspicious resources. Fraudulent trading platforms, fake brokers, and investment schemes frequently mimic legitimate financial services, often accompanied by fabricated licenses or endorsements. These platforms typically prevent users from withdrawing funds, instead introducing additional “fees” or taxes to prolong the scam. The concentration of these threats highlights how attackers leverage growing interest in online investing while exploiting gaps in regulatory enforcement and financial literacy.
Latin America stands out for its high concentration of betting-related scams and financial pyramid schemes. Fake betting platforms – both clones of legitimate brands and entirely fabricated services – are widely used to lure users with promotions and bonuses. Alongside these, “investment programs” promise rapid returns, often targeting younger and mobile-first audiences. These scams are frequently combined with browser-based threats, including extensions disguised as crypto tools or AI services.
The Asia-Pacific region exhibits a diverse and technically sophisticated threat landscape. It includes crypto-related fraud and NFT scams, along with a mix of fake antivirus tools, high-risk microloan platforms, and suspicious download services. These threats frequently combine financial exploitation with data harvesting, exposing users to both financial loss and privacy violations.
In the Middle East and North Africa region, suspicious resources frequently mimic communication (internet telephony) tools, financial platforms, or betting services. Additionally, Ponzi-style investment schemes and crypto scams are widespread, often presented through polished interfaces that mimic legitimate platforms. Web browser-based threats also play a significant role, with malicious extensions targeting user data and browsing activity. The regional threat profile reflects a convergence of financial fraud and technical compromise, where users risk both data exposure and monetary loss.
Across the Commonwealth of Independent States (CIS) region, the threat landscape is heavily skewed toward crypto-related scams and fraudulent trading platforms. These promise easy profits and automated investment tools, but ultimately aim to steal funds or sensitive data such as wallet credentials and private keys. The report also highlights the presence of services offering social media automation or follower boosting, which can serve as entry points for broader malicious activity.
“Suspicious websites don’t look harmful at first glance. But they exploit trust, urgency, and familiarity, and a single click on what looks like a harmless AI image tool, a “secure” browser extension, or a heavily discounted online shop could be all it takes to lose money or expose sensitive data. Instead of direct credential theft, attackers turn to behavioral manipulation – whether that’s subscribing, investing, or installing software,” comments Anna Larkina, Web Content and Privacy Analysis Expert at Kaspersky.
Read the full report on Securelist.
Kaspersky recommends a combination of awareness and technical checks to reduce risk:
- Scrutinize offers that seem too good to be true – especially steep discounts or guaranteed profits
- Check domain age and reputation – newly registered domains are a major red flag
- Avoid installing unknown browser extensions, particularly those claiming to enhance privacy or security
- Use secure payment methods with buyer protection; avoid crypto or wire transfers for unfamiliar services
- Review subscription terms carefully, especially for trial offers
- Look for transparency signals – legitimate services provide verifiable contact details, consistent branding, and active social presence
- Use reliable security solutions capable of detecting gray website scams