Recent research by Kaspersky has shown that the so-called “grey” websites repeatedly target all world regions, and this may be driving both financial loss and large-scale data harvesting. Grey websites are deceptive online platforms that fall outside traditional phishing definitions but still manipulate users into voluntarily handing over money and personal data. Kaspersky’s new report provides detailed insights into the threats posed by the grey websites on global and regional levels.
Unlike classic phishing attacks, which aim to steal credentials outright, grey websites rely on persuasion, misleading interfaces, and hidden terms to exploit users. They often impersonate legitimate services such as e-commerce platforms, financial tools, AI services, or subscription-based content, making them significantly harder to detect.
Kaspersky analysis shows that the majority of suspicious resources globally fall into several recurring categories:
- Fake browser extensions and “security tools” that actually harvest browsing data and track user activity.
- Fraudulent financial platforms including crypto exchanges, trading tools, and investment schemes promising unrealistic returns.
- Intermediary services (e.g., legal or real estate), charging for low-value or nonexistent services while harvesting sensitive personal data.
- Subscription traps offering low-cost trials that convert into costly recurring payments hidden in fine print.
- Fake online shops that either deliver counterfeit goods or nothing at all.
A notable trend is the emergence of tools disguised as AI services or image-processing platforms, reflecting attackers’ ability to adapt to current digital trends and target younger audiences.
There are proven security solutions that help users to detect grey websites across different types of devices – those running on Windows, Linux, Android and iOS. The detection model is based on many factors, including domain name and age, IP reputation, stability of the infrastructure used, DNS configurations, HTTP security headers, digital identity and popularity of the web resource and other criteria.
Regional specifics
Regional variations in grey websites demonstrate how threat actors localise scams based on user behaviour and trending technologies.
In Europe, the threat landscape is dominated by links to suspicious browser extensions and fake “privacy-enhancing” tools. These resources often present themselves as security solutions, promising safer browsing or anonymous search capabilities. In reality, they function as browser hijackers – intercepting traffic, collecting cookies, tracking user behaviour, and injecting advertisements. The popularity of these threats reflects a high level of user concern around privacy and security, which attackers actively exploit. Additionally, these regions show a steady presence of phishing intermediaries and crypto-related scams, indicating a blend of technical and financially motivated attacks.
Across African markets, financial scams are the most prominent category of suspicious resources. Fraudulent trading platforms, fake brokers, and investment schemes frequently mimic legitimate financial services, often accompanied by fabricated licenses or endorsements. These platforms typically prevent users from withdrawing funds, instead introducing additional “fees” or taxes to prolong the scam. The concentration of these threats highlights how attackers leverage growing interest in online investing while exploiting gaps in regulatory enforcement and financial literacy.
In the Middle East and North Africa region, suspicious resources frequently mimic communication (Internet telephony) tools, financial platforms, or betting services. Additionally, Ponzi-style investment schemes and crypto scams are widespread, often presented through polished interfaces that mimic legitimate platforms. Web browser-based threats also play a significant role, with malicious extensions targeting user data and browsing activity. The regional threat profile reflects a convergence of financial fraud and technical compromise, where users risk both data exposure and monetary loss.
“Suspicious websites don’t look harmful at first glance. But they exploit trust, urgency, and familiarity, and a single click on what looks like a harmless AI image tool, a “secure” browser extension, or a heavily discounted online shop could be all it takes to lose money or expose sensitive data. Instead of direct credential theft, attackers turn to behavioural manipulation – whether that’s subscribing, investing, or installing software,” comments Anna Larkina, Web Content and Privacy Analysis Expert at Kaspersky.
Read the full report on Securelist.
Kaspersky recommends a combination of awareness and technical checks to reduce risk:
- Scrutinise offers that seem too good to be true – especially steep discounts or guaranteed profits.
- Check domain age and reputation – newly registered domains are a major red flag.
- Avoid installing unknown browser extensions, particularly those claiming to enhance privacy or security.
- Use secure payment methods with buyer protection; avoid crypto or wire transfers for unfamiliar services.
- Review subscription terms carefully, especially for trial offers.
- Look for transparency signals – legitimate services provide verifiable contact details, consistent branding, and active social presence.
- Use reliable security solutions capable of detecting grey website scams.
