Cybersecurity firm Kaspersky has issued new warnings about evolving online risks that could leave millions vulnerable to financial losses and data theft. In separate reports released this week, the digital security company detailed how subtle “gray” scam websites are tricking users worldwide and revealed troubling patterns in leaked passwords that make them easy to crack.
“Gray” websites operate in a murky zone between legitimate platforms and outright phishing. Unlike classic credential-stealing attacks, these sites use clever design tricks, urgency tactics, and buried fine print to persuade visitors to surrender money or personal information voluntarily.
Kaspersky’s analysis identified common categories, including bogus browser extensions that secretly track activity, fake investment and crypto platforms promising unrealistic gains, intermediary services for legal or real estate matters that deliver little value, subscription traps with hidden recurring fees, and counterfeit online stores that ship junk or nothing at all.
Newer scams often mimic trendy AI image tools or processing apps, appealing especially to younger users.
The threat varies by region. In Europe, privacy-focused browser add-ons and fake security tools dominate, often hijacking traffic and injecting ads. African users face more financial frauds disguised as trading brokers, while Latin America sees heavy betting-site clones and pyramid schemes.
Asia-Pacific reports a mix of crypto fraud, NFT scams, and risky microloan platforms. In the MENA region and CIS countries, attackers blend polished investment lures with data-harvesting extensions.
Experts note that these sites exploit trust in familiar services rather than relying on malware.
“Suspicious websites may not seem dangerous at first, but they prey on familiarity and quick decisions,” said Kaspersky’s Web Content and Privacy Analysis Expert Anna Larkina.
A single click on what appears to be a helpful AI tool or discounted shop can lead to lost funds or exposed data.
In a separate study timed for World Password Day, Kaspersky examined 231 million unique passwords from major leaks between 2023 and 2026.
The findings are concerning: 68 percent of the passwords can be cracked within a day using modern tools. More than half (53 percent) end with a number, while 17 percent begin with one.
Roughly 12 percent contain date-like sequences, and predictable keyboard patterns such as “1234” or “qwerty” remain common.
Symbols are equally routine—@ appears most often, followed by periods and exclamation marks. Trending terms like “Skibidi” have surged 36-fold, and positive words such as “love,” “magic,” and “angel” appear far more frequently than negative ones.
Even longer passwords offer limited protection when patterns persist.
Kaspersky’s Data Science Team Lead Alexey Antonov explained that attackers exploit these habits to speed up brute-force and AI-assisted attacks.
“Predictable choices dramatically shorten the time needed to guess a password,” he noted.
Kaspersky urges users to create truly random passphrases of at least 16 characters, mixing unrelated words with internal numbers, symbols, and deliberate misspellings.
Kaspersky also advises against placing digits or common symbols at the beginning or end of a password. Users should enable two-factor authentication everywhere and consider reputable password managers for secure generation and storage.
For gray-site protection, verify domain age and reputation, skip unknown extensions, review terms carefully, and use proven security software capable of flagging deceptive platforms.
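The predictable traits listed in the password study can be checked mechanically, for example in a signup form or a password-manager audit. The following Python sketch is an added example, not Kaspersky's code: the function names, the four-key run length, the 1900-2099 year window and the US QWERTY layout are assumptions, and the keyboard check generalizes beyond “1234” and “qwerty” to any run along a keyboard row.

```python
import re

ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")  # assumed US QWERTY layout
COMMON_SYMBOLS = "@.!"  # symbols the study names as most frequent
MIN_LENGTH = 16         # minimum length recommended above

def has_keyboard_walk(pw, run=4):
    """True if pw contains `run` adjacent keys of one row, left-to-right or reversed."""
    low = pw.lower()
    return any(seq[i:i + run] in low
               for row in ROWS for seq in (row, row[::-1])
               for i in range(len(seq) - run + 1))

def has_date_like(pw):
    """True for a year 1900-2099, or a DDMM/MMDD pair followed by two more digits."""
    for digits in re.findall(r"\d+", pw):
        for i in range(len(digits) - 3):
            if 1900 <= int(digits[i:i + 4]) <= 2099:
                return True
        for i in range(len(digits) - 5):
            a, b = int(digits[i:i + 2]), int(digits[i + 2:i + 4])
            if (1 <= a <= 31 and 1 <= b <= 12) or (1 <= a <= 12 and 1 <= b <= 31):
                return True
    return False

def audit(pw):
    """Return the list of predictable traits found in pw (empty list = none found)."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("shorter than 16 characters")
    if pw[-1:].isdigit():
        findings.append("ends with a digit")
    if pw[:1].isdigit():
        findings.append("starts with a digit")
    if pw and (pw[0] in COMMON_SYMBOLS or pw[-1] in COMMON_SYMBOLS):
        findings.append("common symbol at start or end")
    if has_date_like(pw):
        findings.append("date-like sequence")
    if has_keyboard_walk(pw):
        findings.append("keyboard pattern")
    return findings

# Constructed sample passwords, not taken from any leak.
SAMPLES = ["Skibidi2024!", "qwerty1234", "1love150390", "maple7Ghost%tundra-kiwi"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r}: {audit(pw) or 'no listed pattern found'}")
```

An empty result only means none of the listed traits was found; it does not show that the password is random or absent from a leak.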