
Kaspersky Exposes Web Filtering Category for Sites with Undefined Trust Levels


"A suspicious website is a web resource that cannot be definitively classified as phishing, but whose activities are unsafe," Kaspersky writes, and it has added a new detection class to prove the point.

Kaspersky adds an "undefined trust level" to consumer products

Kaspersky has introduced a new web-filtering category, “Sites with an undefined trust level,” into its products including Kaspersky Premium and its Android and iOS apps. The detection model evaluates domain name and age, IP reputation, infrastructure stability, DNS configuration, HTTP security headers and SSL certificates to flag resources that are manipulative or otherwise unsafe. The vendor says the component is on by default and that Kaspersky has been certified as a provider of effective protective technology for fake shop detection.

The anatomy of a suspicious website: visual, payment and technical clues

The company lists clear, checkable signals readers can use. Visual and manual clues include strange domains filled with numbers or random characters, cheap top-level domains such as .xyz, .top and .shop, poor visuals and copied templates, pressure tactics like countdown timers, and missing or unverifiable contact details. Payment options limited to cryptocurrency, wire transfers or irreversible P2P payments are singled out as particularly risky.

Technical checks recommended by Kaspersky include WHOIS lookups for recent registration (domains under six months are suspect for e-commerce or investment sites), IP-reputation and hosting stability checks, inspection of DNS records (NS, MX, SPF, DMARC), HTTP security headers such as Content-Security-Policy and HSTS, and validation of the SSL certificate via the browser padlock. The guidance even points users to browser tools — for example, Google Chrome’s site information dialog — to view certificate and connection details.

January 2026 regional snapshot: fake extensions dominate, financial scams persist

Using anonymized detections from January 2026, Kaspersky finds that fraudulent browser extensions masquerading as security products are the most widespread threat: detected in 9 of the 10 regions analyzed. An intermediary image‑processing server (reported as *a*o*.com) appeared in 9 regions and accounted for 40.80% of detections in Russia, 21.70% in Latin America and 14.64% in the CIS, but only 0.24% in Canada.

Other multi‑region cases include a fake antivirus extension landing page (*n*s*.com) most common in South Asia (33.31%) and present at roughly 15% in Canada and Oceania; and a privacy‑branded hijacker (*w*a*.com) with the largest share in MENA (22.25%) and sizable presence in Canada (16.26%). Kaspersky reports that the majority of globally detected suspicious sites are browser hijackers that intercept data, inject ads and swap search engines.

Regional patterns vary. In Africa over 90% of the top 10 suspicious sites are online trading scam platforms, with three domains — *i*r*.world (60.27%), *m*a*.com (22.84%) and *e*p*.com (9.36%) — dominating the list. Latin America’s most common threats skew toward betting and Ponzi-style schemes (examples include *b*e*.net at 10.81% and *r*e*.club at 7.82%). East Asia shows a concentration of fake brokers and crypto‑gaming platforms (e.g., *r*x*.com at 18.77%, and a crypto‑gaming site at 16.44%), while the CIS is driven by fake trading platforms and engagement‑inflating bots (for example *r*a*.bar at 39.50% in the CIS and 15.93% in Russia). Russia’s own list includes binary‑options imitations and deceptive e‑learning subscriptions (e.g., *n*m*.top at 7.84%).

Tools and immediate steps for users and defenders

Kaspersky recommends several practical tools and actions that mirror its detection model. Public services such as ScamAdviser and APIVoid can provide WHOIS, server‑location and reputation signals; national government blacklists are additional reference points. If you suspect a scam site, the company advises contacting your bank or payment provider to block transactions, changing compromised passwords and running a full antivirus scan — and reporting the domain to consumer‑protection or cybercrime agencies. For defenders, Kaspersky’s checklist — domain age, IP reputation, DNS, HTTP headers and SSL — provides a concise triage for web resources under review.
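The technical checks and the defender triage checklist described above, sketched as an added Python example; it is not Kaspersky's detection model or code. It works offline on observations collected beforehand (WHOIS creation date, DNS answers, raw response headers, certificate dates) and leaves out IP reputation, which needs an external feed. The field names, the 30% digit-ratio cut-off and both sample records are assumptions.

```python
from datetime import date

# The TLD list, six-month threshold and record/header names come from the article;
# field names, the digit-ratio cut-off and the sample records are assumptions.
CHEAP_TLDS = {"xyz", "top", "shop"}
YOUNG_DAYS = 183  # "under six months"
HEADERS = ("content-security-policy", "strict-transport-security")
TXT_CHECKS = (("SPF", "txt", "v=spf1"), ("DMARC", "dmarc_txt", "v=dmarc1"))

def parse_headers(raw):
    """Parse a raw HTTP header block into a lower-cased name -> value map."""
    pairs = (line.partition(":") for line in raw.splitlines())
    return {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}

def triage(obs, today):
    """Return checklist findings for one set of pre-collected observations."""
    findings = []
    label, _, tld = obs["domain"].lower().rstrip(".").rpartition(".")
    if tld in CHEAP_TLDS:
        findings.append(f"cheap TLD .{tld}")
    name = label.split(".")[-1]  # assumes a single-label TLD, ignores subdomains
    if name and sum(c.isdigit() for c in name) / len(name) >= 0.3:
        findings.append("digit-heavy domain label")
    if (today - obs["created"]).days < YOUNG_DAYS:
        findings.append("registered under six months ago")
    if not obs["mx"]:
        findings.append("no MX record")
    for tag, key, prefix in TXT_CHECKS:
        if not any(t.lower().startswith(prefix) for t in obs[key]):
            findings.append(f"no {tag} record")
    present = parse_headers(obs["raw_headers"])
    findings += [f"missing header {h}" for h in HEADERS if h not in present]
    if not obs["cert_not_before"] <= today <= obs["cert_not_after"]:
        findings.append("certificate outside validity period")
    return findings

# Constructed observations (not real sites); dmarc_txt holds TXT from _dmarc.<domain>.
TODAY = date(2026, 2, 1)
SUSPECT = dict(domain="deal7731902.top", created=date(2025, 12, 10), mx=[], txt=[],
               dmarc_txt=[], raw_headers="Server: nginx\r\nContent-Type: text/html",
               cert_not_before=date(2025, 12, 10), cert_not_after=date(2026, 3, 10))
ESTABLISHED = dict(domain="bookshop.example", created=date(2014, 5, 2),
                   mx=["mail.bookshop.example"], txt=["v=spf1 mx -all"],
                   dmarc_txt=["v=DMARC1; p=reject"],
                   raw_headers="Content-Security-Policy: default-src 'self'\r\n"
                               "Strict-Transport-Security: max-age=31536000",
                   cert_not_before=date(2025, 11, 1), cert_not_after=date(2026, 11, 1))
for site in (SUSPECT, ESTABLISHED):
    print(site["domain"], triage(site, TODAY))
```

A finding here is a prompt for review, not a verdict: plenty of legitimate sites lack a Content-Security-Policy header or a DMARC record, which is why the article treats these as signals to combine.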

What this means for security teams, end users, and regulators

  • Security teams and technologists: incorporate automated checks for domain age, IP reputation and missing security headers into web‑filtering and monitoring tools; the “undefined trust level” model underscores the value of combining visual and infrastructure signals.
  • End users and consumers: watch for short‑lived domains, odd TLDs (.xyz/.top/.shop), limited payment methods and pressure tactics; keep real‑time security software enabled and use the browser’s certificate and connection dialogs before entering payment data.
  • Policymakers and regulators: the regional concentration of trading, betting and Ponzi sites suggests targeted enforcement and consumer education campaigns could address the primary causes of financial loss and data harvesting.

Kaspersky’s category and the default warnings it deploys are a pragmatic response to a landscape where many sites do not overtly steal credentials but still trick users into handing over money or data. Its January 2026 regional breakdown shows the threat is both global and locally specialized — fake security extensions and image‑upload intermediaries on one hand, and regionally tailored trading, betting and subscription scams on the other. The defensive checklist Kaspersky offers — a mix of visual scrutiny and simple technical checks — is a usable starting point; the rest, the company cautions, is individual vigilance.
