Netcraft Toolbar Help Pages

Frequently Asked Questions

Toolbar Questions

General Questions

What is the Netcraft Toolbar?

The Netcraft anti-phishing system consists of a user interface implemented as a toolbar (a small program that is active whenever the user is using a web browser) and central servers, able to respond quickly to large numbers of requests as each user moves around the web. The central servers are managed by Netcraft and hold the information about URLs and sites provided by the Toolbar community and Netcraft.

I use the Google Toolbar. Can I use the Netcraft Toolbar as well?

Yes. Several people at Netcraft use both the Google and Netcraft Toolbars simultaneously and it seems to be fine.

What if I find a Phishing URL that I cannot report?

There are a number of situations where you will not be able to report a URL directly using the toolbar, including, but not limited to:

If you encounter a URL which you cannot report, please send the entire phishing mail message as a MIME attachment to scam@netcraft.com and we will investigate.

Exactly what types of URL should I report as phishing?

We define a phishing URL as one that is attempting to impersonate a site operated by an organisation with which the victim of the phishing attempt has an existing relationship, in order to obtain passwords or other personal information for use in some type of fraud.

This does not include sites such as fake banks, fake escrow sites, fake online shops, fake courier companies and so on, unless those sites are attempting to impersonate a site operated by a specific real organisation. Even if such sites are attempting to gather personal information or credit card details, we do not count them as phishing sites unless a specific real organisation is being impersonated.

For example, we would block a site attempting to impersonate the site of the First Hawaiian Bank, because the First Hawaiian Bank is a real bank. We would not block a site claiming to be the First National Bank of East Cheam, because that is a fictional bank rather than a fake site impersonating a real bank.

We can only consider sites that we can verify by examining the page content. This excludes parked and unavailable domains which mimic the domain names of real banks and other organisations.

We will also block URLs that return malicious or virus infested executable files, but only if either BitDefender or ClamAV detects a problem with the executable.

How does the Risk Rating work?

The Risk Rating displayed by the Netcraft Toolbar offers a further level of protection against new sites that are not yet in Netcraft's database.

westernpoint

The above example shows a web site used to gather victims for laundering the proceeds of phishing frauds. Although the site contains sumptuously plausible content, the Netcraft Toolbar assigns a high Risk Rating because it is hosted under a newly registered domain, the site has never been seen in the Netcraft Web Server Survey, and the Chinanet Hebei Province network has hosted a number of fraud sites in the past.

Hosting a web site on an unusual port number will also increase the Risk Rating, as will hosting a site from a raw IP address, as many phishing sites employ this tactic. The Risk Rating can be calculated fast enough to be performed for arbitrary sites as people visit them, and does not rely on manual categorization.

Why does the toolbar give my bank a high Risk Rating?

Fraudsters occasionally exploit weaknesses in a bank's own web site to make it appear as if a phishing site is genuinely hosted under the bank's domain name, or a domain of one of its Internet banking sites. Banks that support frauds against their customers in this way are given a higher Risk Rating accordingly. A bank's web site may be exploitable by fraudsters if it exhibits cross-site scripting vulnerabilities or provides open redirects to external web sites.

How is the Risk Rating calculated?

Many factors contribute to the risk rating of each site. The dominant factor for most sites is the age of the domain name in which the site appears. Domain names that have never been seen in the Netcraft Web Server Survey are given a high risk rating, since many phishing sites and relatively few legitimate sites fall into this category.

Other factors which can influence the risk rating include:

Will Netcraft know which pages I visit?

No - Netcraft have no way of knowing which pages you visit when using the Toolbar. We do, however, collect the names of the web sites visited by our users in order to provide popularity ranking information and contextual reports for the site bring browsed.

In order to protect the privacy of organizations' internal networks the Netcraft Toolbar does not transmit information about sites on IANA private addresses.

What does it mean when the toolbar says "New Site"?

new site

"New Site" means the site you are currently visiting has not been seen before by the Netcraft Web Server Survey. This indicates that the site is very new and should be considered less trustworthy than other sites. Since most phishing sites spring up overnight and disappear just as quickly, you should be extremely suspicious if you see this when visiting what you believe to be a trustworthy site.

Why are some Site Report dates in the future?

The "First Seen" date corresponds to the first month in which the site appears in the Netcraft Web Server Survey. Thus, towards the end of a month, it may be possible to see some sites where the "First Seen" date appears to be in the future.

Why are some Site Report values "unknown"?

The Domain Registrar, Organisation, and Nameserver Organisation fields in the Site Report are only maintained for websites with a Site Rank higher than 1 million. Sites not in the top 1 million may display a value of "unknown" if we do not have up-to-date information available.

Why does the Site report list companies unrelated to the site owner?

Many companies do not register their sites directly, but let their ISP to register them on their behalf. Since this makes it hard to find out who is responsible for a particular site, most banks now register their sites directly, under their own name. Also, busy sites distribute their content across many servers, managed by a specialist company like Akamai - if such a company shows in a Site report, it suggests the site is popular but probably not designed to conduct financial transactions.

How does the toolbar cope with DNS poisoning?

The toolbar displays the location of a site's IP address based on the information provided by your computer. If your local DNS cache was "poisoned" such that the Suntrust web site (http://www.suntrust.com) pointed to an IP address located in Russia, then the toolbar would report the site as being located in Russia.

pharming demo

The screenshot depicts a poisoned DNS entry set up to direct www.suntrust.com to the Netcraft web site. The toolbar thus reports that the site is hosted in the UK.

Will the toolbar work if I am using a transparent proxy?

The Netcraft Toolbar functions correctly with ordinary web proxies. A small number of Internet Service Providers (ISPs) use transparent proxies to route your web page requests. This could cause the toolbar to report a web site as belonging to your ISP, however, this is quite a rare occurrence.

How do we find out the Most Visited Web Sites?

Domains visited by the Toolbar community are collected anonymously and used to produce a list of the top 100 most visited websites. These rankings depict an accurate view of the most popular web sites viewed by users of the Netcraft Toolbar.

Which browsers support the Netcraft Toolbar?

The Netcraft Toolbar is available for Mozilla Firefox only: no other web browsers are supported at the moment. If you have upgraded from a version of Firefox which is older than 1.1, you will need to download and install the new toolbar.

I have a problem with the Firefox version of the toolbar

Before reporting any bugs, please ensure that you are using the latest version of the Netcraft Toolbar. Firefox users can check for updates by selecting Tools > Extensions from the Firefox menu and right clicking on the Netcraft Toolbar extension.

How do I uninstall or repair the toolbar?

The Firefox version of the toolbar can be uninstalled using the Firefox Extensions Manager ("Tools" > "Extensions").

Why is the Netcraft Toolbar warning about a safe website?

There are several reasons why you may receive a warning about a website you know to be harmless. The toolbar has several built-in safety checks that will alert you if a URL contains suspicious characters, or a page is possibly susceptible to Cross-Site Scripting (XSS) attacks. In these cases, if you are sure that the website poses no threat, you can ignore the warning by clicking 'Yes' to the warning dialog.

Alternately, the toolbar warning may be a genuine error on our part. If you believe that the toolbar has incorrectly classified a safe site as a phishing attack, you can let us know by using the 'Report Incorrectly Blocked URL' link on the toolbar menu. You can also access the form directly.

The toolbar will only ever warn you about suspicious websites by displaying a warning dialog; it will never cause the site to stop responding or display a 'file not found' page. Please be certain that the toolbar is displaying such a warning before contacting us.

What do I do if the Firefox version of Netcraft Toolbar is 'offline'?

If your toolbar is appearing as 'offline', please try the following solution:

The toolbar should now work as intended.

What is phishing?

Phishing is a name derived from the notion of "fishing for information", and "phreaking", which was an eighties term used for people who hacked phone networks and systems to gain access to free calls, or control over parts of the telephony system. It is a simple concept, which is to try to trick people into disclosing their bank account details, so that the attacker may then log in to the person's Internet bank and withdraw their savings.

Organisations which are not banks, but which have accounts that allow the customer to administer money or other tokens of value are also affected; this includes credit card companies, credit unions, exchanges, and some Internet retail sites. Amazon, PayPal, Visa, and eBay are some non-bank sites that have been attacked to date.

Phishing is a highly scalable and attractive opportunity for fraudsters; many people in the civilised world now have Internet enabled bank accounts, and under normal circumstances they offer a more pleasant and convenient user experience than visiting a bank branch or telephoning a bank call centre. Many businesses also have Internet enabled bank accounts, and a very significant amount of wealth is accessible via web based banking systems, typically protected by a username and password and other textual tokens supplied over the web by the account holder.

The technology required to construct a phishing fraud is minimal. Conventionally, the fraudster constructs an html mail message with forged mail headers indicating that the mail has come from the bank, and asks for the recipient to confirm their bank account username and password. To make the request appear more authentic, the mail usually links to a web server that opens a new window with the bank's own site (not a copy, but the actual site), and asks for the account details in a separate window, hosted on the attacker's server.

There are no publicly available dependable statistics on how many of a bank's customers receiving phishing mails respond to them, but the fact that the largest UK banks have taken their entire banking sites offline during some phishing attacks indicates that the fraudsters are enjoying a non-trivial degree of success. There has been speculation that phishing may drive Internet banking off the Internet until the banks re-engineer their systems to require an additional level of security that cannot be compromised in this fashion, such as a one-time password generated by a SecureID card or equivalent operation.

Who are Netcraft?

Netcraft is an Internet services company based in Bath, England. Netcraft is funded through retained profit and derives its revenue in the following ways:

Netcraft has a cosmopolitan client list, spread through the UK, the USA, mainland Europe, the Middle East, Asia Pacific and Latin America. Clients include British Telecom, Capita, John Lewis, Lloyd's of London, Microsoft, Northern Rock, the 2010 and 2012 Olympic Games, Rackspace, Skype and VeriSign.

http://www.oreillynet.com/pub/wlg/3605
"I've thought for a long time that Netcraft represents a real revolution in market research. Firms like Gartner can tell you what they think people are going to do. Folks like Netcraft can tell you what people are actually doing." Tim O'Reilly, August 2003.

http://dotnet.sys-con.com/node/33855
"It's no surprise that someone of the caliber of Bob Metcalfe, inventor of Ethernet and co-founder of 3com, should have called Netcraft 'cool'." Linuxworld, July 2003.

I have a question that is not answered here. Who do I send it to?

Please send it to toolbar@netcraft.com.


Copyright © Netcraft Ltd. 2012