Netcraft Toolbar Help Pages

Frequently Asked Questions

Toolbar Questions

General Questions

What is the Netcraft Toolbar?

The Netcraft anti-phishing system consists of a user interface implemented as a toolbar (a small program that is active whenever the user is using a web browser) and central servers, able to respond quickly to large numbers of requests as each user moves around the web. The central servers are managed by Netcraft and hold the information about URLs and sites provided by the Toolbar community and Netcraft.

I use the Google Toolbar. Can I use the Netcraft Toolbar as well?

Yes. Several people at Netcraft use both the Google and Netcraft Toolbars simultaneously and it seems to be fine.

Why can't I use the MSN toolbar and the Netcraft Toolbar?

We have found that one of the components of the MSN toolbar has compatibility issues with the Netcraft toolbar. this component can be disabled with no apparent negative repercussions.

To disable this component,

Netcraft is actively investigating this problem. This incompatibility will be addressed in a future release of the Netcraft Toolbar.

What if I find a Phishing URL that I cannot report?

There are a number of situations where you will not be able to report a URL directly using the toolbar, including, but not limited to:

If you encounter a URL which you cannot report, please send the entire phishing mail message as a MIME attachment to scam@netcraft.com and we will investigate.

Exactly what types of URL should I report as phishing?

We define a phishing URL as one that is attempting to impersonate a site operated by an organisation with which the victim of the phishing attempt has an existing relationship, in order to obtain passwords or other personal information for use in some type of fraud.

This does not include sites such as fake banks, fake escrow sites, fake online shops, fake courier companies and so on, unless those sites are attempting to impersonate a site operated by a specific real organisation. Even if such sites are attempting to gather personal information or credit card details, we do not count them as phishing sites unless a specific real organisation is being impersonated.

For example, we would block a site attempting to impersonate the site of the First Hawaiian Bank, because the First Hawaiian Bank is a real bank. We would not block a site claiming to be the First National Bank of East Cheam, because that is a fictional bank rather than a fake site impersonating a real bank.

We can only consider sites that we can verify by examining the page content. This excludes parked and unavailable domains which mimic the domain names of real banks and other organisations.

We will also block URLs that return malicious or virus infested executable files, but only if either BitDefender or ClamAV detects a problem with the executable.

How does the Risk Rating work?

The Risk Rating displayed by the Netcraft Toolbar offers a further level of protection against new sites that are not yet in Netcraft's database.

westernpoint

The above example shows a web site used to gather victims for laundering the proceeds of phishing frauds. Although the site contains sumptuously plausible content, the Netcraft Toolbar assigns a high Risk Rating because it is hosted under a newly registered domain, the site has never been seen in the Netcraft Web Server Survey, and the Chinanet Hebei Province network has hosted a number of fraud sites in the past.

Hosting a web site on an unusual port number will also increase the Risk Rating, as will hosting a site from a raw IP address, as many phishing sites employ this tactic. The Risk Rating can be calculated fast enough to be performed for arbitrary sites as people visit them, and does not rely on manual categorization.

Why does the toolbar give my bank a high Risk Rating?

Fraudsters occasionally exploit weaknesses in a bank's own web site to make it appear as if a phishing site is genuinely hosted under the bank's domain name, or a domain of one of its Internet banking sites. Banks that support frauds against their customers in this way are given a higher Risk Rating accordingly. A bank's web site may be exploitable by fraudsters if it exhibits cross-site scripting vulnerabilities or provides open redirects to external web sites.

How is the Risk Rating calculated?

Many factors contribute to the risk rating of each site. The dominant factor for most sites is the age of the domain name in which the site appears. Domain names that have never been seen in the Netcraft Web Server Survey are given a high risk rating, since many phishing sites and relatively few legitimate sites fall into this category.

Other factors which can influence the risk rating include:

Will Netcraft know which pages I visit?

No - Netcraft have no way of knowing which pages you visit when using the Toolbar. We do, however, collect the names of the web sites visited by our users in order to provide popularity ranking information and contextual reports for the site bring browsed.

In order to protect the privacy of organizations' internal networks the Netcraft Toolbar does not transmit information about sites on IANA private addresses, or for sites in the Local intranet zone (Internet Explorer version only.)

What does it mean when the toolbar says "New Site"?

new site

"New Site" means the site you are currently visiting has not been seen before by the Netcraft Web Server Survey. This indicates that the site is very new and should be considered less trustworthy than other sites. Since most phishing sites spring up overnight and disappear just as quickly, you should be extremely suspicious if you see this when visiting what you believe to be a trustworthy site.

Why are some Site Report dates in the future?

The "First Seen" date corresponds to the first month in which the site appears in the Netcraft Web Server Survey. Thus, towards the end of a month, it may be possible to see some sites where the "First Seen" date appears to be in the future.

Why does the Site report list companies unrelated to the site owner?

Many companies do not register their sites directly, but let their ISP to register them on their behalf. Since this makes it hard to find out who is responsible for a particular site, most banks now register their sites directly, under their own name. Also, busy sites distribute their content across many servers, managed by a specialist company like Akamai - if such a company shows in a Site report, it suggests the site is popular but probably not designed to conduct financial transactions.

How does the toolbar cope with DNS poisoning?

The toolbar displays the location of a site's IP address based on the information provided by your computer. If your local DNS cache was "poisoned" such that the Suntrust web site (http://www.suntrust.com) pointed to an IP address located in Russia, then the toolbar would report the site as being located in Russia.

pharming demo

The screenshot depicts a poisoned DNS entry set up to direct www.suntrust.com to the Netcraft web site. The toolbar thus reports that the site is hosted in the UK.

Will the toolbar work if I am using a transparent proxy?

The Netcraft Toolbar functions correctly with ordinary web proxies. A small number of Internet Service Providers (ISPs) use transparent proxies to route your web page requests. This could cause the toolbar to report a web site as belonging to your ISP, however, this is quite a rare occurrence.

How do we find out the Most Visited Web Sites?

Domains visited by the Toolbar community are collected anonymously and used to produce a list of the top 100 most visited websites. These rankings depict an accurate view of the most popular web sites viewed by users of the Netcraft Toolbar.

What do I do when the toolbar/address bar is displayed incorrectly?

The display of the toolbar, address bar and other elements of Internet Explorer can sometimes become confused and may overlap or be otherwise obscured. This can be fixed by:

  1. Right-click on the toolbar area and ensure that the menu option "Lock the Toolbars" does not have a tick next to it. This may require selecting the option to toggle it off. IE Toolbars
  2. Once the toolbars are unlocked, a "grab bar" will appear to the left of each browser element that can be moved. Click on these and drag the bars to arrange them as you wish. Grab Bar
  3. Right-click again on the toolbar area and select "Lock the Toolbars" to prevent them from being accidentally moved after you have arranged them. Lock toolbars

How can I make the Netcraft Toolbar coexist on the same line as other toolbars?

Using the Internet Explorer version of Netcraft Toolbar, select the Options item from the Netcraft menu and use the Toolbar Display Width slider to reduce the size of the toolbar. This will allow the toolbar to fit on the same line as other toolbar, providing you have enough screen space to accommodate the resized toolbar. You will need to restart the browser after changing this setting.

Which browsers support the Netcraft Toolbar?

The Netcraft Toolbar is available for Microsoft Internet Explorer and Mozilla Firefox. No other web browsers are supported at the moment. Two downloads are available for Firefox - one for version 1.1 or greater, and one for earlier versions. If you have upgraded from a version of Firefox which is older than 1.1, you will need to download and install the new toolbar.

How can I help diagnose toolbar beta problems?

If you would like to assist us in diagnosing the cause of any problem associated with the Internet Explorer version of the toolbar, please follow this procedure:

  1. Determine whether the problem still remains after a reboot of the machine
  2. Use Regedit to set the following registry key (as REG_SZ):
    HKEY_CURRENT_USER\Software\Netcraft\Toolbar\Settings\Debug = "1"
  3. Reproduce the error to create the debug log
  4. Email the contents of "C:\Documents and Settings\your_login\Local Settings\Application Data\Netcraft\Toolbar\blocked.log" to toolbar@netcraft.com. This file may contain details of URLs which you have previously visited, so you may wish to empty the file before reproducing the error.

If you are having problems with the Firefox version of the toolbar, try the following:

  1. If the toolbar immediately tries to remove itself, simply install it again over the top of the old version.
  2. If the toolbar does not show up, check it is enabled in the View > Toolbars menu.
  3. In the unexpected event of Firefox not starting up after installing the Netcraft Toolbar, run Firefox in safe mode, remove the offending extensions and try again.

I have a problem with the Firefox version of the toolbar

Before reporting any bugs, please ensure that you are using the latest version of the Netcraft Toolbar. Firefox users can check for updates by selecting Tools > Extensions from the Firefox menu and right clicking on the Netcraft Toolbar extension.

How do I uninstall or repair the toolbar?

The Internet Explorer version of the toolbar can be removed by selecting the Uninstall Toolbar option from the Netcraft Toolbar menu.

uninstall

You may now uninstall the toolbar by following the on screen prompts. You can also repair an installation of the toolbar by selecting the Repair Netcraft Toolbar option.

uninstall

The Firefox version of the toolbar can be uninstalled using the Firefox Extensions Manager ("Tools" > "Extensions").

Why is the Netcraft Toolbar warning about a safe website?

There are several reasons why you may receive a warning about a website you know to be harmless. The toolbar has several built-in safety checks that will alert you if a URL contains suspicious characters, or a page is possibly susceptible to Cross-Site Scripting (XSS) attacks. In these cases, if you are sure that the website poses no threat, you can ignore the warning by clicking 'Yes' to the warning dialog.

Alternately, the toolbar warning may be a genuine error on our part. If you believe that the toolbar has incorrectly classified a safe site as a phishing attack, you can let us know by using the 'Report Incorrectly Blocked URL' link on the toolbar menu. You can also access the form directly.

The toolbar will only ever warn you about suspicious websites by displaying a warning dialog; it will never cause the site to stop responding or display a 'file not found' page. Please be certain that the toolbar is displaying such a warning before contacting us.

How can I stop the Toolbar warning me about a site I trust?

Please note that the toolbar does not prevent access to websites - the toolbar only ever warns about sites and allows you to make the decision whether to continue.

If the Toolbar warns you about a site that you trust then it is likely that the site is using techniques which are indistinguishable from a cross-site scripting (XSS) attack. Since the toolbar recognises such techniques, you will be presented with a warning. Feel free to ignore the warning if you are sure that the site is safe.

You can prevent the toolbar from presenting such warnings in the future by adding the site to your "Trusted sites" or "Intranet zone", accessible from the Tools -> Options menu in Internet Explorer and clicking on the Security tab. You should be careful when adding sites to your Trusted Sites list as this enables other features of Internet Explorer for that site which may be a security risk. You should only add a site to your Trusted Sites list if you are confident that the site and its content are entirely trustworthy. You may want to increase the security level of your trusted sites zone.

For more information about Trusted Sites see http://support.microsoft.com/kb/174360.

What do I do if the Firefox version of Netcraft Toolbar is 'offline'?

If your toolbar is appearing as 'offline', please try the following solution:

The toolbar should now work as intended.

What is phishing?

Phishing is a name derived from the notion of "fishing for information", and "phreaking", which was an eighties term used for people who hacked phone networks and systems to gain access to free calls, or control over parts of the telephony system. It is a simple concept, which is to try to trick people into disclosing their bank account details, so that the attacker may then log in to the person's Internet bank and withdraw their savings.

Organisations which are not banks, but which have accounts that allow the customer to administer money or other tokens of value are also affected; this includes credit card companies, credit unions, exchanges, and some Internet retail sites. Amazon, PayPal, Visa, and eBay are some non-bank sites that have been attacked to date.

Phishing is a highly scalable and attractive opportunity for fraudsters; many people in the civilised world now have Internet enabled bank accounts, and under normal circumstances they offer a more pleasant and convenient user experience than visiting a bank branch or telephoning a bank call centre. Many businesses also have Internet enabled bank accounts, and a very significant amount of wealth is accessible via web based banking systems, typically protected by a username and password and other textual tokens supplied over the web by the account holder.

The technology required to construct a phishing fraud is minimal. Conventionally, the fraudster constructs an html mail message with forged mail headers indicating that the mail has come from the bank, and asks for the recipient to confirm their bank account username and password. To make the request appear more authentic, the mail usually links to a web server that opens a new window with the bank's own site (not a copy, but the actual site), and asks for the account details in a separate window, hosted on the attacker's server.

There are no publicly available dependable statistics on how many of a bank's customers receiving phishing mails respond to them, but the fact that the largest UK banks have taken their entire banking sites offline during some phishing attacks indicates that the fraudsters are enjoying a non-trivial degree of success. There has been speculation that phishing may drive Internet banking off the Internet until the banks re-engineer their systems to require an additional level of security that cannot be compromised in this fashion, such as a one-time password generated by a SecureID card or equivalent operation.

Who are Netcraft?

Netcraft is an Internet services company based in Bath, England. Netcraft is funded through retained profit and derives its revenue in the following ways:

Netcraft has a cosmopolitan client list, spread through the UK, the USA, mainland Europe, the Middle East, Asia Pacific and Latin America. Clients include Aegon, American Express, AMP, Britannic, British Telecom, Cable & Wireless, Capita, Credit Suisse, Dell, Deloitte & Touche, Energis, Elsevier Science, GCHQ, Hewlett Packard, IBM, Intel, Interland, John Lewis, Lloyds of London, Macromedia, Microsoft, Morgan Stanley, Northern Rock, Oracle, Rackspace, Securicor, Sun Microsystems, Verisign, Virgin, Visa, and Vodafone.

http://www.oreillynet.com/pub/wlg/3605
"I've thought for a long time that Netcraft represents a real revolution in market research. Firms like Gartner can tell you what they think people are going to do. Folks like Netcraft can tell you what people are actually doing." Tim O'Reilly, August 2003.

http://linux.sys-con.com/story/33855.htm
"It's no surprise that someone of the caliber of Bob Metcalfe, inventor of Ethernet and co-founder of 3com, should have called Netcraft 'cool'." Linuxworld, July 2003.

I have a question that is not answered here. Who do I send it to?

Please send it to toolbar@netcraft.com.


Copyright © Netcraft Ltd. 2004-8