Netcraft Extension Help Pages

Frequently Asked Questions

Netcraft Extension Questions

General Questions

What is the Netcraft Extension?

The Netcraft anti-phishing system consists of a user interface implemented as an Extension (a small program that is active whenever the user is using a web browser) and central servers, able to respond quickly to large numbers of requests as each user moves around the web. The central servers are managed by Netcraft and hold the information about URLs and sites provided by the anti-phishing community and Netcraft.

What if I find a Phishing URL that I cannot report?

There are a number of situations where you will not be able to report a URL directly using the Extension, including, but not limited to:

If you encounter a URL which you cannot report, please send the entire phishing mail message as a MIME attachment to and we will investigate.

Exactly what types of URL should I report as phishing?

We define a phishing URL as one that is attempting to impersonate a site operated by an organisation with which the victim of the phishing attempt has an existing relationship, in order to obtain passwords or other personal information for use in some type of fraud.

This does not include sites such as fake banks, fake escrow sites, fake online shops, fake courier companies and so on, unless those sites are attempting to impersonate a site operated by a specific real organisation. Even if such sites are attempting to gather personal information or credit card details, we do not count them as phishing sites unless a specific real organisation is being impersonated.

For example, we would block a site attempting to impersonate the site of the First Hawaiian Bank, because the First Hawaiian Bank is a real bank. We would not block a site claiming to be the First National Bank of East Cheam, because that is a fictional bank rather than a fake site impersonating a real bank.

We can only consider sites that we can verify by examining the page content. This excludes parked and unavailable domains which mimic the domain names of real banks and other organisations.

We will also block URLs that return malicious or virus infested executable files, but only if either BitDefender or ClamAV detects a problem with the executable.

Furthermore, we also accept emails pretending to be from a reputable organisation, which make use of a HTML attachment to collect a victim's details. We refer to these as "drop sites" and they can be reported by forwarding the email to For more information on drop sites please see What are drop sites?.

How does the Risk Rating work?

The Risk Rating displayed by the Netcraft Extension offers a further level of protection against new sites that are not yet in Netcraft's database. A lower risk rating is better as it indicates lower risk.

Risk Rating

Risk rating in the Netcraft Google Chrome and Opera Extensions

Risk Rating

Risk rating in the Netcraft Firefox Extension

Although some sites may contain sumptuously plausible content, the Netcraft Extension may assign a high Risk Rating because it could be hosted under a newly registered domain, the site may have never been seen in the Netcraft Web Server Survey, and the network hosting the site may have hosted a number of fraud sites in the past. Many other factors are also taken into account.

Hosting a web site on an unusual port number will also increase the Risk Rating, as will hosting a site from a raw IP address, as many phishing sites employ this tactic. The Risk Rating can be calculated fast enough to be performed for arbitrary sites as people visit them, and does not rely on manual categorization.

Why does the Extension give my bank a high Risk Rating?

Fraudsters occasionally exploit weaknesses in a bank's own web site to make it appear as if a phishing site is genuinely hosted under the bank's domain name, or a domain of one of its Internet banking sites. Banks that support frauds against their customers in this way are given a higher Risk Rating accordingly. A bank's web site may be exploitable by fraudsters if it exhibits cross-site scripting vulnerabilities or provides open redirects to external web sites.

How is the Risk Rating calculated?

Many factors contribute to the risk rating of each site. The dominant factor for most sites is the age of the domain name in which the site appears. Domain names that have never been seen in the Netcraft Web Server Survey are given a high risk rating, since many phishing sites and relatively few legitimate sites fall into this category.

Other factors which can influence the risk rating include:

Will Netcraft know which pages I visit?

No - Netcraft have no way of knowing which pages an individual user visits when using the Extension. We do, however, collect the hostnames of the websites visited by our users in order to provide website popularity ranking information.

In order to protect the privacy of organizations' internal networks the Netcraft Extension does not transmit information about sites on IANA private addresses. This feature however, is only present on the Firefox version of the Extension.

What does it mean when the Extension says "New Site"?

New Site

"New Site" in the Netcraft Google Chrome and Opera Extensions

New Site

"New Site" in the Netcraft Firefox Extension

"New Site" means the site you are currently visiting has not been seen before by the Netcraft Web Server Survey. This indicates that the site is very new and should be considered less trustworthy than other sites. Since most phishing sites spring up overnight and disappear just as quickly, you should be extremely suspicious if you see this when visiting what you believe to be a trustworthy site.

What is PFS?

PFS, or Perfect Forward Secrecy, is a property of an SSL connection which ensures that previously recorded encrypted traffic cannot be easily decrypted if the SSL private key later becomes available - for example, as a result of a court order, social engineering, an attack against the website or cryptanalysis.


PFS in the Netcraft Google Chrome and Opera Extensions


PFS in the Netcraft Firefox Extension

When you visit a web site which uses SSL, the Extension will detect if it is likely that your web browser has negotiated an SSL cipher suite which supports PFS. It will display a green tick if so, and a red cross if not. Additionally, in the Google Chrome and Opera versions of the Extension, if the connection does not support PFS or is affected by Heartbleed, a warning triangle will be displayed on top of the Netcraft icon, as shown below:

Chrome warning icon

What is SSLv3?

SSL is part of the SSL/TLS protocol family, and is used to provide security to web connections. SSL version 3 is an outdated version of the protocol, which is no longer deemed to be cryptographically secure due to a vulnerability dubbed POODLE. It has been superseded by TLS versions 1.0, 1.1 and 1.2.

When visiting a secure web page, the browser and web server negotiate to use the most secure version of SSL/TLS supported by both parties. In practice, this means that SSLv3 is rarely used to provide security. However, certain browser behaviour allows a man-in-the-middle to downgrade the negotiated protocol to SSLv3, after which they can perform an attack. The Extension indicates whether the web server supports SSLv3, which could mean that a downgrade attack is possible.

More information about the POODLE vulnerability .

What is Heartbleed?

Heartbleed, is the name of a vulnerability in the OpenSSL cryptographic library which at the time of disclosure affected around 17% of SSL web servers using certificates issued by trusted certificate authorities. The vulnerability has the potential to allow attackers to retrieve private keys and ultimately decrypt the server's encrypted traffic or even impersonate the server. The cause was a missing bounds check in the handling of the TLS heartbeat extension which can allow remote attackers to view up to 64 kilobytes of memory on an affected server.
Read More.


Heartbleed indicator in the Netcraft Google Chrome and Opera Extensions


Heartbleed indicator in the Netcraft Firefox Extension

When you visit a web site which uses SSL, the Netcraft Extension will detect if the site offered the heartbeat TLS Extension prior to the Heartbleed disclosure using data from the Netcraft SSL Survey. If this is the case the Extension will also check to see if the SSL certificate has been reissued, if it has not then the site is unsafe as the certificate's private key may have been compromised prior to the fix. Even if the certificate has been reissued it does not guarantee the site cannot be impersonated using the old certificate unless it has been revoked. The extension will indicate when a site is unsafe by displaying a bleeding heart icon, which on mouseover displays an explanatory tooltip. Additionally, in the Google Chrome and Opera versions of the Extension, if the server is affected by Heartbleed or does not support PFS, a warning triangle will be displayed on top of the Netcraft icon, as shown below:

Chrome warning icon

Why are some Site Report dates in the future?

The "First Seen" date corresponds to the first month in which the site appears in the Netcraft Web Server Survey. Thus, towards the end of a month, it may be possible to see some sites where the "First Seen" date appears to be in the future.

Why are some Site Report values "unknown"?

The Domain Registrar, Organisation, and Nameserver Organisation fields in the Site Report are only maintained for websites with a Site Rank higher than 1 million. Sites not in the top 1 million may display a value of "unknown" if we do not have up-to-date information available.

Why does the Site report list companies unrelated to the site owner?

Many companies do not register their sites directly, but let their ISP to register them on their behalf. Since this makes it hard to find out who is responsible for a particular site, most banks now register their sites directly, under their own name. Also, busy sites distribute their content across many servers, managed by a specialist company like Akamai - if such a company shows in a Site report, it suggests the site is popular but probably not designed to conduct financial transactions.

How does the Extension cope with DNS poisoning?

The Extension displays the location of a site's IP address based on the information provided by your computer. If your local DNS cache was "poisoned" such that the a web site pointed to an IP address located in Russia, then the Extension would report the site as being located in Russia.

Will the Extension work if I am using a transparent proxy?

The Netcraft Extension functions correctly with ordinary web proxies. A small number of Internet Service Providers (ISPs) use transparent proxies to route your web page requests. This could cause the Extension to report a web site as belonging to your ISP, however, this is quite a rare occurrence.

How do we find out the Most Visited Web Sites?

Domains visited by the anti-phishing community are collected anonymously and used to produce a list of the top 100 most visited websites. These rankings depict an accurate view of the most popular web sites viewed by users of the Netcraft Extension.

Which browsers support the Netcraft Extension?

The Netcraft Extension is available for Mozilla Firefox, Google Chrome and Opera, no other web browsers are supported at the moment. If you have upgraded from a version of Firefox which is older than 1.1, you will need to download and install the new Extension.

I have a problem with the Netcraft Extension

Before reporting any bugs, please ensure that you are using the latest version of the Netcraft Extension. In Firefox users can check for updates by selecting Tools > Extensions from the Firefox menu and right clicking on the Netcraft Extension. In Google Chrome and Opera the same can be done by navigating to the extensions page and clicking on "Update extensions now". If the bug persists please report it here.

How do I uninstall or repair the Extension?

The Firefox version of the Extension can be uninstalled using the Firefox Extensions Manager ("Tools" > "Extensions").

The Google Chrome version of the Extension can be uninstalled using the Chrome Extensions Manager ("Tools" > "Extensions").

The Opera version of the extension can be uninstalled using the Opera Extensions manager ("Opera" > "Extensions").

Why is the Netcraft Extension warning about a safe website?

There are several reasons why you may receive a warning about a website you know to be harmless. The Extension has several built-in safety checks that will alert you if a URL contains suspicious characters, or a page is possibly susceptible to Cross-Site Scripting (XSS) attacks. In these cases, if you are sure that the website poses no threat, you can ignore the warning by clicking 'Yes' to the warning dialog.

Alternately, the Extension warning may be a genuine error on our part. If you believe that the Extension has incorrectly classified a safe site as a phishing attack, you can let us know by using the 'Report Incorrectly Blocked URL' link on the Extension menu. You can also access the form directly.

The Extension will only ever warn you about suspicious websites by displaying a warning dialog; it will never cause the site to stop responding or display a 'file not found' page. Please be certain that the Extension is displaying such a warning before contacting us.

What do I do if the Firefox version of Netcraft Extension is 'offline'?

If your Extension is appearing as 'offline', please try the following solution:

The Extension should now work as intended.

What is phishing?

Phishing is a name derived from the notion of "fishing for information", and "phreaking", which was an eighties term used for people who hacked phone networks and systems to gain access to free calls, or control over parts of the telephony system. It is a simple concept, which is to try to trick people into disclosing their bank account details, so that the attacker may then log in to the person's Internet bank and withdraw their savings.

Organisations which are not banks, but which have accounts that allow the customer to administer money or other tokens of value are also affected; this includes credit card companies, credit unions, exchanges, and some Internet retail sites. Amazon, PayPal, Visa, and eBay are some non-bank sites that have been attacked to date.

Phishing is a highly scalable and attractive opportunity for fraudsters; many people in the civilised world now have Internet enabled bank accounts, and under normal circumstances they offer a more pleasant and convenient user experience than visiting a bank branch or telephoning a bank call centre. Many businesses also have Internet enabled bank accounts, and a very significant amount of wealth is accessible via web based banking systems, typically protected by a username and password and other textual tokens supplied over the web by the account holder.

The technology required to construct a phishing fraud is minimal. Conventionally, the fraudster constructs an html mail message with forged mail headers indicating that the mail has come from the bank, and asks for the recipient to confirm their bank account username and password. To make the request appear more authentic, the mail usually links to a web server that opens a new window with the bank's own site (not a copy, but the actual site), and asks for the account details in a separate window, hosted on the attacker's server.

There are no publicly available dependable statistics on how many of a bank's customers receiving phishing mails respond to them, but the fact that the largest UK banks have taken their entire banking sites offline during some phishing attacks indicates that the fraudsters are enjoying a non-trivial degree of success. There has been speculation that phishing may drive Internet banking off the Internet until the banks re-engineer their systems to require an additional level of security that cannot be compromised in this fashion, such as a one-time password generated by a SecureID card or equivalent operation.

What are drop sites?

One technique phishers use is to ask the victim to fill in an attached HTML form. This form submits the victim's details to a page under the attacker's control. This page then processes the information and sometimes redirects the victim to the target's real website to prevent the victim becoming suspicious.

We refer to this type of phishing attack as a "drop site". It is called a drop site because the only publicly accessible URL is a page into which the victim's details are "dropped".

Fraudsters use this technique as it is perceived as being more difficult for anti-phishing groups to automatically detect - usually the only publicly accessible page just processes the victim's details and provides no clue as to its true nature. Some drop sites redirect to the target's real website, this merits suspicion to anti-phishing groups, but does not provide enough evidence for them to block it.

Netcraft does however accept these reports, but only when accompanied with the original phishing email. For this reason, please forward the original drop site phishing email (including the HTML attachment) to where we can analyse the report in detail and determine if it is phishing.

Who are Netcraft?

Netcraft is an Internet services company based in Bath, England. Netcraft is funded through retained profit and derives its revenue in the following ways:

Netcraft has a cosmopolitan client list, spread through the UK, the USA, mainland Europe, the Middle East, Asia Pacific and Latin America. Clients include British Telecom, Capita, John Lewis, Lloyd's of London, Microsoft, Northern Rock, the 2010 and 2012 Olympic Games, Rackspace, Skype and VeriSign.
"I've thought for a long time that Netcraft represents a real revolution in market research. Firms like Gartner can tell you what they think people are going to do. Folks like Netcraft can tell you what people are actually doing." Tim O'Reilly, August 2003.
"It's no surprise that someone of the caliber of Bob Metcalfe, inventor of Ethernet and co-founder of 3com, should have called Netcraft 'cool'." Linuxworld, July 2003.

I have a question that is not answered here. Who do I send it to?

Please send it to