Frequently Asked Questions
Netcraft Extension Questions
- What is the Netcraft Extension?
- What if I find a URL that I cannot report?
- Exactly what types of URL should I report as phishing?
- Will Netcraft know which pages I visit?
- How does the Risk Rating work?
- Why does the Extension give my bank a high Risk Rating?
- How is the Risk Rating calculated?
- What does it mean when the Extension says "New Site"?
- What is PFS?
- What is SSLv3?
- What is Heartbleed?
- Why are some Site Report dates in the future?
- Why are some Site Report values "unknown"?
- Why does the Site report list companies unrelated to the site owner?
- How does the Extension cope with DNS poisoning?
- Will the Extension work if I am using a transparent proxy?
- How do we find out the Most Visited Web Sites?
- Which browsers support the Netcraft Extension?
- I have a problem with the Netcraft Extension.
- How do I uninstall or repair the Extension?
- Why is the Netcraft Extension warning about a safe website?
- What do I do if the Firefox version of Netcraft Extension is 'offline'?
- What is phishing?
- What are drop sites?
- Who are Netcraft?
- I have a question that is not answered here. Who do I send it to?
The Netcraft anti-phishing system consists of a user interface implemented as an Extension (a small program that is active whenever the user is using a web browser) and central servers, able to respond quickly to large numbers of requests as each user moves around the web. The central servers are managed by Netcraft and hold the information about URLs and sites provided by the anti-phishing community and Netcraft.
There are a number of situations where you will not be able to report a URL directly using the Extension, including, but not limited to:
- The URL is in a popup window that has been blocked.
- The page redirects to another location.
If you encounter a URL which you cannot report, please send the entire phishing mail message as a MIME attachment to email@example.com and we will investigate.
We define a phishing URL as one that is attempting to impersonate a site operated by an organisation with which the victim of the phishing attempt has an existing relationship, in order to obtain passwords or other personal information for use in some type of fraud.
This does not include sites such as fake banks, fake escrow sites, fake online shops, fake courier companies and so on, unless those sites are attempting to impersonate a site operated by a specific real organisation. Even if such sites are attempting to gather personal information or credit card details, we do not count them as phishing sites unless a specific real organisation is being impersonated.
For example, we would block a site attempting to impersonate the site of the First Hawaiian Bank, because the First Hawaiian Bank is a real bank. We would not block a site claiming to be the First National Bank of East Cheam, because that is a fictional bank rather than a fake site impersonating a real bank.
We can only consider sites that we can verify by examining the page content. This excludes parked and unavailable domains which mimic the domain names of real banks and other organisations.
Furthermore, we also accept emails pretending to be from a reputable organisation, which make use of a HTML attachment to collect a victim's details. We refer to these as "drop sites" and they can be reported by forwarding the email to firstname.lastname@example.org. For more information on drop sites please see What are drop sites?.
The Risk Rating displayed by the Netcraft Extension offers a further level of protection against new sites that are not yet in Netcraft's database. A lower risk rating is better as it indicates lower risk.
Risk rating in the Netcraft Google Chrome and Opera Extensions
Risk rating in the Netcraft Firefox Extension
Although a site may contain highly plausible content, the Netcraft Extension may still assign it a high Risk Rating: it may be hosted under a newly registered domain, it may never have been seen in the Netcraft Web Server Survey, and the network hosting it may have hosted a number of fraud sites in the past. Many other factors are also taken into account.
Hosting a web site on an unusual port number will also increase the Risk Rating, as will hosting a site from a raw IP address, as many phishing sites employ this tactic. The Risk Rating can be calculated fast enough to be performed for arbitrary sites as people visit them, and does not rely on manual categorization.
Fraudsters occasionally exploit weaknesses in a bank's own web site to make it appear as if a phishing site is genuinely hosted under the bank's domain name, or under a domain of one of its Internet banking sites. Banks whose web sites can be abused against their customers in this way are given a higher Risk Rating accordingly. A bank's web site may be exploitable by fraudsters if it exhibits cross-site scripting vulnerabilities or provides open redirects to external web sites.
Many factors contribute to the risk rating of each site. The dominant factor for most sites is the age of the domain name in which the site appears. Domain names that have never been seen in the Netcraft Web Server Survey are given a high risk rating, since many phishing sites and relatively few legitimate sites fall into this category.
Other factors which can influence the risk rating include:
- Any other known phishing sites in the same domain.
- Whether a hostname or a numeric IP address is used in the URL.
- Whether or not a port number appears in the URL.
- The hosting ISP's history with respect to phishing sites.
- The hosting country's history with respect to phishing sites.
- The top level domain's history with respect to phishing sites.
- The site's popularity with Netcraft Extension users.
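As an added illustration of the URL-level signals listed above (this is not Netcraft's algorithm or extension code): a small feature extractor that detects a raw IP address in place of a hostname, an explicit port number, and whether the registered domain has been seen before or already hosts known phishing. The survey and phishing-history tables and the weights are constructed placeholders; the registered-domain guess uses the last two labels rather than a public-suffix list.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-ins for data the FAQ says Netcraft keeps server-side:
# domains already seen in the Web Server Survey, and domains with a known
# phishing history. Real values would come from Netcraft's database.
SEEN_DOMAINS = {"example.com", "example.org"}
DOMAINS_WITH_PHISH = {"example.org"}

# Constructed weights; a lower total is better, matching the page's convention.
WEIGHTS = {"raw_ip": 4, "explicit_port": 3, "unseen_domain": 5, "phish_in_domain": 6}


def registered_domain(hostname: str) -> str:
    """Naive registrable-domain guess: the last two labels (no public-suffix list)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def url_risk_features(url: str) -> dict:
    """Extract the URL-level risk signals named in the FAQ from one URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # brackets are stripped for IPv6 literals
    try:
        ipaddress.ip_address(host)       # accepts both IPv4 and IPv6 literals
        raw_ip = True
    except ValueError:
        raw_ip = False
    domain = None if raw_ip or not host else registered_domain(host)
    return {
        "raw_ip": raw_ip,
        # .port is None unless a port was written in the URL, even if it is 80/443
        "explicit_port": parts.port is not None,
        "unseen_domain": domain is not None and domain not in SEEN_DOMAINS,
        "phish_in_domain": domain is not None and domain in DOMAINS_WITH_PHISH,
    }


def risk_rating(url: str) -> int:
    """Sum the constructed weights of the signals present; 0 is the lowest risk."""
    feats = url_risk_features(url)
    return sum(weight for name, weight in WEIGHTS.items() if feats[name])


if __name__ == "__main__":
    for sample in ("https://www.example.com/login",
                   "http://192.0.2.10:8080/bank/login",
                   "http://newly-registered.example/"):
        print(sample, risk_rating(sample), url_risk_features(sample))
```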
No - Netcraft have no way of knowing which pages an individual user visits when using the Extension. We do, however, collect the hostnames of the websites visited by our users in order to provide website popularity ranking information.
In order to protect the privacy of organizations' internal networks, the Netcraft Extension does not transmit information about sites on IANA private addresses. This feature, however, is only present in the Firefox version of the Extension.
"New Site" in the Netcraft Google Chrome and Opera Extensions
"New Site" in the Netcraft Firefox Extension
"New Site" means the site you are currently visiting has not been seen before by the Netcraft Web Server Survey. This indicates that the site is very new and should be considered less trustworthy than other sites. Since most phishing sites spring up overnight and disappear just as quickly, you should be extremely suspicious if you see this when visiting what you believe to be a trustworthy site.
PFS, or Perfect Forward Secrecy, is a property of an SSL connection which ensures that previously recorded encrypted traffic cannot be easily decrypted if the SSL private key later becomes available - for example, as a result of a court order, social engineering, an attack against the website or cryptanalysis.
PFS in the Netcraft Google Chrome and Opera Extensions
PFS in the Netcraft Firefox Extension
When you visit a web site which uses SSL, the Extension will detect if it is likely that your web browser has negotiated an SSL cipher suite which supports PFS. It will display a green tick if so, and a red cross if not. Additionally, in the Google Chrome and Opera versions of the Extension, if the connection does not support PFS or is affected by Heartbleed, a warning triangle will be displayed on top of the Netcraft icon, as shown below:
SSL is part of the SSL/TLS protocol family, and is used to provide security to web connections. SSL version 3 is an outdated version of the protocol, which is no longer deemed to be cryptographically secure due to a vulnerability dubbed POODLE. It has been superseded by TLS versions 1.0, 1.1 and 1.2.
When visiting a secure web page, the browser and web server negotiate to use the most secure version of SSL/TLS supported by both parties. In practice, this means that SSLv3 is rarely used to provide security. However, certain browser behaviour allows a man-in-the-middle to downgrade the negotiated protocol to SSLv3, after which they can perform an attack. The Extension indicates whether the web server supports SSLv3, which could mean that a downgrade attack is possible.
Heartbleed is the name of a vulnerability in the OpenSSL cryptographic library which, at the time of disclosure, affected around 17% of SSL web servers using certificates issued by trusted certificate authorities. The vulnerability has the potential to allow attackers to retrieve private keys and ultimately decrypt the server's encrypted traffic or even impersonate the server. The cause was a missing bounds check in the handling of the TLS heartbeat extension, which allows remote attackers to read up to 64 kilobytes of memory from an affected server.
Heartbleed indicator in the Netcraft Google Chrome and Opera Extensions
Heartbleed indicator in the Netcraft Firefox Extension
When you visit a web site which uses SSL, the Netcraft Extension uses data from the Netcraft SSL Survey to detect whether the site offered the TLS heartbeat extension prior to the Heartbleed disclosure. If it did, the Extension also checks whether the SSL certificate has been reissued since; if it has not, the site is unsafe, as the certificate's private key may have been compromised before the fix was applied. Even if the certificate has been reissued, that does not guarantee the site cannot be impersonated using the old certificate unless the old certificate has been revoked. The Extension indicates that a site is unsafe by displaying a bleeding heart icon, which on mouseover displays an explanatory tooltip. Additionally, in the Google Chrome and Opera versions of the Extension, if the server is affected by Heartbleed or does not support PFS, a warning triangle will be displayed on top of the Netcraft icon, as shown below:
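The two checks behind the warning triangle described in the PFS and Heartbleed answers above, as an added example that is not the Extension's own code: classifying a negotiated cipher suite by whether its key exchange is ephemeral, and applying the certificate-reissue reasoning against the public Heartbleed disclosure date (7 April 2014). It assumes OpenSSL- or IANA-style cipher suite names, and treats a reissued-but-unrevoked old certificate as still warranting a warning (my assumption, following the answer's caveat). It does not cover the separate SSLv3 check.

```python
from datetime import date

# Public fact: the date the Heartbleed bug (CVE-2014-0160) was disclosed.
HEARTBLEED_DISCLOSED = date(2014, 4, 7)


def cipher_suite_has_pfs(name: str) -> bool:
    """True if the suite's key exchange is ephemeral (EC)DHE, i.e. gives forward secrecy.

    Handles OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256) and IANA names
    (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256). Static RSA key transport
    (AES256-SHA, TLS_RSA_WITH_...) and static (EC)DH (ECDH-RSA-...) do not.
    TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use ephemeral exchange.
    """
    n = name.upper()
    if n.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True
    kex = n[4:] if n.startswith("TLS_") else n   # drop the IANA "TLS_" prefix
    return kex.startswith(("ECDHE", "DHE", "EDH"))


def heartbleed_status(offered_heartbeat_before_disclosure: bool,
                      cert_not_before: date, old_cert_revoked: bool) -> str:
    """Apply the FAQ's reasoning to one server's survey record.

    A server that exposed the heartbeat extension before disclosure may have
    leaked its private key, so the certificate must date from after the
    disclosure, and the old certificate must also have been revoked.
    """
    if not offered_heartbeat_before_disclosure:
        return "not-affected"
    if cert_not_before <= HEARTBLEED_DISCLOSED:
        return "unsafe"                  # same certificate; key may be compromised
    if not old_cert_revoked:
        return "reissued-not-revoked"    # old certificate could still impersonate
    return "reissued-and-revoked"


def warning_triangle(cipher_suite: str, hb_status: str) -> bool:
    """Chrome/Opera-style indicator: warn when PFS is absent or Heartbleed is unresolved."""
    return (not cipher_suite_has_pfs(cipher_suite)
            or hb_status in ("unsafe", "reissued-not-revoked"))


if __name__ == "__main__":
    # Constructed sample: heartbeat was offered, certificate reissued on 10 April 2014.
    status = heartbleed_status(True, date(2014, 4, 10), old_cert_revoked=False)
    print(status, warning_triangle("ECDHE-RSA-AES128-GCM-SHA256", status))
```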
The "First Seen" date corresponds to the first month in which the site appears in the Netcraft Web Server Survey. Thus, towards the end of a month, it may be possible to see some sites where the "First Seen" date appears to be in the future.
The Domain Registrar, Organisation, and Nameserver Organisation fields in the Site Report are only maintained for websites with a Site Rank within the top 1 million. Sites not in the top 1 million may display a value of "unknown" if we do not have up-to-date information available.
Many companies do not register their sites directly, but let their ISP register them on their behalf. Since this makes it hard to find out who is responsible for a particular site, most banks now register their sites directly, under their own name. Also, busy sites distribute their content across many servers managed by a specialist company such as Akamai; if such a company shows in a Site Report, it suggests the site is popular but probably not designed to conduct financial transactions.
The Extension displays the location of a site's IP address based on the information provided by your computer. If your local DNS cache was "poisoned" such that a web site pointed to an IP address located in Russia, then the Extension would report the site as being located in Russia.
The Netcraft Extension functions correctly with ordinary web proxies. A small number of Internet Service Providers (ISPs) use transparent proxies to route your web page requests. This could cause the Extension to report a web site as belonging to your ISP; however, this is quite a rare occurrence.
Domains visited by the anti-phishing community are collected anonymously and used to produce a list of the top 100 most visited websites. These rankings depict an accurate view of the most popular web sites viewed by users of the Netcraft Extension.
The Netcraft Extension is available for Mozilla Firefox, Google Chrome and Opera; no other web browsers are supported at the moment. If you have upgraded from a version of Firefox older than 1.1, you will need to download and install the new Extension.
Before reporting any bugs, please ensure that you are using the latest version of the Netcraft Extension. In Firefox, users can check for updates by selecting Tools > Extensions from the Firefox menu and right-clicking on the Netcraft Extension. In Google Chrome and Opera the same can be done by navigating to the extensions page and clicking on "Update extensions now". If the bug persists, please report it here.
The Firefox version of the Extension can be uninstalled using the Firefox Extensions Manager ("Tools" > "Extensions").
The Google Chrome version of the Extension can be uninstalled using the Chrome Extensions Manager ("Tools" > "Extensions").
The Opera version of the extension can be uninstalled using the Opera Extensions manager ("Opera" > "Extensions").
There are several reasons why you may receive a warning about a website you know to be harmless. The Extension has several built-in safety checks that will alert you if a URL contains suspicious characters, or a page is possibly susceptible to Cross-Site Scripting (XSS) attacks. In these cases, if you are sure that the website poses no threat, you can ignore the warning by clicking 'Yes' to the warning dialog.
Alternatively, the Extension warning may be a genuine error on our part. If you believe that the Extension has incorrectly classified a safe site as a phishing attack, you can let us know by using the 'Report Incorrectly Blocked URL' link on the Extension menu. You can also access the form directly.
The Extension will only ever warn you about suspicious websites by displaying a warning dialog; it will never cause the site to stop responding or display a 'file not found' page. Please be certain that the Extension is displaying such a warning before contacting us.
If your Extension is appearing as 'offline', please try the following solution:
- Type "about:config" into the address bar and press return.
- Type "browser.offline" into the "Filter:" field.
- Right-click on the "browser.offline" item in the list, and click on "Toggle" to set this value to "false".
- Close the tab.
The Extension should now work as intended.
Phishing is a name derived from the notion of "fishing for information", and "phreaking", which was an eighties term used for people who hacked phone networks and systems to gain access to free calls, or control over parts of the telephony system. It is a simple concept, which is to try to trick people into disclosing their bank account details, so that the attacker may then log in to the person's Internet bank and withdraw their savings.
Organisations which are not banks, but which have accounts that allow the customer to administer money or other tokens of value are also affected; this includes credit card companies, credit unions, exchanges, and some Internet retail sites. Amazon, PayPal, Visa, and eBay are some non-bank sites that have been attacked to date.
Phishing is a highly scalable and attractive opportunity for fraudsters; many people in the civilised world now have Internet enabled bank accounts, and under normal circumstances they offer a more pleasant and convenient user experience than visiting a bank branch or telephoning a bank call centre. Many businesses also have Internet enabled bank accounts, and a very significant amount of wealth is accessible via web based banking systems, typically protected by a username and password and other textual tokens supplied over the web by the account holder.
The technology required to construct a phishing fraud is minimal. Conventionally, the fraudster constructs an html mail message with forged mail headers indicating that the mail has come from the bank, and asks for the recipient to confirm their bank account username and password. To make the request appear more authentic, the mail usually links to a web server that opens a new window with the bank's own site (not a copy, but the actual site), and asks for the account details in a separate window, hosted on the attacker's server.
- Hosted at a company that is paid to ignore complaints about the scam; unscrupulous hosting locations in Asia and the former Soviet Union sell "bullet proof hosting" as a service, meaning that they will endeavour to keep the site running despite requests to close it down from outside of their own jurisdiction. A server involved in an attack on Barclays was hosted in Moscow and stayed up for at least a week after the phishing attack first started.
- Hosted on a machine that the attacker has broken into, without the owner's knowledge.
- Hosted at a bona fide web hosting company; phishing sites hosted at reasonably reputable hosting companies will be taken down quickly once complaints arrive.
There are no publicly available dependable statistics on how many of a bank's customers receiving phishing mails respond to them, but the fact that the largest UK banks have taken their entire banking sites offline during some phishing attacks indicates that the fraudsters are enjoying a non-trivial degree of success. There has been speculation that phishing may drive Internet banking off the Internet until the banks re-engineer their systems to require an additional level of security that cannot be compromised in this fashion, such as a one-time password generated by a SecurID token or equivalent mechanism.
One technique phishers use is to ask the victim to fill in an attached HTML form. This form submits the victim's details to a page under the attacker's control. This page then processes the information and sometimes redirects the victim to the target's real website to prevent the victim becoming suspicious.
We refer to this type of phishing attack as a "drop site". It is called a drop site because the only publicly accessible URL is a page into which the victim's details are "dropped".
Fraudsters use this technique because it is perceived as being more difficult for anti-phishing groups to detect automatically: usually the only publicly accessible page just processes the victim's details and provides no clue as to its true nature. Some drop sites redirect to the target's real website; this merits suspicion from anti-phishing groups, but does not provide enough evidence for them to block it.
Netcraft does, however, accept these reports, but only when they are accompanied by the original phishing email. For this reason, please forward the original drop site phishing email (including the HTML attachment) to email@example.com, where we can analyse the report in detail and determine if it is phishing.
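The drop-site pattern described above, as an added detection example rather than Netcraft's own analysis code: the HTML attachment is parsed for forms that collect password- or card-like fields and post them to a host outside the domain the email claims to come from. The sample attachment and the claimed sender domain are constructed; the field-name keywords are my assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed field-name fragments that indicate credential or payment collection.
SENSITIVE_NAME_PARTS = ("pass", "pin", "card", "cvv", "ssn", "secret")


class FormScanner(HTMLParser):
    """Collect every <form>, its action URL and the (type, name) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("type", "text").lower(), a.get("name", "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collects_secrets(fields) -> bool:
    """True if any input is a password box or has a credential-like name."""
    return any(t == "password" or any(p in n for p in SENSITIVE_NAME_PARTS) for t, n in fields)


def drop_site_indicators(attachment_html: str, claimed_domain: str) -> list:
    """Return the external hosts that credential-collecting forms post to.

    A form posting secrets to a host that is not the claimed sender's domain
    (or a subdomain of it) is the signature of a drop site.
    """
    scanner = FormScanner()
    scanner.feed(attachment_html)
    claimed = claimed_domain.lower()
    hits = []
    for form in scanner.forms:
        host = (urlsplit(form["action"]).hostname or "").lower()
        same_org = host == claimed or host.endswith("." + claimed)
        if host and not same_org and collects_secrets(form["fields"]):
            hits.append(host)
    return hits


# Constructed sample attachment: looks like a bank login, posts off-domain.
SAMPLE_ATTACHMENT = """<html><body><h1>Example Bank: confirm your details</h1>
<form method="post" action="http://collector.example.net/drop.php">
  <input name="userid"><input type="password" name="passcode">
  <input type="submit" value="Confirm"></form></body></html>"""

if __name__ == "__main__":
    print(drop_site_indicators(SAMPLE_ATTACHMENT, "examplebank.example"))
```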
Netcraft is an Internet services company based in Bath, England. Netcraft is funded through retained profit and derives its revenue in the following ways:
- Providing network security services, including application testing and automated penetration testing.
- Providing research data and analysis on many aspects of the Internet. Netcraft has explored the Internet since 1995 and is a respected authority on the market share of web servers, operating systems, hosting providers, ISPs, encrypted transactions, electronic commerce, scripting languages and content technologies on the Internet.
Netcraft has a cosmopolitan client list, spread through the UK, the USA, mainland Europe, the Middle East, Asia Pacific and Latin America. Clients include British Telecom, Capita, John Lewis, Lloyd's of London, Microsoft, Northern Rock, the 2010 and 2012 Olympic Games, Rackspace, Skype and VeriSign.
"I've thought for a long time that Netcraft represents a real revolution in market research. Firms like Gartner can tell you what they think people are going to do. Folks like Netcraft can tell you what people are actually doing." Tim O'Reilly, August 2003.
"It's no surprise that someone of the caliber of Bob Metcalfe, inventor of Ethernet and co-founder of 3com, should have called Netcraft 'cool'." Linuxworld, July 2003.
Please send it to firstname.lastname@example.org.