Tutorial - Getting the most from the Netcraft Extension
If an email is apparently from the company which has sponsored your
Extension, then to visit the site, use the links in the Extension itself rather
than any link that you may receive in an electronic mail message. This protects
you against forged mail messages sent to you by fraudsters, where a URL
purporting to be to your bank's site actually links to the fraudsters' site.
The Extension provides you with a wealth of information about the sites you
visit. This information will help you make an informed choice about the
integrity of those sites. Here is a brief list of points you should be aware of
when visiting a site which requires you to enter personal information of any
Look at the Extension to see whether the site's netblock is registered to the company
Look at the country code and flag on the Extension to check that the site is
hosted in the country that you expect. There is a list of countries which are
often used to host fraud sites here.
On websites using SSL, check if
your connection to the website supports
Perfect Forward Secrecy by looking for
the green tick or red cross the Extension displays.
Who is the site's domain registered to? Be suspicious if this is not
the organisation you expect.
Who is running the DNS and reverse DNS for the site? Be suspicious if
these are not run by a host in a domain controlled by the organisation.
How new is the site? All other things being equal, the longer a site has
been around, the more you can trust it. "New Site" means the site you
are currently visiting has not been seen before by the Netcraft Web
Server Survey. This indicates that the site is probably less than one
month old. Phishing sites spring up overnight and disappear just as
quickly, and you should be extremely suspicious if you see this when
visiting what you believe to be a trustworthy site.
Does it have an SSLCertificate? Bank sites
that take authentication details will do this over SSL. Details of the SSL
Certificate (if any) will appear in the site report.
Is the site in the DNS? If the site has no hostname or domain name and
is a raw IP address be very suspicious.
If you are convinced that the site is a phishing site, please report it. If you are unable to report the URL via the
Extension site please send us the entire mail message intact as an attachment.
If you use Outlook you can do this by composing a new mail to firstname.lastname@example.org and dragging the fraud
mail on to it as an attachment.
Netcraft operates an incentive scheme for Phishing site submissions, including iPads, mugs, t-shirts, and more...
Let's take a look at an example. Below is a phishing attack aimed at customers of Halifax
which we received.
Note that the Extension shows that the site is hosted in the USA, at "ServerBeach", and that the site is new. The
real Halifax web site is
hosted in the UK at Halifax & Bank of Scotland.
Comparing the site reports is also telling; the fraudulent site's report contains many 'unknowns' whereas the
site report for the real
Halifax web site shows plausible domain registration and DNS details.
You can find out more about reporting URLs in the tutorial on
reporting a suspicious URL.