Netcraft Extension Help Pages

Frequently Asked Questions

Netcraft Extension Questions

General Questions

What is the Netcraft Extension?

The Netcraft anti-phishing system consists of a user interface implemented as an Extension (a small program that is active whenever the user is using a web browser) and central servers, able to respond quickly to large numbers of requests as each user moves around the web. The central servers are managed by Netcraft and hold the information about URLs and sites provided by the anti-phishing community and Netcraft.

What if I find a Phishing URL that I cannot report?

There are a number of situations where you will not be able to report a URL directly using the Extension, including, but not limited to:

If you encounter a URL which you cannot report, please send the entire phishing mail message as a MIME attachment to and we will investigate.

Exactly what types of URL should I report as phishing?

We define a phishing URL as one that is attempting to impersonate a site operated by an organisation with which the victim of the phishing attempt has an existing relationship, in order to obtain passwords or other personal information for use in some type of fraud.

This does not include sites such as fake banks, fake escrow sites, fake online shops, fake courier companies and so on, unless those sites are attempting to impersonate a site operated by a specific real organisation. Even if such sites are attempting to gather personal information or credit card details, we do not count them as phishing sites unless a specific real organisation is being impersonated.

For example, we would block a site attempting to impersonate the site of the First Hawaiian Bank, because the First Hawaiian Bank is a real bank. We would not block a site claiming to be the First National Bank of East Cheam, because that is a fictional bank rather than a fake site impersonating a real bank.

We can only consider sites that we can verify by examining the page content. This excludes parked and unavailable domains which mimic the domain names of real banks and other organisations.

We will also block URLs that return malicious or virus infested executable files, but only if either BitDefender or ClamAV detects a problem with the executable.

Additionally, we will also block web shells, which are often installed on compromised servers and used to further compromise that server. Servers with web shells often have a large number of phishing sites, as the web shell makes it simple to install new phishing sites.

Furthermore, we also accept emails pretending to be from a reputable organisation, which make use of a HTML attachment to collect a victim's details. We refer to these as "drop sites" and they can be reported by forwarding the email to For more information on drop sites please see What are drop sites?.

How does the Risk Rating work?

The Risk Rating displayed by the Netcraft Extension offers a further level of protection against new sites that are not yet in Netcraft's database. A lower risk rating is better as it indicates lower risk.

Risk Rating

Risk rating in the Netcraft Google Chrome and Opera Extensions

Risk Rating

Risk rating in the Netcraft Firefox Extension

Although some sites contain entirely benign content, the Netcraft Extension may assign a high Risk Rating because it could be hosted under a newly registered domain, the site may have never been seen in the Netcraft Web Server Survey before, or the network hosting the site may have hosted a number of fraud sites in the past. Many other factors are also taken into account.

Hosting a web site on an unusual port number will also increase the Risk Rating, as will hosting a site from a raw IP address, as many phishing sites employ this tactic. The Risk Rating can be calculated fast enough to be performed for arbitrary sites as people visit them, and does not rely on manual categorization.

Why does the Extension give my bank a high Risk Rating?

Fraudsters occasionally exploit weaknesses in a bank's own web site to make it appear as if a phishing site is genuinely hosted under the bank's domain name, or a domain of one of its Internet banking sites. Banks that support frauds against their customers in this way are given a higher Risk Rating accordingly. A bank's web site may be exploitable by fraudsters if it exhibits cross-site scripting vulnerabilities or provides open redirects to external web sites.

How is the Risk Rating calculated?

Many factors contribute to the risk rating of each site. The dominant factor for most sites is the age of the domain name in which the site appears. Domain names that have never been seen in the Netcraft Web Server Survey are given a high risk rating, since many phishing sites and relatively few legitimate sites fall into this category.

Other factors which can influence the risk rating include:

Will Netcraft know which pages I visit?

No — Netcraft has no way of knowing which pages an individual user visits when using the Extension. We do, however, collect the hostnames of the websites visited by our users in order to provide website popularity ranking information.

In order to protect the privacy of organizations' internal networks, the Netcraft Extension does not transmit information about sites on IANA private addresses. This feature, however, is only present in the Firefox version of the Extension.

What does it mean when the Extension says "New Site"?

New Site

"New Site" in the Netcraft Google Chrome and Opera Extensions

New Site

"New Site" in the Netcraft Firefox Extension

"New Site" means the site you are currently visiting has not been seen before by the Netcraft Web Server Survey. This indicates that the site is very new and should be considered less trustworthy than other sites. Since most phishing sites spring up overnight and disappear just as quickly, you should be extremely suspicious if you see this when visiting what you believe to be a trustworthy site.

What is PFS?

PFS, or Perfect Forward Secrecy, is a property of an SSL connection which ensures that previously recorded encrypted traffic cannot be easily decrypted if the SSL private key later becomes available — for example, as a result of a court order, social engineering, an attack against the website or cryptanalysis.


PFS in the Netcraft Google Chrome and Opera Extensions


PFS in the Netcraft Firefox Extension

When you visit a web site which uses SSL, the Extension will detect if it is likely that your web browser has negotiated an SSL cipher suite which supports PFS. It will display a green tick if so, and a red cross if not. Additionally, in the Google Chrome and Opera versions of the Extension, if the connection does not support PFS or is affected by Heartbleed, a warning triangle will be displayed on top of the Netcraft icon, as shown below:

Chrome warning icon

What is SSLv3?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are both designed to provide security to web connections. TLS is the successor protocol to SSL, though both are often referred to as "SSL". The last version of SSL was SSL version 3 (SSLv3), which is no longer deemed to be secure due to a vulnerability dubbed POODLE. Similarly, TLS version 1.0 is also no longer considered to be secure, as some implementations are vulnerable to POODLE, and cryptographic vulnerabilities have been found in the underlying RC4 cipher. All versions of SSL, and TLS 1.0 have been superseded by TLS 1.1 and 1.2, the latter of which is the current recommendation.

When visiting a secure web page, the browser and web server negotiate to use the most secure version of SSL/TLS supported by both parties. In practice, this means that SSLv3 is rarely used to provide security. However, certain browser behaviour allows a man-in-the-middle to downgrade the negotiated protocol to SSLv3 or TLS 1.0, after which they can perform an attack. The Extension indicates whether the web server supports SSLv3, which could mean that a downgrade attack is possible.

More information about the POODLE vulnerability.

What is Heartbleed?

Heartbleed is the name of a vulnerability in the OpenSSL cryptographic library which at the time of disclosure affected around 17% of SSL web servers using certificates issued by trusted certificate authorities. The vulnerability has the potential to allow attackers to retrieve private keys and ultimately decrypt the server's encrypted traffic or even impersonate the server. The cause was a missing bounds check in the handling of the TLS heartbeat extension which can allow remote attackers to view up to 64 kilobytes of memory on an affected server.
Read More.


Heartbleed indicator in the Netcraft Google Chrome and Opera Extensions


Heartbleed indicator in the Netcraft Firefox Extension

When you visit a web site which uses SSL, the Netcraft Extension will detect if the site offered the heartbeat TLS Extension prior to the Heartbleed disclosure using data from the Netcraft SSL Survey. If this is the case the Extension will also check to see if the SSL certificate has been reissued, if it has not then the site is unsafe as the certificate's private key may have been compromised prior to the fix. Even if the certificate has been reissued it does not guarantee the site cannot be impersonated using the old certificate unless it has been revoked. The extension will indicate when a site is unsafe by displaying a bleeding heart icon, which on mouseover displays an explanatory tooltip. Additionally, in the Google Chrome and Opera versions of the Extension, if the server is affected by Heartbleed or does not support PFS, a warning triangle will be displayed on top of the Netcraft icon, as shown below:

Chrome warning icon

Why are some Site Report dates in the future?

The "First Seen" date corresponds to the first month in which the site appears in the Netcraft Web Server Survey. Thus, towards the end of a month, it may be possible to see some sites where the "First Seen" date appears to be in the future.

Why are some Site Report values "unknown"?

The Domain Registrar, Organisation, and Nameserver Organisation fields in the Site Report are only maintained for websites with a Site Rank higher than 1 million. Sites not in the top 1 million may display a value of "unknown" if we do not have up-to-date information available.

Why does the Site report list companies unrelated to the site owner?

Many people and organisations do not host their own websites directly, but instead use a variety of third-parties to provide their website and associated services. One common technique for high-volume websites is to use a Content Delivery Network, or CDN, such as Cloudflare, Akamai, or Level 3. Also, the site report may list companies such as hosting providers, domain registrars, the Internet Service Provider (ISP) that provides the IP address, and more. Most, if not all, of this information can be found in publicly available sources.

How does the Extension cope with DNS poisoning?

The Extension displays the location of a site's IP address based on the information provided by your computer. If your local DNS cache was "poisoned" such that the a web site pointed to an IP address located in Russia, then the Extension would report the site as being located in Russia.

Will the Extension work if I am using a transparent proxy?

The Netcraft Extension functions correctly with ordinary web proxies. A small number of Internet Service Providers (ISPs) use transparent proxies to route your web page requests. This could cause the Extension to report a web site as belonging to your ISP, however, this is quite a rare occurrence.

How do we find out the Most Visited Web Sites?

Domains visited by the anti-phishing community are collected anonymously and used to produce a list of the top 100 most visited websites. These rankings depict an accurate view of the most popular web sites viewed by users of the Netcraft Extension.

Which browsers support the Netcraft Extension?

The Netcraft Extension is available for Mozilla Firefox, Google Chrome and Opera; no other web browsers are supported at this time. If you have upgraded from a version of Firefox which is older than 1.1, you will need to download and install the new Extension.

I have a problem with the Netcraft Extension

Before reporting any bugs, please ensure that you are using the latest version of the Netcraft Extension. In Firefox users can check for updates by selecting Tools > Extensions from the Firefox menu and right clicking on the Netcraft Extension. In Google Chrome and Opera the same can be done by navigating to the extensions page and clicking on "Update extensions now". If the bug persists please report it here.

How do I uninstall or repair the Extension?

The Firefox version of the Extension can be uninstalled using the Firefox Extensions Manager (Firefox Menu > "Add-ons" > "Extensions").

The Google Chrome version of the Extension can be uninstalled using the Chrome Extensions Manager. (Google Chrome Menu > "More tools" > "Extensions").

The Opera version of the extension can be uninstalled using the Opera Extensions manager (Opera Menu > "Extensions" > "Manage Extensions").

Why is the Netcraft Extension warning about a safe website?

There are several reasons why you may receive a warning about a website you know to be harmless. The Extension has several built-in safety checks that will alert you if a URL contains suspicious characters, or a page is possibly susceptible to Cross-Site Scripting (XSS) attacks. In these cases, if you are sure that the website poses no threat, you can ignore the warning by clicking 'Yes' to the warning dialog.

Alternately, the Extension warning may be a genuine error on our part. If you believe that the Extension has incorrectly classified a safe site as a phishing attack, you can let us know by using the 'Report Incorrectly Blocked URL' link on the Extension menu. You can also access the form directly.

The Extension will only ever warn you about suspicious websites by displaying a warning dialog; it will never cause the site to stop responding or display a 'file not found' page. Please be certain that the Extension is displaying such a warning before contacting us.

What do I do if the Firefox version of Netcraft Extension is 'offline'?

If your Extension is appearing as 'offline', please try the following solution:

The Extension should now work as intended.

What is phishing?

Phishing is a name derived from the notion of "fishing for information", and "phreaking", which is a term used to describe hacking phone networks and systems to gain access to free calls, or control over parts of the telephony system. Phishing is a simple concept, which is to try to trick people into disclosing account details of one form or another, so that the attacker may then log in to that person's online account and carry out malicious actions, ranging from selling the details on, to withdrawing savings from Internet bank accounts.

Organisations which are not banks, but which have accounts that allow the customer to administer money or other tokens of value are also affected; this includes credit card companies, credit unions, exchanges, and some Internet retail sites. Amazon, PayPal, Visa, and eBay are some non-bank sites that have been attacked to date.

Phishing is a highly scalable and attractive opportunity for fraudsters; many people across the world now have Internet enabled bank accounts, and under normal circumstances they offer a more pleasant and convenient user experience than visiting a bank branch or telephoning a bank call centre. Many businesses also have Internet enabled bank accounts, and thus a very significant amount of wealth is accessible via web based banking systems, typically protected by a username and password and other secrets, which are supplied over the World Wide Web by the account holder.

The technology required to construct a phishing fraud is minimal. Conventionally, the fraudster constructs an html mail message with forged mail headers indicating that the mail has come from the bank, and asks for the recipient to confirm their bank account username and password. To make the request appear more authentic, the site opened by clicking on the link in the email will often be copied directly from the official site, changing only where the login details are sent. Sometimes, phishing sites may use or redirect to a Data URI or Punycode domain, which may appear, even to the experienced user, to be an official website.

There are no publicly available dependable statistics on how many of a bank's customers receiving phishing mails respond to them, but the fact that the largest UK banks have taken their entire banking sites offline during some phishing attacks indicates that the fraudsters are enjoying a non-trivial degree of success. Many companies have adjusted their systems so as to require additional secrets from their users in order to login, for example:

What are drop sites?

One technique phishers use is to ask the victim to fill in an attached HTML form. This form submits the victim's details to a page under the attacker's control. This page then processes the information and sometimes redirects the victim to the target's real website to prevent the victim becoming suspicious.

We refer to this type of phishing attack as a "drop site". It is called a drop site because the only publicly accessible URL is a page into which the victim's details are "dropped".

Fraudsters use this technique as it is perceived as being more difficult for anti-phishing groups to automatically detect — usually the only publicly accessible page just processes the victim's details and provides no clue as to its true nature. Some drop sites redirect to the target's real website, this merits suspicion to anti-phishing groups, but does not provide enough evidence for them to block it.

Netcraft does however accept these reports, but only when accompanied with the original phishing email. For this reason, please send the original phishing email, as an attachment to where we can analyse the report in detail and determine if it is phishing.

Who are Netcraft?

Netcraft is an internet services company based in Bath, England. Netcraft is funded through retained profit and derives its revenue in the following ways:

Netcraft has a cosmopolitan client list, spread through the UK, the USA, mainland Europe, the Middle East, Asia Pacific and Latin America. Clients include BNP Paribas, British Telecom, Capita, Cisco, Datapipe, Intel, Kaspersky, MercadoLibre, Microsoft, the 2010 and 2012 Olympic Games, Rackspace, Skype, Symantec, and IBM/Softlayer.
"I've thought for a long time that Netcraft represents a real revolution in market research. Firms like Gartner can tell you what they think people are going to do. Folks like Netcraft can tell you what people are actually doing." Tim O'Reilly, August 2003.
"It's no surprise that someone of the caliber of Bob Metcalfe, inventor of Ethernet and co-founder of 3com, should have called Netcraft 'cool'." Linuxworld, July 2003.

I have a question that is not answered here. Who do I send it to?

Please send it to