Development of a Firefox version of the toolbar is underway, and started just before Xmas. We will make it available as soon as we can.
Filtering of some suspicious characters was too aggressive and actually blocked some URLs on benign sites including Google and Amazon. We have made an update to the toolbar which will propagate during the course of today.
Thanks for all the reports of phishing sites. If you would like to evangelize the toolbar, encourage friends and relatives that you think might be vulnerable to phishing attacks to use the Toolbar, so that the maximum number of people receive the benefit of these timely reports.
If your preferred desktop operating system can't run the Toolbar until a Firefox version is available, you can report phishing sites directly at http://toolbar.netcraft.com/report_url
Anandtech and Wininformant quickly published reviews of the toolbar yesterday. There was also some television coverage in the US.
Everyone here is delighted by your enthusiasm and encouragement.
The Netcraft Toolbar
The Netcraft Toolbar uses Netcraft's databases of web site information to show you all the attributes of each site you visit on the Web, including the site's hosting location, country, longevity and popularity. The Toolbar is compatible with Microsoft Internet Explorer, and a Firefox version is underway.
Installing the Netcraft Toolbar
Downloading and installing the Netcraft Toolbar is quick and simple:
- Follow this link to download the toolbar.
- When you see a prompt asking if you want to open the file or save it to your computer, press the "Open" button.
- The Netcraft Toolbar Setup Wizard will now appear. Follow the on-screen prompts to install the toolbar.
- Open Internet Explorer and click the right-hand mouse button over the
- In the menu that appears, ensure that there is a tick next to the 'Netcraft Toolbar' item. If there is not, click the left-hand mouse button over the item and the toolbar should appear.
Using the Toolbar Effectively
The Netcraft Toolbar provides you with constantly updated information about the sites you visit, as well as blocking dangerous sites.
Once the toolbar is installed, Internet Explorer should look similar to this:
As you can see, the site used in this example is http://toolbar.netcraft.com.
When you visit a site, the following information will be displayed in the toolbar (unless the page has been blocked, like this one):
- The "rank" (popularity amongst toolbar users) of the site, linking to the top site listings.
- A link to the site report for the current site.
- The flag (if available) and the two-letter ISO code for the country in which the site is hosted; in this case it is hosted in [UK] (United Kingdom).
- The name of the netblock on which the site is hosted (in this case, the Rackspace.com Netblock). This also links to a listing of sites on the same netblock.
If you attempt to visit a page that has been blocked, you will see a warning dialog which looks similar to this:
Getting the Most from the Netcraft Toolbar
Let's take a look at an example. Below is a phishing attack aimed at customers of SunTrust Banks which we received.
The toolbar provides you with a wealth of information about the sites you visit. This information will help you make an informed choice about the integrity of those sites. Here is a brief list of points you should be aware of when visiting a site which requires you to enter personal information of any
Look at the toolbar to see whether the site's netblock is registered to the company
Look at the country code and flag on the Toolbar to check that the site is hosted in the country that you expect. Netcraft publishes a list of countries which are often used to host fraud sites.
Request a site report on the site:
- Who is the site's domain registered to? Be suspicious if this is not the organisation you expect.
- Who is running the DNS and reverse DNS for the site? Be suspicious if these are not run by a host in a domain controlled by the organisation.
- How new is the site? All other things being equal, the longer a site has been around, the more you can trust it. "New Site" means the site you are currently visiting has not been seen before by the Netcraft Web Server Survey, which indicates that it is probably less than one month old. Phishing sites spring up overnight and disappear just as quickly, so you should be extremely suspicious if you see this when visiting what you believe to be a trustworthy site.
- Does it have an SSL certificate? Bank sites that take authentication details do so over SSL. Details of the SSL certificate (if any) appear in the site report; check that it was issued to the organisation you expect, since a certificate issued to some unrelated name proves nothing about the site.
- Is the site in the DNS? If the site has no hostname or domain name and is a raw IP address, be very suspicious.
If you are convinced that the site is a phishing site, please report it. If you are unable to report the URL via the toolbar or the report site, please send us the entire mail message intact as an attachment.
If you use Outlook you can do this by composing a new mail to email@example.com and dragging the fraud mail on to it as an attachment.
Netcraft will send a reward to the first person to report each new
Note that the Toolbar shows that the site is hosted in the USA, at "Inktomi Corporation", and that the site is new. The real SunTrust web site is hosted in the USA at SunTrust Service Corporation.
Comparing the site reports is also telling; the fraudulent site's report contains many 'unknowns' whereas the site report for the real SunTrust web site shows plausible domain registration and DNS details.
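The checklist above, and the SunTrust comparison, can be written down as a scoring function over the fields a site report exposes. The following is an added example, not Netcraft's code: the report field names, the organisation "examplebank.com", the two sample reports (one shaped like a genuine bank site, one shaped like the SunTrust phish: right country, wrong netblock, "New Site", no certificate, raw IP) and the reference date of 30 December 2004 are all constructed for this illustration. 203.0.113.45 is a documentation address.

```python
"""Checklist heuristics over a site report (added example, not Netcraft's code).

The report fields, the organisation names, the reference date and the two
sample reports are constructed for illustration; the real Netcraft site
report has its own layout.
"""
import ipaddress
import re
from datetime import date

# Constructed: what a report for a bank's genuine site might carry.
REAL_BANK = {
    "hostname": "www.examplebank.com",
    "org_domain": "examplebank.com",       # domain the bank is known to own
    "hosting_country": "US",
    "netblock_owner": "Example Bank Service Corporation",
    "registrant": "Example Bank, Inc.",
    "nameservers": ["ns1.examplebank.com", "ns2.examplebank.com"],
    "reverse_dns": "web1.examplebank.com",
    "first_seen": date(1998, 6, 1),
    "ssl_certificate_subject": "www.examplebank.com",
}

# Constructed: the same shape for a phishing site, like the SunTrust case:
# hosted in the expected country, but at a third-party netblock, with no DNS
# history, no certificate, and a raw IP address (203.0.113.45 is TEST-NET).
PHISH = {
    "hostname": "203.0.113.45",
    "org_domain": "examplebank.com",
    "hosting_country": "US",
    "netblock_owner": "Some Hosting Corporation",
    "registrant": None,
    "nameservers": [],
    "reverse_dns": None,
    "first_seen": None,          # "New Site": never seen by the survey
    "ssl_certificate_subject": None,
}


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_org_domain(name, org_domain):
    """True when a DNS name is the organisation's domain or a subdomain of it."""
    name = (name or "").lower().rstrip(".")
    return name == org_domain or name.endswith("." + org_domain)


def org_matches(text, org_domain):
    """Crude free-text match: the domain's first label appears in the field."""
    label = org_domain.split(".")[0]
    squashed = re.sub(r"[^a-z0-9]", "", (text or "").lower())
    return label in squashed


def assess(report, expected_country, today=date(2004, 12, 30)):
    """Apply the checklist; return one warning string per failed check."""
    warnings = []
    org = report["org_domain"]
    if is_ip_literal(report["hostname"]):
        warnings.append("raw IP address instead of a hostname")
    if report["hosting_country"] != expected_country:
        warnings.append(f"hosted in {report['hosting_country']}, expected {expected_country}")
    if not org_matches(report["netblock_owner"], org):
        warnings.append(f"netblock owned by {report['netblock_owner']!r}, not the organisation")
    if not org_matches(report["registrant"], org):
        warnings.append("domain registrant unknown or not the organisation")
    ns = report["nameservers"]
    if not ns or not all(in_org_domain(n, org) for n in ns):
        warnings.append("DNS not served from the organisation's domain")
    if not in_org_domain(report["reverse_dns"], org):
        warnings.append("reverse DNS missing or outside the organisation's domain")
    first_seen = report["first_seen"]
    if first_seen is None:
        warnings.append("New Site: never seen by the survey, probably under a month old")
    elif (today - first_seen).days < 90:
        warnings.append(f"site first seen only {(today - first_seen).days} days ago")
    cert = report["ssl_certificate_subject"]
    if cert is None:
        warnings.append("no SSL certificate")
    elif not in_org_domain(cert, org):
        warnings.append(f"SSL certificate issued to {cert!r}, not the organisation")
    return warnings


def verdict(report, expected_country):
    """Two or more failed checks is enough to treat a site as suspicious."""
    warnings = assess(report, expected_country)
    return ("suspicious" if len(warnings) >= 2 else "plausible"), warnings


if __name__ == "__main__":
    for label, report in (("real site", REAL_BANK), ("phishing site", PHISH)):
        result, warnings = verdict(report, "US")
        print(f"{label}: {result}")
        for w in warnings:
            print("  -", w)
```

The hosting-country check passes for both reports, which is exactly the SunTrust situation: it is the netblock owner, the missing DNS and registration details, the "New Site" flag and the absent certificate that separate the two, so no single check should be relied on alone.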
You can find out more about reporting URLs in the tutorial on reporting a suspicious URL.
Reporting a Suspicious URL
When you visit a page that you believe to be a phishing site, or contains fraudulent or deceptive content, we ask that you report it so that other toolbar users will benefit from your vigilance. The more sites that are reported, the more useful the toolbar will become for everyone.
You can report a URL by clicking on "Report a Phishing Site" in the toolbar menu, accessed by clicking on the Netcraft logo:
After you report a URL, Netcraft analysts will examine the report and block the page if they find it has inappropriate content.
You can practice blocking an attack by:
- Requesting a sample of a fictional phishing attack mail.
- Visiting the URL contained in the mail that you receive.
- Clicking on the Netcraft logo in the toolbar.
- Selecting "Report a Phishing Site" in the menu that appears.
URLs from fictional phishing attack mails are blocked automatically, so you can confirm that the URL has been blocked by re-visiting it after reporting.
The Netcraft Toolbar uses Netcraft's enormous databases of web site information to show you all the attributes of each site you visit on the Web, including the sites' hosting location, country, longevity and popularity.
It also mobilizes the Netcraft community into a giant neighbourhood watch scheme to empower the most alert and experienced members to protect the vulnerable against fraud and phishing attacks.
Toolbar features include:
- Clear display of sites' hosting location at all times helps you validate fraudulent URLs (e.g. the main online banking site of a large US bank is unlikely to be hosted in the former Soviet Union).
- Once you report a phishing URL, it is blocked for other community members subsequently accessing it. The leverage of widely disseminated attacks (people constructing phishing attacks send literally millions of electronic mails in the expectation that some will reach customers of the bank) is utilized to expedite blocking of the fraud site.
- Natively traps cross-site scripting and other suspicious URLs containing characters which have no common purpose other than to deceive.
- Netcraft supervisor validation is used to contain the impact of any false reporting of URLs.
- Display of browser navigational controls (toolbar & address bar) in all windows, to defend against pop-up windows which attempt to hide the navigational controls to disguise location.
- Happily coexists with Google and other Toolbars.
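The "suspicious characters" trap in the feature list, and the over-aggressive filtering that the update at the top of the page corrected, come down to deciding which characters a URL has no honest reason to carry. The following is an added example, not the toolbar's code: the character classes, the regular expressions and the five sample URLs (two search-engine style, three deceptive) are this example's own constructions, and the Google and Amazon style URLs are there to show that ordinary percent-encoding such as %3D or %20 must pass.

```python
"""URL character checks of the kind the feature list describes.

Added example, not the toolbar's code. The characters treated as suspicious,
the regular expressions and the sample URLs are this example's own choices.
"""
import re
from urllib.parse import urlsplit, unquote

# Characters a legitimate URL never needs to carry unencoded: quotes, angle
# brackets, backtick and control characters. Space is deliberately not listed.
RAW_SUSPICIOUS = re.compile(r'[<>"\'`\x00-\x1f\x7f]')
# Percent-encoded forms of the same characters; %20, %2F, %3D etc. stay allowed.
ENCODED_SUSPICIOUS = re.compile(r"%(?:3c|3e|22|27|60|00)", re.IGNORECASE)
# Script injection markers, looked for after decoding so %3Cscript%3E is caught.
SCRIPT_MARKERS = re.compile(r"<\s*/?\s*script|javascript:|vbscript:", re.IGNORECASE)


def check_url(url):
    """Return the reasons a URL looks deceptive; an empty list means it passed."""
    reasons = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    if parts.username is not None:
        # http://www.examplebank.com@203.0.113.45/ shows the bank's name first,
        # but the browser connects to the host after the '@'.
        reasons.append(f"userinfo before '@' hides the real host {parts.hostname!r}")
    if not parts.hostname:
        reasons.append("no host")
    if RAW_SUSPICIOUS.search(url):
        reasons.append("raw quote, angle bracket or control character")
    if ENCODED_SUSPICIOUS.search(url):
        reasons.append("percent-encoded quote, angle bracket or NUL")
    if SCRIPT_MARKERS.search(unquote(url)):
        reasons.append("script marker in decoded URL (cross-site scripting)")
    return reasons


# Constructed sample URLs: two benign search-style URLs and three deceptive ones.
# 203.0.113.45 is a documentation (TEST-NET) address.
SAMPLES = {
    "google_search": "https://www.google.com/search?q=netcraft+toolbar&hl=en",
    "amazon_search": "http://www.amazon.com/exec/obidos/search-handle-url/"
                     "index%3Dbooks%26field-keywords%3Dphishing%20toolbar",
    "userinfo_trick": "http://www.examplebank.com@203.0.113.45/login",
    "reflected_script": "http://203.0.113.45/login.php?next=<script>alert(1)</script>",
    "encoded_script": "http://203.0.113.45/login.php?next=%3Cscript%3Ealert(1)%3C/script%3E",
}


def screen(samples=SAMPLES):
    """Map each sample name to its list of reasons (empty when the URL passes)."""
    return {name: check_url(url) for name, url in samples.items()}


if __name__ == "__main__":
    for name, reasons in screen().items():
        print(name, "->", "OK" if not reasons else "; ".join(reasons))
```

The encoded list is deliberately narrow: blocking every percent-escape is what broke Google and Amazon, so only the escapes of characters that are themselves suspicious are matched, and script markers are checked on the decoded string so that encoding does not hide them.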
The Netcraft Toolbar is available now. Please download and try out the toolbar, and let us have your opinions.
If you would like to have a version of the Netcraft Toolbar branded for
your organisation, please get in touch.
The toolbar can be used to keep your site navigation within view of your customers throughout the time they spend using the web. Dynamically updating navigation provides the facility to change URLs or menu structure and bring new and timely information to customers' attention at any time.
With just hours left before Microsoft discontinues most support for Windows NT4, many blue-chip companies and e-commerce providers continue to run their web sites on the eight-year-old operating system, although the last Fortune 100 holdout has migrated.
Microsoft has retired NT4, which was introduced in September 1996, and will cease security updates on Dec. 31, along with pay-per-incident support. Microsoft recently said it will offer only custom support to users of Windows NT 4.0 Server after Jan. 1. As a result, the number of holdouts running web sites on NT4 has been dwindling. Only 1.4 percent of web-facing hostnames run on Windows NT4/98, according to this month's Web Server Survey, down from 5.3 percent at the start of 2003.
Retail chain Kroger was the last remaining Fortune 100 company on Windows NT4, but is now serving its site on Windows Server 2003 (IIS6) while using NetBSD for front-end caching or load balancing.
The UK's FTSE 100 is not as far along, with six member companies still using NT4, following retailer Next PLC's Christmas Eve upgrade to Windows Server 2003. While Britain's banks have urged customers to update their computers, several large financial firms (including Lloyds TSB, Legal & General and F&C Asset Management) continue to run their public web sites on Windows NT4. Other FTSE 100 firms continuing to use NT4 include Tomkins, Allied Dome and BB&G.
Another NT4 user is Diebold, the security firm whose systems are widely used in bank cash machines and electronic voting.
Netcraft monitors over 23K hostnames for the top 1.5K Enterprises (Fortune 1K, FT European 500, FT Asia Pacific, FT Japan, FT Eastern Europe) on a monthly basis, providing details of web technology. Contact us for details of the commercial dataset.
Thousands of servers hosting phpBB forums have been defaced today by a worm that exploits a security hole in the popular bulletin board program.
The Santy worm is written in Perl, and exploits a flaw in a file called viewtopic.php that allows an SQL injection exploit, in which SQL database commands typed into a web form can be executed. The worm defaces the web site with the phrase "This site is defaced!!! NeverEver NoSanity" and then seeks out other phpBB sites to attack, apparently using Google to locate the target viewtopic.php files. A Google search for the file currently returns more than 4 million results, while an MSN search lists more than 37,000 appearances of the defacement. Internet security firms are issuing public requests for Google to block these searches to limit the spread of the worm.
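The class of flaw the article describes, a value from the query string spliced into a database query so that the visitor's input becomes SQL, is shown below in an added example. It is not phpBB's viewtopic.php and not the worm's code: it is a tiny topic viewer in Python over an in-memory SQLite database, with a constructed schema, constructed rows (the password hash is an arbitrary value) and a constructed payload, placed beside the parameterised version that closes the hole.

```python
"""SQL injection of the class the article describes, beside the fix.

Added example, not phpBB's code: a tiny topic viewer over an in-memory
SQLite database. view_topic_vulnerable() builds its query by string
concatenation, so a crafted topic id rewrites the query; view_topic_safe()
validates the id and binds it as a parameter. Schema, rows and payload are
constructed for illustration.
"""
import sqlite3


def make_db():
    """Constructed forum data: one visible topic, one hidden topic, one user."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE topics (topic_id INTEGER PRIMARY KEY, title TEXT, hidden INTEGER);
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO topics VALUES (1, 'Welcome to the forum', 0);
        INSERT INTO topics VALUES (2, 'Moderators only', 1);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return db


def view_topic_vulnerable(db, topic_id):
    """The untrusted query-string value is pasted straight into the SQL text."""
    sql = "SELECT title FROM topics WHERE hidden = 0 AND topic_id = " + topic_id
    return [row[0] for row in db.execute(sql)]


def view_topic_safe(db, topic_id):
    """Reject anything that is not an integer, then bind it as a parameter.

    The bound value is data to the database engine, never SQL syntax, so the
    hidden-topic filter cannot be bypassed and other tables cannot be read.
    """
    try:
        tid = int(topic_id)
    except ValueError:
        return []
    sql = "SELECT title FROM topics WHERE hidden = 0 AND topic_id = ?"
    return [row[0] for row in db.execute(sql, (tid,))]


# Constructed payload: defeats the hidden filter and appends a second SELECT
# that pulls user names and password hashes into the "title" column.
PAYLOAD = "1 OR 1=1 UNION SELECT username || ':' || password_hash FROM users"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id:", view_topic_vulnerable(db, "1"))
    print("vulnerable, payload:  ", view_topic_vulnerable(db, PAYLOAD))
    print("safe, payload:        ", view_topic_safe(db, PAYLOAD))
```

With a normal id both versions return the one visible topic; with the payload the concatenating version returns the hidden topic and the admin credential row as well, while the parameterised version returns nothing because the payload is not an integer.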
In a bold bid to raise its brand awareness beyond the web hosting community, Go Daddy will purchase a Super Bowl ad, a tactic once seen as a symbol of dot-com excess. Advertising time for the Feb. 6 NFL football championship game costs $2.4 million for a 30-second spot.
Go Daddy has experienced explosive growth in 2004, ending the year with 2.9 million web-facing hostnames, as measured by our Hosting Provider Switching Analysis. It also expanded aggressively into shared hosting and SSL certificates. But its leadership in the domain business hasn't given the Scottsdale, Ariz. provider the name recognition of Yahoo or Interland, two of its chief competitors in the small business hosting market.
"We have the best value proposition of any registrar ... We didn't understand why everybody doesn't do business with us," Go Daddy CEO Bob Parsons told Clickz.com. "We commissioned some market research six months ago, took a hard look at people who aren't doing business with us, and concluded that they aren't aware of us. So what better way to enter (an awareness campaign) than to use the Super Bowl?"