Netcraft’s Android app now available on the Amazon Appstore

Netcraft's new anti-phishing app, already available in the Google Play store, has just been released to the Amazon Appstore. The iOS app is with Apple for review.

Available at Amazon Appstore Get it on Google Play

Android web browsers lack comprehensive protection against malicious websites, and in most cases only block a small fraction of the sites blocked by their desktop counterparts. The Netcraft app solves this problem by extending our industry-leading phishing protection services to your mobile device. The app equips your Android device with Netcraft's continuously updated feed of phishing websites, and will alert you whenever you visit a site that's included in this blacklist.

The Netcraft app works with the most popular mobile web browsers on Android — including Amazon's Silk browser, Chrome, and Firefox — and other apps, such as Facebook, Twitter, and Slack.

The app's malicious site warning page in Amazon's Silk browser

The app's malicious site warning page in Amazon's Silk browser.

See our original post about the app for more information.

Download the app on Google Play or the Amazon Appstore now to protect yourself from phishing threats on your Android device. Subscribe to our mailing list to be among the first to hear when the Netcraft app for iOS is available, along with other news items from Netcraft.

Netcraft releases anti-phishing app for Android

Netcraft has developed a new anti-phishing app for Android to defend against fraudulent sites. The Netcraft app is available now on Google Play and at the Amazon Appstore. The Netcraft app for iOS is with Apple for review.

Available now on Google Play
Available at Amazon Appstore

Netcraft's new Android app provides rapid protection against phishing threats, with new attacks blocked as soon as they're determined to be fraudulent by Netcraft. It offers free protection during a one-month trial, after which a monthly or annual subscription can be purchased. You can use the app to report phish to Netcraft without a subscription.

Protect yourself from harmful websites; Blocking backed by Netcraft's extensive feed of phishing websites.

Phishing is not confined to the desktop: in an analysis of a month's worth of log files recovered from phishing sites, Netcraft found that two thirds of visits came from mobile browsers. Some fraudsters also add mobile-specific user interfaces to their phishing attacks, making them even more effective against phone and tablet users.

Despite this, mobile browsers lack comprehensive anti-phishing protection, unlike their desktop counterparts. In a study performed last year, Netcraft found that iOS and Android browsers block only a fraction of the sites that are blocked by their desktop equivalents, leaving mobile users more exposed.

The app makes use of Netcraft's industry-leading anti-phishing feed, which is licensed to the leading web browser vendors, as well as anti-virus, firewall, intrusion detection and content filtering companies. Every day Netcraft processes millions of suspicious URLs to identify phishing attacks. Over 56 million unique phishing sites have been detected and blocked by Netcraft’s community to date.

The Netcraft app works with the most popular mobile web browsers on Android – including Chrome and Firefox – and other apps such as Facebook, Twitter, and Slack. In addition to blocking phish across the web, the app automatically detects phishing URLs in SMS messages, and will alert you to the danger with a notification.

Always up-to-date protection with real-time checks against our block list. Easily report phishing sites you encounter.

The app allows you to report phishing websites and SMS phishing attacks to Netcraft with just a few taps, protecting other users and making you part of a global safeguarding community.

Download the app on Google Play now to benefit from Netcraft's comprehensive mobile phishing protection on your Android devices. Desktop browser protection is also available in the Netcraft extension for Firefox, Google Chrome, and Opera. Subscribe to our mailing list to be amongst the first to hear when the Netcraft app for iOS is available, along with other news items from Netcraft.

Major update to Netcraft Anti-Phishing Extension for Firefox

An update to the Netcraft Anti-Phishing Extension for Mozilla Firefox is now available. This release replaces the Toolbar interface with a modern Button interface to sit alongside the browser's address bar.


The upcoming Firefox 57 — to be released on the 14th November — represents a major overhaul of the browser, and removes support for legacy XUL extensions. Future versions of Firefox will only support the new cross-browser WebExtensions API.

The Netcraft Anti-Phishing Extension (known then as the Netcraft Toolbar) was first made available for Internet Explorer in December 2004. A Firefox version followed in May 2005. The current button-style Anti-Phishing Extension was released for Google Chrome and the Opera browser in 2012 and 2013 respectively. The new extension enjoys a 4.5 star rating on the Google Chrome Store.

The Extension runs on any operating system supported by the desktop version of Mozilla Firefox and displays the hosting location, country, longevity, popularity, and an abstracted risk rating for each site visited. In particular its key features are:

  • Protection against phishing sites — The Netcraft anti-phishing community is effectively a giant neighbourhood watch scheme, empowering the most alert and most expert members to defend everyone within the community. As soon as the first recipients of a phishing mail report it, we can block it for all users of the extension providing an additional level of protection from Phishing. Netcraft processes reports of fraudulent URLs from a diverse variety of sources and proactively searches for new fraudulent sites.
  • Detailed site reports — simply click the Netcraft logo to access a wealth of information about the sites you visit, helping you to make informed choices about their safety.
  • Risk Ratings — we evaluate the characteristics of the site compared against those depicted by fraudulent sites. The result is a simple visual summary displayed on the site report.
  • Conveniently report suspected phishing & fraudulent sites — At the click of the button you can report suspected web forgeries to Netcraft, helping to protect the community. Netcraft operates an incentive scheme for Phishing site submissions, including iPads, backpacks, mugs, and more... Over 38.4 million phishing sites have been detected and blocked by Netcraft since the anti-phishing service was launched (November 2017).
  • Protection against cross site scripting (XSS) — The extension optionally traps XSS and other suspicious URLs which contain characters highly likely to deceive.

The Extension is available for download from the Firefox add-ons page and requires no special administrator privileges to install. Users of the existing Netcraft Anti-Phishing Toolbar will be upgraded automatically to the latest version.

Versions of the Extension are available for other browsers on the Google Chrome Store and Opera add-ons page.

Customised versions with corporate branding and navigation are also available.

Web Shells: The Criminal’s Control Panel

Web shells are an overlooked aspect of cyber crime and do not attract the level of attention of either phishing or malware. Nevertheless, Netcraft found more than 6,000 web shells during April 2017, which works out at around 1 new shell installation every 5 minutes. When web shells first appeared, the limit of their functionality was to transfer files and execute arbitrary shell commands. However, the best engineered web shells now provide well presented, sophisticated toolkits for diverse crimes, with facilities for password cracking, privilege elevation, network reconnaissance, phishing, spamming and DDoS, not solely available through a web based user interface but also accepting commands as part of a botnet.

An example of the WSO shell

An example of the hugely popular and feature-rich WSO (Web Shell by Orb) shell.

A number of shells offer the creation of a botnet in as little as a click, launching standalone processes that either connect to a command and control server or listen for commands over an insecure TCP connection. Some allow performing port scans to find potentially exploitable services. Others enable fraudsters to schedule denial of service attacks. There are shells dedicated to sending bulk spam emails, testing stolen credentials against popular websites (such as PayPal or Amazon), cracking passwords, and automatically defacing websites. With such a wide array of powerful features, it is unsurprising how popular web shells are with cyber criminals.

The WSO shell offers both bind shell and back connect options. Selecting one of these options will launch a standalone process that will connect to or listen for a connection from a remote command and control server - an easy method for the creation of a botnet.

WSO offers both bind shell and back connect options. Selecting one of these options will launch a standalone process that will connect to or listen for a connection from a remote command and control server - an easy method for the creation of a botnet.

The prevalence of these backdoors allows easy—and potentially persistent—access to thousands of compromised machines. If the web shell is missed during the webmaster's cleanup after an attack, removing the original phishing or malware content will be in vain, as the fraudster can use the web shell to upload new malicious material, or re-purpose the machine as an accessory to alternative forms of cyber crime.

Continue reading

I went to London and saw the Queen

Pussycat, Pussycat, where have you been? I've been to London and saw the Queen.

Yesterday, I went to the opening of the National Cyber Security Centre by Her Majesty the Queen and HRH the Duke of Edinburgh. This was a more exclusive event than I had expected, and guests outside the NCSC were royalty, ministers, senior civil servants & people running NCSC partner companies.

The NCSC showed our countermeasures system to disrupt malware, phishing and advance fee fraud to guests, though I don't know whether the Queen saw it, as she & Prince Philip had a private viewing of the demonstrations.

I was introduced to the Queen and HRH Duke of Edinburgh, which I hadn't anticipated, and there's a picture from the Royal Family's twitter feed of me telling the Queen (sadly out of the picture to the left) and the Duke of Edinburgh what we do & how it works. I sensed that they liked the notion of counterattacking and disrupting attacks as opposed to passively blocking them. And, although our business is spread all around the world, it felt good to be contributing to something that makes the UK a safer and better place.

HRH the Duke of Edinburgh asks how it works

HRH the Duke of Edinburgh asks how it works

I must say how impressive the Queen and the Duke of Edinburgh are and how good they were with people at the event. At 90 & 95 respectively, few, if any people can have had more experiences and in a world where some of the most powerful elected politicians seem completely frazzled, how urbane & reasonable our monarch appears by contrast.

Counting SSL certificates

The SSL/TLS protocol — used to protect sensitive communication across the internet — combines encryption with authentication, providing a private connection to the intended recipient. To achieve this, SSL certificates bind together a cryptographic key and a domain name, and are digitally-signed by a trusted certificate authority (CA). Commercial CAs compete to sell certificates to the general public and account for the bulk of the SSL certificates seen on the internet.

Netcraft's SSL Server Survey has been running since 1996 and has tracked the evolution of this marketplace from its inception — there are now more than one thousand times more certificates on the web now than in 1996. As CAs issue certificates, and most charge (or not charge) accordingly, the number of certificates issued becomes the natural unit of measurement. Our survey therefore counts valid, trusted SSL certificates used on public-facing web servers, counting each certificate once, even if used on multiple websites.


Two types of certificates make the distinction between counting sites and certificates most apparent: multi-domain certificates and wildcard certificates. These two types now account for almost a quarter of all certificates found.

  • Multi-domain certificates (or UCC certificates) use the Subject Alternative Name extension to specify additional hostnames for which this certificate is valid — CloudFlare uses this technique heavily, having dozens of unrelated sites share the same certificate.
  • Wildcard certificates are valid for all possible subdomains of a domain, for example * would be valid for,,, etc. Our methodology counts a wildcard certificate once, no matter the number of sites for which it is valid.

Netcraft also counts certificates used by subdomains. For example, if, and are all using different SSL certificates, Netcraft will count all three certificates that have been issued.

Although the global SSL ecosystem is competitive, it is dominated by a handful of major CAs — three certificate authorities (Symantec, Comodo and GoDaddy) account for three-quarters of all issued SSL certificates on public-facing web servers. The top spot has been held by Symantec (or VeriSign before it was purchased by Symantec) ever since the survey began, with it currently accounting for just under a third of all certificates. To illustrate the effect of differing methodologies, amongst the million busiest sites Symantec issued 44% of the valid, trusted certificates in use — significantly more than its overall market share.

However, nothing ever stays still forever — Let's Encrypt could shake up the market for SSL certificates later on this year by offering free certificates with a simplified installation process. Whilst free certificates and automated tools are nothing new, the open approach and the backing of Mozilla, IdenTrust, the EFF, and Akamai could change the SSL ecosystem forever.

Beyond counting certificate numbers, Netcraft's SSL Survey also tracks the list and reseller prices of the most popular certificate authorities. This provides another useful market share metric, as it allows us to estimate the total monthly and annual revenue of each certificate authority attributable to public SSL issuance.

As each type of certificate — multi-domain, wildcard, or Extended Validation for example — is available at a distinct price point, the estimated revenue of a CA can vary significantly, despite initially appearing similarly sized by the total number of certificates. For example, GlobalSign comes in third-place when considering its estimated annual revenue (by list price) in 2014, despite accounting for approximately 6% of all currently valid publicly-visible SSL certificates.

For additional information or details on how to purchase Netcraft’s SSL Server Survey please contact us at or visit our web site.