As of 1st June 2010, the Netcraft Toolbar community has helped to block over 3 million phishing attacks worldwide. We incentivise phishing reports from the Toolbar community, and have now added the iPad to our list of incentives:
(after 100 validated phishing reports)
Netcraft Polo Shirt
Targus Laptop Backpack
On reaching 5,000 validated reports you become eligible for a monthly competition to incentivise large reporters.
The Netcraft Toolbar, which is available for Firefox, serves as a giant neighbourhood watch scheme for the Internet. Members who encounter a phishing fraud can act to defend the larger community of users against the attack. Once the first recipients of a phishing mail have reported the attack URL, it is blocked for toolbar users who subsequently access the URL, and widely disseminated attacks simply mean that the phishing attack will be reported and blocked sooner.
Changes to Netcraft phishing report processing:
Until recently we have rejected reports for URLs which were already blocked by the Netcraft Toolbar. We now accept reports on URLs which are already blocked if the phishing URL targets a different company to any previously accepted reports.
For example, if we receive a report of a phishing URL at http://[example-domain]/directory/paypal targeting PayPal customers and we decide to block all URLs beginning with http://[example-domain]/directory/, a subsequent report of the URL http://[example-domain-here]/directory/HSBC targeting HSBC customers will now be accepted even though access to that URL is already blocked by our Toolbar.
Each accepted report counts towards your incentives. Therefore, when you see a site with multiple phishing URLs targeting multiple companies, please report them all!
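The acceptance rule described above can be modelled as follows. This is an added example, not Netcraft's code: the `ReportQueue` class, the string-prefix matching, the case-insensitive company comparison and the `phish.example` URLs are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def normalise(url: str) -> str:
    """Lower-case scheme and host; keep the path as reported."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"


@dataclass
class ReportQueue:  # hypothetical name, for illustration only
    # blocked URL prefix -> companies already credited under that block
    blocks: dict = field(default_factory=dict)

    def covering_block(self, url: str):
        """Return the longest blocked prefix covering url, or None."""
        u = normalise(url)
        hits = [b for b in self.blocks
                if u == b or (b.endswith("/") and u.startswith(b))]
        return max(hits, key=len) if hits else None

    def is_blocked(self, url: str) -> bool:
        return self.covering_block(url) is not None

    def submit(self, url: str, target: str, block_prefix: str = None) -> bool:
        """Return True if the report is accepted (counts for the reporter)."""
        company = target.strip().lower()
        block = self.covering_block(url)
        if block is None:
            # New attack: the reviewer picks the scope to block
            # (assumed default: the exact URL reported).
            self.blocks[normalise(block_prefix or url)] = {company}
            return True
        if company in self.blocks[block]:
            return False  # already blocked for this company: rejected
        self.blocks[block].add(company)  # already blocked, new target: accepted
        return True


if __name__ == "__main__":
    q = ReportQueue()
    # Constructed URLs on a reserved example domain.
    print(q.submit("http://phish.example/directory/paypal", "PayPal",
                   block_prefix="http://phish.example/directory/"))
    print(q.is_blocked("http://phish.example/directory/HSBC"))
    print(q.submit("http://phish.example/directory/HSBC", "HSBC"))
    print(q.submit("http://phish.example/directory/paypal2", "PayPal"))
```
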
Netcraft has developed a dataset which tracks the changes in the hosting locations of the million busiest websites. Each month we determine the busiest sites by the number of visits from users of the Netcraft Toolbar. This is then combined with detailed hosting information gathered by our Web Server Survey, and compared with the equivalent information from the previous month.
Many sites' locations will be unchanged, but some will have moved from one hosting provider to another during the course of the month. Additionally, hosting companies may gain new sites that were not previously in the top million, and lose sites which are no longer present.
The dataset gives a guide to the market share of companies hosting the sites responsible for the great majority of web traffic, and is largely uninfluenced by parked domains, personal sites, shared hosting accounts or the majority of blogs.
Excerpts from March to April 2010
Peer1 Networks Inc
iWeb Technologies Inc
iomart group plc
Gains from Not Ranked indicate that a site has entered the top million this month. Losses from Not Ranked indicate that the site is no longer in the top million.
Although the top 1000 sites are concentrated amongst the web superpowers, Google, Microsoft, Yahoo and eBay, the hosting locations of the top million sites are widely fragmented, with a little over 3.25% sufficient for top spot.
An advantage of this dataset over the Hosting Provider Switching Analysis is the ability to analyse movement between competing hosting providers on a per-site basis. With this feature, the current and previous hosting locations, netblock, operating system and server software for each site are shown.
As of 1st January 2009, the Netcraft Toolbar community has blocked 1.9 million phishing attacks. To provide an incentive for the community to send us reports of phishing sites, reporters now receive the following goodies from Netcraft:
Upon reaching 4,000 you become eligible for a monthly competition to incentivise large reporters.
To track the progress, we have a leaderboard displaying the people with the largest number of accepted reports so far this month, identified by their first names to preserve their anonymity.
The Netcraft Toolbar, which is available for both Internet Explorer and Firefox, serves as a giant neighborhood watch scheme for the Internet: members who encounter a phishing fraud can act to defend the larger community of users against the attack. Once the first recipients of a phishing mail have reported the target URL, it is blocked for toolbar users who subsequently access the URL, and widely disseminated attacks simply mean that the phishing attack will be reported and blocked sooner.
Looking back at 2008, Netcraft has seen phishing attacks evolve, with fraudsters using progressively sneakier tactics:
October 2008 saw an attack against Yahoo! which was used to steal authentication cookies from its users. The cross-site scripting vulnerability on Yahoo!'s own website allowed the fraudster to steal the details simply as a result of a victim visiting the page.
The two-edged nature of how browsers present Extended Validation (EV) SSL certificates was highlighted after a cross-site scripting vulnerability was demonstrated on paypal.com. This flaw would have allowed hackers to carry out highly plausible attacks, adding their own content to the site and stealing credentials from users.
Phishers branched out into telephone phishing. Victims were asked to phone a toll free number to reactivate their card.
Fraudsters found a cross-site scripting vulnerability on an Italian bank's website. This was used to orchestrate an attack against the bank, using its own HTTPS website URL.
The Netcraft Toolbar is available for the Firefox 3 web browser. The Netcraft Toolbar offers protection against phishing by using Netcraft's phishing database to block known phishing sites and provides a convenient mechanism for reporting newly discovered phishing sites.
In addition to blocking known phishing sites, the Netcraft Toolbar also displays a Risk Rating for all new sites it encounters. The Risk Rating — a user-friendly visual summary of the information displayed by the toolbar — evaluates new sites against characteristics of the phishing sites reported to date. Sites which are deemed safe will show a low Risk Rating, while riskier sites will show higher ratings based on a number of factors. To make it easier to judge whether you wish to continue browsing a site, the toolbar also shows which country and netblock the site is hosted in, and when the site was first seen.
Knowing which country a site is hosted in can help you spot risky content and highlight DNS poisoning attempts – if your US online banking site suddenly appears to be hosted in Russia, that would give good cause to be suspicious.
Some countries attract a large number of phishing incidents, often due to lax security or the increased likelihood of phishing sites staying around for longer. One particularly notable example is Cameroon, where the number of phishing attacks has exceeded the total number of sites hosted in that country. Netcraft publishes statistics on the phishiest countries in the world. You can also see how popular a site is with Netcraft's site rank.
A detailed site report shows further information about each site, including the web server's uptime:
Win an iPod
Netcraft gives away iPods to the top five reporters of validated phishing sites. A leaderboard tracks the top reporters for each monthly competition.
When you visit a page that you believe to be a phishing site, reporting it to Netcraft will allow other toolbar users to benefit from your vigilance. After you report a URL, Netcraft will review the report and block the page if it is confirmed to be part of a phishing incident.
UPDATE: Google have announced that iGoogle will be deprecated; these gadgets are therefore no longer available for download.
Netcraft has released a collection of 3 gadgets that can be added to your personalized Google homepage.
What's that site running?
The What's That Site Running gadget gives convenient access to Netcraft's Web Server Query service, and will let you find out everything there is to know about a web site, such as where it is hosted, and what software it is running.
The Netcraft News gadget displays the latest news on web security, phishing and web hosting. This gadget can be configured to display the date and short article summaries.
Report a phishing site
The Report a Phishing Site gadget allows you to submit suspected phishing sites to Netcraft. The gadget can remember your name and email address, so each time you stumble upon a new phishing site, all you have to do is enter the fraudulent URL and the reason for it being reported. All accepted submissions are placed into the monthly iPod contest, where the top 5 reporters will win a top-of-the-range iPod.
Netcraft has adopted the Mirror Image content distribution network for the Netcraft Toolbar, with all of the toolbar requests now carried over the Mirror Image network.
The deployment of a global caching system brings faster and more consistent response times to people using the toolbar throughout the world. Additionally it helps the toolbar system scale smoothly, as the numbers of people using the toolbar have grown quickly since the release of the Firefox version of the toolbar in May.
Mirror Image’s system provides a substantial performance improvement as shown by the response time for the toolbar with Mirror Image (blue), compared to before (green):
Mirror Image's global content caching and distribution network has provided perceptible improvements in response times for the toolbar throughout the world. The toolbar's response time, as measured by our monitors in seven data centers, had been averaging 0.29 seconds. The shift to Mirror Image has accelerated performance, reducing the toolbar's average response time to 0.12 seconds, with reductions of between 47 and 74 percent from various points around the globe.
The toolbar community is effectively a giant neighborhood watch scheme, in which the most alert and expert members act to defend the larger community of users against phishing frauds. Once the first recipients of a phishing mail have reported the target URL, it is blocked for toolbar users who subsequently access the URL. Widely disseminated attacks (people constructing phishing attacks send literally millions of electronic mails in the expectation that some will reach customers of the bank) simply mean that the phishing attack will be reported and blocked sooner.
The Phishing Site Feed is also available to ISPs and Enterprises who wish to protect their customers or employees against phishing.