Netcraft Anti-Phishing Toolbar
by Chris Taylor
probably received them - emails from eBay, PayPal,
Citizens Bank, or whatever - that ask you to come to the
web site to correct some problem. Maybe there was a
security problem and they need you to verify activity on
your account. Or maybe there were billing problems and
they need your account information updated.
The trouble is - the email didn't come from that company.
And when you click the handy link in the email, you are
taken to a web site that looks like the legit site, but
is run by thieves out to steal your money. If you make
the mistake of actually logging into the site, you have
just given some miscreant all the information they need
to log onto the legitimate site and empty your accounts.
That email was a phish. And the site you went to was a
phishing site. For a more complete description of
phishing, see http://toolbar.netcraft.com/help/faq/index.html#phishing.
Identifying phishing emails
Most phishing emails are really easy for me to identify.
I don't have an account with eBay, PayPal, Barklays Bank,
etc. so when I see them, I know they are not legitimate.
But what if I was an eBay user? Some of these emails look
pretty good. Who knows, it might be legit. A quick trip
to the security center at eBay found, "eBay will not
ask you to provide sensitive information such as eBay
passwords, social security numbers and credit card
numbers through email." Phishing has become so
commonplace that, in fact, only a very foolish company
would actually send out such an email.
OK, so maybe you don't see any evidence saying the
company doesn't send out emails like that. And you think
it might be a legitimate email. How can you be sure?
First, never trust a link provided in an email. If the
email is formatted in HTML, the text you see in the email
could be deceptive. While the visible text might say https://www.paypal.com/cgi-bin/webscr?cmd=_login-run,
which looks like a site owned by PayPal, the underlying
link may send you to http://login.paypalaccountverify.com/,
which is definitely not owned by PayPal. If you hover the
mouse over a link in most email programs, either a
tooltip or the status bar will show the real underlying
link. Be especially suspicious if the underlying link
does not match the visible text or if the link is a
numeric IP address (such as http://18.104.22.168/ebay/verify.php)
rather than a domain name.
If you want to visit a site referenced in an email, the
best bet is to manually go to the site. After all, if you
are a customer, you probably already have their site
bookmarked in your browser. Use your bookmark or manually
type in the address of the web site in your browser.
Or, if you think the email might be for real and you are
worried what might happen if you ignore it, you can pick
up the phone and contact your company to see if the
request was legitimate.
Toolbar to the rescue
But now there is another option. Netcraft, a company that
provides network security services as well as some pretty
extensive research data on the Internet, wrote an
anti-phishing toolbar for Internet Explorer. It is a very
cool, free download from their site at http://toolbar.netcraft.com.
installed, if you attempt to browse to a site that is a
known phishing site, a pop-up will block the access. If
you really want to, you can go to the page anyhow. But
you have been warned.
happen across a new phishing site not caught by the
toolbar, you can use one of the toolbar options to report
the site to Netcraft. If Netcraft confirms that it is a
phishing site, and you are the first to report it, you
will get a free gift from Netcraft. I received a coffee
mug for reporting my first phishing site.
Although the Netcraft anti-phishing toolbar is good, it
is not a perfect solution. Why? Because it only blocks
access to known phishing sites. There are new ones coming
all the time. As of late April, Netcraft's database of
known phishing sites contained some 5,400 entries. Ten of
those were first reported by yours truly. If I can be the
first to report ten phishing sites, you can bet there is
a constant stream of new ones.
The toolbar also reports some information about any site
you visit that may help you determine its legitimacy.
If Netcraft has seen the site before, there is the month
and year when Netcraft first started tracking the site.
For OPCUG.CA, it shows Apr 2002. We registered the domain
name in October 2001, so that seems reasonable. If you
were browsing to your bank and it showed that this was a
new site that Netcraft had never seen before, it might
make you suspicious. There is also a link to the Netcraft
site report which provides technical details about the
site, what web server it is using, who hosts the DNS
records for the domain name, and more.
shows the country flag and the 2-letter ISO code for the
country in which the site is hosted. If your bank site
shows up as being hosted in Korea or Uzbekistan,
you might think twice about entering in your
account number and password.
Another useful feature of the toolbar is the Risk Rating.
A site's risk rating goes up with factors such as the
domain registration being new, hosting a web site from an
IP address rather than a domain name, a web site running
on an unusual port, or on a network known to host
phishing site, and more. It provides a nice, at-a-glance,
view of the riskiness of a site.
The Netcraft site has lots of information about phishing.
There is a list of phishiest countries, a glossary to
help you with the lingo, and lots more. Check it out.
The toolbar checks for updates every time you load
Internet Explorer as well as once a day if you have not
closed IE. Typically I have found that, once I reported a
phishing site, within an hour, the site was being blocked
by the toolbar. Not too shabby.
While I would not consider a site safe just because it
was not blocked by the Netcraft toolbar, the extra
information provided by the toolbar can help you
determine if a site is legitimate. And the chance that it
might block access to a phishing site can be really
helpful if others using your computer click on any link
The Netcraft toolbar requires Internet Explorer. I was
told in early May by someone at Netcraft that a version
for Firefox is under development and should be released
"in the near future." But, according to a page
at the Netcraft site, it has been in development since
before Christmas, so you might not want to hold your
Cost: free download from http://toolbar.netcraft.com
Internet Explorer on Windows 2000/XP
Late breaking news:
In addition to supporting Internet Explorer, as of May
24th, the Netcraft anti-phishing toolbar is available for
Firefox as well. Oh, and I am up to 20 phishing sites
where I was the first to report the site.
Netcraft Anti-Phishing Toolbar (Freeware)
Originally published: October, 2005
top of page
The opinions expressed in these reviews
do not necessarily represent the views of the
Ottawa PC Users' Group or its members.