Ottawa PC Users' Group, Inc.
Product Review


Netcraft Anti-Phishing Toolbar
by Chris Taylor

You have probably received them - emails from eBay, PayPal, Citizens Bank, or whatever - that ask you to come to the web site to correct some problem. Maybe there was a security problem and they need you to verify activity on your account. Or maybe there were billing problems and they need your account information updated.

The trouble is - the email didn't come from that company. And when you click the handy link in the email, you are taken to a web site that looks like the legit site, but is run by thieves out to steal your money. If you make the mistake of actually logging into the site, you have just given some miscreant all the information they need to log onto the legitimate site and empty your accounts.

That email was a phish. And the site you went to was a phishing site. For a more complete description of phishing, see
http://toolbar.netcraft.com/help/faq/index.html#phishing.

Identifying phishing emails

Most phishing emails are really easy for me to identify. I don't have an account with eBay, PayPal, Barclays Bank, etc., so when I see them, I know they are not legitimate.

But what if I were an eBay user? Some of these emails look pretty good. Who knows, it might be legit. A quick trip to the security center at eBay found, "eBay will not ask you to provide sensitive information such as eBay passwords, social security numbers and credit card numbers through email." Phishing has become so commonplace that only a very foolish company would actually send out such an email.

OK, so maybe you don't see any evidence saying the company doesn't send out emails like that. And you think it might be a legitimate email. How can you be sure?

First, never trust a link provided in an email. If the email is formatted in HTML, the text you see in the email can be deceptive. While the visible text might say https://www.paypal.com/cgi-bin/webscr?cmd=_login-run, which looks like a site owned by PayPal, the underlying link may send you to http://login.paypalaccountverify.com/, which is definitely not owned by PayPal. If you hover the mouse over a link in most email programs, either a tooltip or the status bar will show the real underlying link. Be especially suspicious if the underlying link does not match the visible text or if the link is a numeric IP address (such as http://66.90.75.103/ebay/verify.php) rather than a domain name. Read the domain name from the right-hand end, too: a link such as http://www.paypal.com.example.net/ belongs to example.net, not to PayPal, no matter how familiar the left-hand part looks.
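The hover check described above can be automated. The following Python script is an added example for this review, not part of the Netcraft toolbar or any Netcraft code. It pulls every link out of an HTML message, compares the host named in the visible text with the host in the real href, and flags links whose host is a numeric IP address. The sample message is constructed from the addresses quoted in the paragraph above.

```python
"""Inspect the links in an HTML e-mail the way a careful reader would:
compare the visible text with the real href and flag numeric-IP hosts.
Added example; the sample message below is constructed for illustration."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: link 1 shows a PayPal address but points elsewhere,
# link 2 points at a bare IP address, link 3 is consistent.
SAMPLE_EMAIL = """
<p>Please visit <a href="http://login.paypalaccountverify.com/">
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a> to restore access.</p>
<p>Or <a href="http://66.90.75.103/ebay/verify.php">Verify</a> your account.</p>
<p>Help: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_literal(host):
    """True when the host part of a URL is a numeric IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_of(text):
    """Hostname of a URL-like string, or None if the text is not a URL."""
    if "://" not in text:
        if not text.startswith("www."):
            return None
        text = "http://" + text
    return urlsplit(text).hostname


def check_links(html):
    """Return [(href, [warnings])] for every link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = host_of(href)
        shown = host_of(text)
        flags = []
        if real and is_ip_literal(real):
            flags.append("numeric IP host")
        if shown and real and shown.lower() != real.lower():
            flags.append(f"visible text says {shown}, link goes to {real}")
        findings.append((href, flags))
    return findings


if __name__ == "__main__":
    for href, flags in check_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(flags) or "no obvious problem")
```

A link with no warnings is not thereby safe; the check only catches the two tricks the text describes, and a lookalike domain that is used consistently in both the text and the href passes it.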

If you want to visit a site referenced in an email, the best bet is to manually go to the site. After all, if you are a customer, you probably already have their site bookmarked in your browser. Use your bookmark or manually type in the address of the web site in your browser.

Or, if you think the email might be for real and you are worried about what might happen if you ignore it, you can pick up the phone and call the company, using a number you already have rather than one printed in the email, to see if the request was legitimate.

Toolbar to the rescue

But now there is another option. Netcraft, a company that provides network security services as well as some pretty extensive research data on the Internet, wrote an anti-phishing toolbar for Internet Explorer. It is a very cool, free download from their site at
http://toolbar.netcraft.com.

Once installed, if you attempt to browse to a known phishing site, a pop-up blocks access. If you really want to, you can go to the page anyhow. But you have been warned.

If you happen across a new phishing site not caught by the toolbar, you can use one of the toolbar options to report the site to Netcraft. If Netcraft confirms that it is a phishing site, and you are the first to report it, you will get a free gift from Netcraft. I received a coffee mug for reporting my first phishing site.

Although the Netcraft anti-phishing toolbar is good, it is not a perfect solution. Why? Because it only blocks access to known phishing sites. There are new ones coming all the time. As of late April, Netcraft's database of known phishing sites contained some 5,400 entries. Ten of those were first reported by yours truly. If I can be the first to report ten phishing sites, you can bet there is a constant stream of new ones.

The toolbar also reports some information about any site you visit that may help you determine its legitimacy.

If Netcraft has seen the site before, there is the month and year when Netcraft first started tracking the site. For OPCUG.CA, it shows Apr 2002. We registered the domain name in October 2001, so that seems reasonable. If you were browsing to your bank and it showed that this was a new site that Netcraft had never seen before, it might make you suspicious. There is also a link to the Netcraft site report which provides technical details about the site, what web server it is using, who hosts the DNS records for the domain name, and more.

The toolbar shows the country flag and the 2-letter ISO code for the country in which the site is hosted. If your bank site shows up as being hosted in Korea or Uzbekistan, well…you might think twice about entering in your account number and password.

Another useful feature of the toolbar is the Risk Rating. A site's risk rating goes up with factors such as a new domain registration, a web site served from an IP address rather than a domain name, a web site running on an unusual port, hosting on a network known to host phishing sites, and more. It provides a nice, at-a-glance view of the riskiness of a site.
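To show how a rating like that can be assembled from the factors just listed, here is an added Python sketch. It is not Netcraft's code and says nothing about how Netcraft actually weights things: the weights, the 90-day "new registration" threshold and the sample "known phishing" network are invented for illustration, and the registration date and resolved IP address are passed in as arguments so the example runs offline.

```python
"""Toy risk rating for a URL from the signals the review lists: new
registration, IP-literal host, unusual port, known-bad network.
Added example; weights, threshold and the bad-network list are invented."""
import ipaddress
from datetime import date
from urllib.parse import urlsplit

# Constructed: pretend this documentation range has hosted phishing sites.
BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Invented weights; a real rating would be calibrated against observed sites.
WEIGHTS = {
    "ip literal host": 30,
    "unusual port": 20,
    "registered under 90 days ago": 25,
    "hosted on known phishing network": 40,
}


def risk_rating(url, registered=None, today=None, resolved_ip=None):
    """Return (score 0..100, [reasons]).

    registered  -- the domain's registration date, if known (e.g. from WHOIS)
    today       -- reference date; defaults to date.today()
    resolved_ip -- the address the host resolves to, supplied by the caller
                   so that no DNS lookup is needed here
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []

    # Factor 1: the site is addressed by a bare IP instead of a domain name.
    try:
        ip = ipaddress.ip_address(host)
        reasons.append("ip literal host")
    except ValueError:
        ip = ipaddress.ip_address(resolved_ip) if resolved_ip else None

    # Factor 2: anything other than the default HTTP/HTTPS ports.
    if parts.port not in (None, 80, 443):
        reasons.append("unusual port")

    # Factor 3: a freshly registered domain.
    if registered is not None:
        today = today or date.today()
        if (today - registered).days < 90:
            reasons.append("registered under 90 days ago")

    # Factor 4: the hosting address falls in a network with a phishing history.
    if ip is not None and any(ip in net for net in BAD_NETWORKS):
        reasons.append("hosted on known phishing network")

    score = min(100, sum(WEIGHTS[r] for r in reasons))
    return score, reasons


if __name__ == "__main__":
    # Constructed inputs: a fresh, IP-addressed, odd-port site on the bad network
    print(risk_rating("http://203.0.113.7:8080/login",
                      registered=date(2005, 4, 20), today=date(2005, 5, 1)))
    # An established domain on a clean address
    print(risk_rating("https://www.opcug.ca/", registered=date(2001, 10, 1),
                      today=date(2005, 5, 1), resolved_ip="198.51.100.5"))
```

A low score here means only that none of these four signals fired; as the review says of the toolbar itself, it is a hint to look harder, not a clean bill of health.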

The Netcraft site has lots of information about phishing. There is a list of phishiest countries, a glossary to help you with the lingo, and lots more. Check it out.

The toolbar checks for updates every time you load Internet Explorer as well as once a day if you have not closed IE. Typically I have found that, once I reported a phishing site, within an hour, the site was being blocked by the toolbar. Not too shabby.

While I would not consider a site safe just because it was not blocked by the Netcraft toolbar, the extra information provided by the toolbar can help you determine if a site is legitimate. And the chance that it might block access to a phishing site can be really helpful if others using your computer click on any link they see.

The Netcraft toolbar requires Internet Explorer. I was told in early May by someone at Netcraft that a version for Firefox is under development and should be released "in the near future." But, according to a page at the Netcraft site, it has been in development since before Christmas, so you might not want to hold your breath.

Cost: free download from
http://toolbar.netcraft.com

Requirements: Internet Explorer on Windows 2000/XP

Late breaking news:

In addition to supporting Internet Explorer, as of May 24th, the Netcraft anti-phishing toolbar is available for Firefox as well. Oh, and I am up to 20 phishing sites where I was the first to report the site.


Bottom Line:

Netcraft Anti-Phishing Toolbar
from Netcraft
Free download from http://toolbar.netcraft.com



Copyright and Usage
Ottawa Personal Computer Users Group (OPCUG), Inc.
3 Thatcher Street, Ottawa, ON  K2G 1S6

The opinions expressed in these reviews do not necessarily
represent the views of the OPCUG or its members.
