A forthcoming update to Internet Explorer will disallow the use of the "@" character in URLs, addressing an issue which has helped fraudsters to obscure the true destination in a web site addresses. Once the update is installed, including the @ symbol in urls will return an "invalid syntax error" message. Microsoft's advisory did not say when the update would be available.
Presently, using @ signs in urls is a conventional approach for fraudsters trying to trick bank customers into revealing their account details. including recent attacks on customers of Barclays and Citibank among others. To make the url appear plausible, attackers conventionally put an "@" sign in the url, where the text to the left of the "@" is the name of the site to which the victim is expecting to connect to, and the text to the right of it is the location of the attackers site.
When the http protocol was originally designed, the "@" character was intended to denote a username at a particular site, in the style of https://sir.tim.berners-lee@www.w3.org where sir.tim.berners-lee is the username, and www.w3.org is the name of the site.
News source: Netcraft
1 Comment - Add comment