The technique, which can be exploited by anyone with a rudimentary knowledge of HTML tags, is being demonstrated on several web sites. URLs with an '@' such as
http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495& usersoption=SecurityUpdate&StateLevel=GetFrom@126.96.36.199/verified_by_visa.html[the text to the left of the @ in a url is taken to be a user account on the sitename which follows] are commonly used by fraudsters launching electronic mail fraud attacks on customers of banks and credit card companies.
In the example Explorer serves a page from the local server, while displaying the url as www.microsoft.com.
Microsoft's immediate response is to recommend that people only enter sensitive information on SSL sites, after checking the certificate details.
Mozilla [both Windows and Linux versions] displays the url correctly.
Posted by Rich Miller in Security
Your link here? Advertising on the Netcraft Blog