Microsoft to remove support for usernames in http urls

A forthcoming update to Internet Explorer will disallow the use of the "@" character in URLs, addressing an issue which has helped fraudsters to obscure the true destination in a web site addresses. Once the update is installed, including the @ symbol in urls will return an "invalid syntax error" message. Microsoft's advisory did not say when the update would be available.

Presently, using @ signs in urls is a conventional approach for fraudsters trying to trick bank customers into revealing their account details. including recent attacks on customers of Barclays and Citibank among others. To make the url appear plausible, attackers conventionally put an “@” sign in the url, where the text to the left of the “@” is the name of the site to which the victim is expecting to connect to, and the text to the right of it is the location of the attackers site.

When the http protocol was originally designed, the “@” character was intended to denote a username at a particular site, in the style of where sir.tim.berners-lee is the username, and is the name of the site.

However, url encoded usernames have never been widely used, with websites typically using usernames and password and/or cookies to administer user sessions and state, and “@” in urls has almost exclusively been used for tricks, jokes, and scams.

Fraudsters have also been able to use a bug to trick Internet Explorer into displaying an incorrect URL in its address and status bars when the "%01" character is included in a web link, effectively masking the characters following it with URLs in this format:

Microsoft offers alternate methods of automating user logins in its advisory.

Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.