New Phishing Attack Uses Basic Auth URLs to Trick Users and Steal Login Credentials


Early October 2025 witnessed the resurgence of a retro phishing technique that exploits legacy Basic Authentication URLs to deceive users into divulging sensitive credentials.

Threat actors crafted links of the form https://<username>:<password>@<attacker host> (the placeholders stand in for the values, which vary per campaign), embedding a trusted institution’s domain in the username field to visually mimic legitimate services.

When users click these links, their browsers authenticate to the malicious domain specified after the @ symbol, which silently harvests the credentials that were meant for the impersonated site.

This tactic is particularly effective in mobile apps and email clients that truncate long URLs, showing only the deceptive portion before the @ symbol.

Netcraft analysts noted the first wave of these attacks targeting GMO Aozora Bank customers in Japan, where the attackers registered URLs such as hxxps://gmo-aozora.com%[email protected]/sKgdiq.

Victims encountering these links in phishing emails were prompted to complete a Japanese-language CAPTCHA page designed to simulate a legitimate security check.

Figure: CAPTCHA page captured before URLs became inactive (Source – Netcraft)

Despite modern browsers supporting Basic Auth URLs, this format has fallen out of favor due to security concerns, making it an unexpected vector that evades casual URL scrutiny.

Following the initial discovery, Netcraft researchers identified more than 200 unique Basic Auth phishing URLs in a two-week period.

Attacks impersonated major brands including Amazon, Google, and Netflix, often cloaking malicious domains behind familiar names.

One example spoofed Netflix, luring recipients into clicking a link that seemed legitimate but directed them to a credential-stealing script hosted on themiran.net.

The coordinated use of multiple malicious domains and encoded tokens strengthened the illusion of legitimate authentication flows.

Beyond simple credential harvesting, these phishing links also implemented human verification CAPTCHAs to delay automated takedown efforts and to reinforce trust among victims.

The CAPTCHA page emulated a security checkpoint, requiring users to click “I am not a robot” before proceeding to a counterfeit login form. This extra step both increased the perceived legitimacy of the page and gave attackers additional time to capture credentials.

Infection Mechanism and Credential Exfiltration

Upon clicking a compromised Basic Auth URL, the victim’s browser issues an HTTP GET request with the credentials field set to the trusted domain text.

For example:

GET /sKgdiq HTTP/1.1  
Host: coylums.com  
Authorization: Basic Z21vLWFvem9yYS5jb206  

Here, Z21vLWFvem9yYS5jb206 is the Base64-encoded representation of the string gmo-aozora.com: (the bank’s domain as the username, a colon, and an empty password). The server decodes this header to confirm the presence of the embedded “username,” then serves the phishing page that mimics the bank’s login interface.

Submitted credentials are sent via a POST request to the attacker’s backend endpoint, where they are collected for later misuse.

This mechanism bypasses typical URL filters that focus on query strings rather than embedded authentication tokens.

By reviving this outdated HTTP feature, attackers have demonstrated how legacy standards can be repurposed for modern phishing campaigns.

Financial institutions and security teams should update URL inspection rules to detect and block Basic Authentication tokens in links, and educate users about the dangers of URLs that carry embedded credentials before the @ symbol.
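The inspection rule described above, as an added example that is not part of the article or Netcraft’s tooling: it pulls URLs out of free text, reports the real destination host after the last @ together with the attacker-chosen text before it, flags userinfo that is shaped like a brand domain, and decodes the Authorization: Basic header from the request shown earlier. The sample email body is constructed; the host and path come from the article, while the %2F padding after the lure domain and the other two URLs are assumptions.

```python
import base64
import re
from urllib.parse import urlsplit, unquote

# Hostname-shaped text such as "gmo-aozora.com": a brand/domain lure in the
# userinfo rather than an ordinary account name.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$", re.I)
# Picks URLs out of free text; also accepts defanged hxxp(s):// notation.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s<>\"']+", re.I)

def inspect_url(url):
    """Describe the userinfo (text before '@') of `url`, or None if it has none.
    The browser connects to the host after the last '@'; everything before it is
    display text the link author controls and may be percent-encoded."""
    parts = urlsplit(url.replace("hxxp", "http", 1))
    if parts.username is None and parts.password is None:
        return None
    shown = unquote(parts.username or "")
    return {
        "real_host": parts.hostname,   # where the request actually goes
        "userinfo": shown,             # what a truncating UI would display
        "lookalike_domain": bool(HOSTNAME_RE.match(shown.split("/")[0])),
        "path": parts.path,
    }

def find_userinfo_links(text):
    """Return inspect_url() findings for every userinfo-bearing URL in `text`."""
    findings = (inspect_url(m.group(0)) for m in URL_RE.finditer(text))
    return [f for f in findings if f]

def decode_basic_auth(header_value):
    """Decode an 'Authorization: Basic <b64>' value into (user, password)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # covers binascii.Error (malformed or mis-padded token)
        return None
    user, _, password = raw.partition(":")
    return user, password

# Constructed sample email body (not a real message). The %2F padding after the
# lure domain is an assumption; host and path come from the request in the article.
SAMPLE_BODY = """\
Please confirm your account: hxxps://gmo-aozora.com%2F@coylums.com/sKgdiq
Help centre: https://example.com/help
Internal mirror: https://user:pass@internal.example.net/repo
"""
```

Running find_userinfo_links(SAMPLE_BODY) returns two findings: the bank lure resolving to coylums.com with lookalike_domain set, and the internal mirror with ordinary userinfo, so a mail filter can block the former and merely warn on the latter.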
