Netcraft recently uncovered a suspicious URL targeting GMO Aozora Bank, a Japanese financial institution. The URL leveraged a legacy web technique—Basic Authentication URL formatting—to visually impersonate the bank and deceive customers.
This discovery prompted a broader review of phishing activity that still relies on this old but effective technique, exposing how threat actors can reuse deprecated web standards to bypass casual inspection.
Basic Authentication is a decades-old method for passing credentials in a URL using the format hxxps://username:password@hostname.
Originally intended for simple access control on early web servers, it is rarely used today because embedding credentials in URLs exposes them in browser history, logs, and referer headers. Nonetheless, modern browsers continue to support this syntax, enabling attackers to exploit it for visual deception.
In phishing scenarios, the attacker places a trusted domain name in the “username” portion of the URL, immediately followed by an @ symbol and the real, malicious domain.
A user who skims or views a truncated link sees the trusted brand first and may click without noticing that the browser actually connects to the domain after the @.
This technique is particularly effective in environments where URLs are previewed or truncated—such as email clients, messaging apps, and mobile browsers—because only the initial, familiar text is visible.
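A link scanner or mail filter can apply the same parsing rule the browser does and compare what the reader sees with where the request goes. The following is an added example, not code from the report: the function names, the domain-matching regex, and the sample links (reserved .example names) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# A run of dot-separated labels ending in an alphabetic TLD, e.g. "bank.example".
DOMAIN_LIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)

def refang(url: str) -> str:
    """Undo common defanging (hxxp://, [.]) so the URL can be parsed."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".")

def inspect_url(url: str) -> dict:
    """Split a URL into userinfo and real host, and flag a domain-like
    userinfo that does not belong to the host the browser connects to."""
    try:
        parts = urlsplit(refang(url))
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return {"host": None, "userinfo": None, "lure": None, "deceptive": None}
    # Everything before the LAST "@" in the authority is userinfo.
    userinfo = parts.netloc.rpartition("@")[0]
    host = (parts.hostname or "").lower()
    # Percent-decode so an encoded dot or "%25" padding cannot hide the lure.
    match = DOMAIN_LIKE.search(unquote(userinfo))
    lure = match.group(0).lower() if match else None
    # Deceptive: userinfo names a domain that is neither the host nor its parent.
    deceptive = lure is not None and host != lure and not host.endswith("." + lure)
    return {"host": host, "userinfo": userinfo, "lure": lure, "deceptive": deceptive}

# Constructed sample links, not taken from the campaign.
SAMPLES = [
    "hxxps://bank.example%25A1B2C3@login-check.example/verify",  # brand in userinfo
    "hxxps://accounts.bank.example+signin=secure@cdn[.]other.example/x",
    "https://alice:s3cret@intranet.example/reports",             # ordinary credentials
    "https://www.bank.example/login",                            # no userinfo at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = inspect_url(sample)
        verdict = "DECEPTIVE" if result["deceptive"] else "ok"
        print(f"{verdict:9} shown={result['lure']} real={result['host']}")
```
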
GMO Aozora Phishing Campaign Details
Following the identification of the first Basic Auth URL impersonating GMO Aozora Bank, researchers discovered a coordinated campaign of similarly structured links.
Each URL embedded gmo-aozora.com (or a variant) before the @ and pointed to unrelated domains hosting identical phishing pages. The initial URL was:
hxxps://gmo-aozora.com%25Z9IQ7POD%25b5r14s6j%[email protected]/sKgdiq
The domains coylums.com, blitzfest.com, and pavelrehurek.com all served the same phishing content under the path /sKgdiq.

Historical DNS and hosting records reveal these domains once displayed a Japanese-language CAPTCHA page labeled “Security Check” that prompted users to confirm they are not robots and click an “I am not a robot” box, lending false credibility before presenting the fake login form.
Wider Phishing Trends
To gauge the prevalence of Basic Auth phishing, researchers sampled URLs observed over a 14-day period and identified at least 214 unique examples.


Major global brands were targeted, from Amazon and Google to Facebook, Yahoo, LinkedIn, Netflix, DHL, FedEx, Bank of America, and SoftBank. Examples include:
- Amazon: hxxps://amazon.jp-bghqtjbe%2Fufeuxoj…@lyfak.com/xekqxdyfj/rovglb…
- Google: hxxps://accounts.google.com+signin=secure…@lzx.enj.mybluehost.me/wp-admin…
- Facebook: hxxps://[email protected]/link/114903467869602196
Remarkably, 153 of the 214 URLs (approximately 71.5%) specifically targeted Japanese users and organizations by incorporating the .jp top-level domain or Japan-specific domains like docomo.co.jp and ocn.ne.jp.
Phishing emails often masqueraded as urgent notifications—account closures, security alerts, or billing issues—urging users to click the deceptive link and complete a faux login or verification process.
This investigation underscores how legacy web features such as Basic Authentication URL formatting remain potent tools in a threat actor’s arsenal.
Despite being deprecated for secure use, the technique’s compatibility with modern browsers and its ability to visually mislead users sustain its effectiveness.
As this campaign against Japanese financial and consumer brands demonstrates, even seemingly archaic functionalities can fuel sophisticated phishing operations when combined with targeted social engineering.
Vigilance in link inspection and improved browser UI cues are essential to mitigate these deceptively simple yet impactful attacks.