Cybercriminals Revive Basic Authentication URLs to Deceive Users and Harvest Credentials

In early October 2025, cybersecurity experts observed a resurgence of a phishing technique that exploits Basic Authentication (Basic Auth) URLs to deceive users into revealing sensitive login credentials. This method, once considered obsolete, has been repurposed by attackers to bypass modern security measures and exploit user trust.

Understanding Basic Authentication URLs

Basic Authentication is an HTTP authentication scheme in which the client proves its identity by supplying a username and password. Browsers also accept these credentials embedded in the URL itself, in the form `https://username:password@example.com`. Although the practice of putting credentials in URLs has been largely deprecated because of its security weaknesses, most modern browsers still honour it.

Mechanism of the Attack

In this phishing campaign, attackers craft URLs that embed a trusted institution’s domain within the username field. For example, a malicious link might appear as `https://gmo-aozora.com%[email protected]/sKgdiq`. At first glance, the URL seems to reference the legitimate domain `gmo-aozora.com`, a reputable bank in Japan. However, the actual destination is `coylums.com`, a domain controlled by the attackers.

When a user clicks such a link, the browser treats everything before the `@` symbol as the userinfo (a username and optional password) and the portion after it as the actual host to connect to. Consequently, the browser sends its request to the attacker’s domain and transmits the embedded "username", which is nothing more than the trusted bank's domain name, in its authentication header.

Exploitation in Mobile and Email Clients

This tactic is particularly effective in mobile applications and email clients that truncate long URLs, displaying only the initial segment. Users may see only the deceptive portion before the `@` symbol, leading them to believe they are accessing a legitimate site. This visual manipulation increases the likelihood of users clicking on the malicious link without suspicion.
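The check a link filter or mail gateway would apply to this pattern, shown here as an added example rather than anything from the original article: it parses the link the way a browser does (everything before the last `@` is userinfo, the host is whatever follows), percent-decodes the username, and flags it when that username itself looks like a domain. It also shows what a client that truncates long URLs would display. The sample links and the `.example` hosts are constructed for illustration.

```python
"""Inspect links for the userinfo trick: text before '@' that looks like a
trusted domain while the browser actually connects to the host after it.

Added example, not code from the original article. The sample links below
are constructed; the hosts use the reserved .example suffix."""
import re
from urllib.parse import urlsplit, unquote

# Constructed sample links, not real campaign URLs.
SAMPLE_LINKS = [
    "https://trusted-bank.example%2Flogin@evil.example/sKgdiq",  # userinfo mimics a bank
    "https://www.trusted-bank.example/login",                     # ordinary link
    "https://user:secret@files.example/report.pdf",               # credentials, but no deception
]

# A "username" that itself looks like a hostname is the tell-tale sign.
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def inspect_url(url, display_width=32):
    """Return what a truncating client shows versus where the browser really goes."""
    parts = urlsplit(url)
    netloc = parts.netloc
    # Everything before the LAST '@' is userinfo; the browser connects to what follows.
    userinfo = netloc.rpartition("@")[0] if "@" in netloc else ""
    # The username is the part before ':'; percent-decode it, as a browser would.
    username = unquote(userinfo.split(":", 1)[0])
    # Attackers may pad the fake "domain" with a path-like suffix (%2Flogin etc.).
    lookalike = username.split("/", 1)[0]
    real_host = parts.hostname or ""

    if HOSTNAME_RE.match(lookalike) and lookalike.lower() != real_host:
        verdict = "block"    # userinfo masquerades as a domain that is not the real host
    elif userinfo:
        verdict = "review"   # credentials in a URL are risky even when not deceptive
    else:
        verdict = "allow"

    shown = url if len(url) <= display_width else url[:display_width] + "..."
    return {
        "displayed": shown,      # what a narrow mobile or mail client would show
        "username": username,
        "real_host": real_host,
        "verdict": verdict,
    }


def scan(links, display_width=32):
    """Apply inspect_url to a batch and return (url, verdict) pairs."""
    return [(u, inspect_url(u, display_width)["verdict"]) for u in links]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = inspect_url(link)
        print(f"{r['verdict']:6} shown={r['displayed']!r} "
              f"real_host={r['real_host']} username={r['username']!r}")
```

The decisive comparison is between the decoded username and `parts.hostname`: a legitimate link carries no userinfo at all, and a link that does carry one but whose username is not a domain name still deserves a second look, since credentials in URLs leak into logs and browser history.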

Initial Discovery and Scope of the Attack

Analysts at Netcraft first identified this wave of attacks targeting customers of GMO Aozora Bank in Japan. The attackers registered URLs designed to mimic the bank’s legitimate domain, such as `hxxps://gmo-aozora.com%[email protected]/sKgdiq`. Victims who clicked on these links were directed to a Japanese-language CAPTCHA page, adding a layer of perceived legitimacy to the phishing attempt.

Over a two-week period following the initial discovery, researchers identified more than 200 unique phishing URLs employing this technique. The attacks impersonated major brands, including Amazon, Google, and Netflix, by embedding these recognizable names within the username field of the URL. This strategy effectively cloaked the malicious domains behind familiar and trusted names.

Use of CAPTCHAs to Enhance Deception

Beyond simple credential harvesting, these phishing campaigns incorporated human-verification CAPTCHAs. This step served two purposes: it delayed automated security tools from analyzing the malicious pages, and it reinforced the illusion of legitimacy for the victims. The CAPTCHA page emulated a security checkpoint, requiring users to click "I am not a robot" before proceeding to a counterfeit login form. This additional step increased the perceived authenticity of the page and gave the attackers more time to capture credentials.

Technical Details of the Attack

Upon clicking such a Basic Auth URL, the victim’s browser issues an HTTP GET request whose `Authorization` header carries the trusted domain's name as the username. For example:

```http
GET /sKgdiq HTTP/1.1
Host: coylums.com
Authorization: Basic Z21vLWFvem9yYS5jb206
```

In this instance, `Z21vLWFvem9yYS5jb206` is the Base64 encoding of the string `gmo-aozora.com:`, that is, the username `gmo-aozora.com` followed by the colon separator and an empty password. The server decodes this header to confirm that the embedded username is present and then serves a phishing page that mimics the bank’s login interface.

When victims enter their credentials into the counterfeit login form, the information is sent via a POST request to the attacker’s backend endpoint, where it is collected for later misuse. This mechanism effectively bypasses typical URL filters that focus on query strings rather than embedded authentication tokens.
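The server-side decoding described above can be turned around for detection: a proxy or web-server log analyser can decode every `Authorization: Basic` header it sees and flag requests whose Basic username is a domain name that differs from the `Host` header. The following is an added example, not code from the original article. The first sample request is the one shown above; the second is a constructed benign request (credentials `user:pass` for the reserved host `files.example`) for contrast.

```python
"""Decode the Basic Authorization header of a captured HTTP request and flag
the case where the "username" is really a domain name that differs from Host.

Added example, not code from the original article. PHISH_REQUEST reproduces
the request shown in the article; BENIGN_REQUEST is constructed for contrast."""
import base64
import binascii
import re

# Request from the article (attacker-controlled host as reported there).
PHISH_REQUEST = (
    "GET /sKgdiq HTTP/1.1\r\n"
    "Host: coylums.com\r\n"
    "Authorization: Basic Z21vLWFvem9yYS5jb206\r\n"
    "\r\n"
)

# Constructed benign request: Basic credentials user:pass for an internal host.
BENIGN_REQUEST = (
    "GET /report.pdf HTTP/1.1\r\n"
    "Host: files.example\r\n"
    "Authorization: Basic dXNlcjpwYXNz\r\n"
    "\r\n"
)

HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into its request line and a dict of lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def decode_basic(value):
    """Return (username, password) from 'Basic <base64>'; None if it is not valid Basic."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects stray characters; bad padding also raises binascii.Error.
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    username, _, password = text.partition(":")
    return username, password


def check_request(raw):
    """Report whether the Basic username looks like a domain that does not match Host."""
    request_line, headers = parse_request(raw)
    host = headers.get("host", "").split(":")[0].lower()
    creds = decode_basic(headers.get("authorization", ""))
    username = creds[0] if creds else ""
    looks_like_host = bool(HOSTNAME_RE.match(username))
    return {
        "request_line": request_line,
        "host": host,
        "username": username,
        "password_empty": creds is not None and creds[1] == "",
        "suspicious": looks_like_host and username.lower() != host,
    }


if __name__ == "__main__":
    for raw in (PHISH_REQUEST, BENIGN_REQUEST):
        r = check_request(raw)
        print(f"{r['host']:14} user={r['username']!r:20} suspicious={r['suspicious']}")
```

Two details make the rule robust in practice: the decoder refuses malformed Base64 instead of crashing on it, and the comparison is against the `Host` header rather than the URL, so it works on requests that arrived without any visible userinfo at all. A username that is a hostname combined with an empty password, as in the article's request, is the strongest signal.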

Implications and Recommendations

By reviving this outdated HTTP feature, attackers have demonstrated how legacy standards can be repurposed for modern phishing campaigns. This approach underscores the need for continuous vigilance and adaptation in cybersecurity practices.

Recommendations for Users:

1. Exercise Caution with Embedded Credentials: Be wary of URLs that include embedded credentials, especially those containing an `@` symbol. Always verify the actual domain you are connecting to.

2. Inspect Full URLs: Before clicking on a link, hover over it to view the full URL. Ensure that the domain matches the legitimate site you intend to visit.

3. Be Skeptical of Unexpected CAPTCHAs: While CAPTCHAs are commonly used for security, unexpected prompts, especially when accessing login pages, should raise suspicion.

Recommendations for Organizations:

1. Update URL Inspection Rules: Security teams should enhance URL inspection protocols to detect and block Basic Authentication tokens in links.

2. Educate Users: Conduct regular training sessions to inform employees about the dangers of embedded credentials and how to recognize phishing attempts.

3. Monitor for Anomalies: Implement monitoring systems to detect unusual authentication patterns that may indicate phishing activities.

By understanding and addressing these sophisticated phishing techniques, both users and organizations can better protect themselves against evolving cyber threats.