Retro Phishing: Basic Auth URLs Make a Comeback in Japan
Introduction
Netcraft recently uncovered a suspicious URL targeting GMO Aozora Bank, a Japanese financial institution. The URL leveraged a legacy web technique, Basic Authentication URL formatting, to visually impersonate the bank and deceive customers. The findings led to a broader review of phishing activity that still relies on this old technique.
What is Basic Authentication?
Basic Authentication is a legacy method for passing credentials in a URL, using the format hxxps://username:password@domain[.]com.
Originally intended for simple access control, this format is not commonly used due to the associated security risks. However, browsers still support this method, which makes it a viable vector for visual deception.
In phishing scenarios, attackers exploit the Basic Authentication URL format by placing a trusted domain in the username field, followed by an @ symbol and the actual malicious domain. The structure is designed to visually mislead the victim. When a user sees a URL that begins with a familiar and trusted domain, they may assume the link is legitimate and safe to click.
However, the browser interprets everything before the @ symbol as authentication credentials, not as part of the destination. The real domain, or the one that the browser connects to, is included after the @ symbol.
This technique may be particularly effective in environments where URLs are truncated, previewed, or skimmed quickly, such as in emails, messaging apps, or mobile browsers.
GMO Aozora Phishing Campaign
Following the identification of the initial suspicious URL targeting GMO Aozora Bank, further analysis revealed a pattern of similarly structured URLs using the same deceptive technique. Each URL embedded the bank’s domain name gmo-aozora[.]com within the username field of the URL, followed by an @ symbol and a malicious domain. The first URL uncovered was:
hxxps://gmo-aozora[.]com%25Z9IQ7POD%25b5r14s6j%257DdIL@coylums[.]com/sKgdiq
This led to the discovery of several additional URLs following the same structure:
hxxps://gmo-aozora[.]com%25ZYJ55BOB%25hk0zv7mn%25MnbVh5Tir@coylums[.]com/sKgdiq/
hxxps://gmo-aozora[.]com%25K91E3AB%251baa0wz%25Mb5iqFg@coylums[.]com/sKgdiq
hxxps://gmo-aozora[.]com%25938C4G%250rwi9tv0x%25xPcHpq0@blitzfest[.]com/sKgdiq
hxxps://gmo-aozora[.]com%251TE5CV7VB%2545pc25b%25H25auxt@blitzfest[.]com/sKgdiq
hxxps://gmo-aozora[.]com%251P0UFWAWIQ%25w9ue1%259cerXB@pavelrehurek[.]com/sKgdiq/
hxxps://gmo-aozora[.]com%25UJKVPV7BK%258wzepvye%25p2z3wEE0@pavelrehurek[.]com/sKgdiq/
Each of these URLs uses a variation of encoded strings within the username field, likely to simulate session tokens or encrypted identifiers, further enhancing the illusion of legitimacy. The consistent use of gmo-aozora[.]com as the visual anchor suggests a targeted campaign against the financial sector, specifically leveraging brand trust to increase the likelihood of user interaction.
The domains receiving the traffic, coylums[.]com, blitzfest[.]com, and pavelrehurek[.]com, which are unrelated to GMO Aozora Bank, have hosted identical phishing content. While they now resolve to generic or landing pages, historical analysis shows they served the same page structure and path (/sKgdiq), indicating coordinated use of shared infrastructure. The pages included a human verification CAPTCHA, written in Japanese, likely intended to add legitimacy. The translated content reads:
Security Check
Please confirm that you are not a robot.
To protect the service from automated attacks, please perform the following verification.
☐ I am not a robot
Security Verification | Privacy – Terms of Use
This verification is to protect the service from unauthorized access.

Figure 1. CAPTCHA page captured before URLs became inactive.
Recent Trends in Basic Auth Phishing
To understand how often this technique is being used, we took a sample of the last 14 days and identified at least 214 example Basic Auth phishing URLs. Within this sample, we identified that major brands were targeted, including Amazon, Google, Yahoo, LinkedIn, Facebook, Netflix, DHL, FedEx, Bank of America, SoftBank, and more.
Amazon examples:
hxxps://amazon[.]jp-bghqtjbe%2Fufeuxoj%3Fxekqxdyfj%3Dbghqtjbe[.]lfu%2Frovglb@lyfak[.]com/xekqxdyfj/rovglb/dl0A542oUc8ZwQFV5tCxeGUMuQLpR_CdMHxo5rWkWTM[.]lfu640
hxxps://amazon-qxshi[.]jp%2Fqxshi%2Fqxshi%3Fqxshi=xbbkvfxy@mhly5[.]com/pmdctnhvc/gjdyja/1BajQEVjdB0ABk82l8Jy0-qm3Ym7ioWHjFEdczw3L_8[.]evcekti768
hxxps://amazon-vjedcdj[.]gov%2Fhylafa%3Fhylafa%3Dyxelufqb%26hylafa%3Dvjedcdj@uh-majlhylafa[.]bajarlo[.]com/
Google examples:
hxxps://accounts[.]google[.]com+signin=secure+v2+identifier=passive@lzx[.]enj[.]mybluehost[.]me/wp-admin/js/nodejs/nodejs/index[.]php?id=20VgVXuB
hxxps://google-chat@rb[.]gy/xeokf3
hxxps://google[.]com@in11[.]interafricaeng[.]co[.]za/
Facebook examples:
hxxps://blue-verified-facebook-free@griffin-recorder-observation-pour[.]trycloudflare[.]com/login[.]html
hxxps://facebook[.]com@links[.]truthsocial[.]com/link/114903467869602196
hxxps://blue-verified-facebook-free@hopkins-ears-tan-fragrance[.]trycloudflare[.]com/login[.]html
Yahoo examples:
hxxps://yahoo[.]co[.]jp/kfjlod/urphnkf/[email protected]/maz/bfizj/Tx705KuMLowW1htr1q1IkPwO19z2PCTDTd10SWAL700[.]bfizj007
hxxps://yahoo[.]co[.]jp/mLKegOVr/BRrrhimou/scZOJaVfVH@fjxgtez-lhgmcoi-bhluwzlqf-wadkiz[.]vnjklhswfg[.]com/
hxxps://yahoo[.]co[.]jp/ujpfrh/pjebmep/hbbwu-nplkkqkue609@morimorikasegu[.]com/lmi/hbbwu/2uPLDiGOzdVQqgXU3V1BGxLK5Pxo2hVbNi3tisbyzQE[.]hbbwu609
Japan in the Crosshairs
Our analysis found that 153 out of 214 phishing URLs (roughly 71.5%) specifically targeted Japanese users or organizations. This targeting was identified through the use of .jp TLDs and other Japan-specific references.
Examples of Japan-targeted URLs:
hxxps://amazon-fvwpdrs[.]jp/wxyyo?bssfsesy=gpusgekeb&[email protected]/gpusgekeb72/303xfsrgp/
hxxps://docomo[.]co[.]jp/takemuraakitaguru399/uyhne/ezefbgb#spnflkr@2psd54l2p[.]com/
hxxps://woody[.]ocn[.]ne[.]jp/ThGVgAXnZ/AigyAjmrjc/CgmZROla@afty[.]net/afmjjafpz?
Many of these phishing URLs were distributed through email lures, often disguised as urgent account notifications. One example used urgency and impersonated Netflix to trick the recipient into clicking a deceptive Basic Auth URL, where the real destination is the malicious domain themiran[.]net.

Figure 2: Phishing email containing fake Netflix domain.
Though there is no visible technical indication of why this campaign is focusing on Japanese organizations, it is possible that some email clients, messaging apps, or mobile browsers popular in Japan display URLs in a manner that makes this technique visually effective, for example by truncating or visually abbreviating long URLs so that only the initial portion is shown.
Conclusion
This investigation highlights how threat actors continue to repurpose legacy techniques like Basic Authentication URL formatting to carry out modern phishing campaigns, specifically against Japan-based organizations. Despite its age, this tactic remains effective due to its compatibility with modern browsers and its ability to bypass casual inspection.
Recommendations
To mitigate the risk of this type of attack, organizations, especially financial institutions, should educate their employees and customers about the deceptive nature of Basic Authentication URLs. Security teams should implement URL inspection rules that flag the presence of embedded credentials and monitor for suspicious use of the @ symbol in URLs. Browser hardening policies can also help by warning users or blocking navigation to URLs that contain embedded authentication data.
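The inspection rule recommended above follows directly from how the URL is parsed in the "What is Basic Authentication?" section: the authority component ends at the first slash, and everything before the last @ inside that authority is userinfo, not the destination. The following Python is an added example, not Netcraft's tooling, showing that parse applied to URLs in the style of those listed in this post. The sample list is constructed for the demo (two entries are defanged URLs from this post, the rest are made-up placeholders), and the verdict labels are the example's own naming. It flags any URL carrying embedded credentials, escalates when the userinfo begins with a domain-like string that differs from the real host, and reports an @ appearing after the authority as a separate, lower-confidence pattern rather than as credentials.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed demo input: the first two are defanged URLs quoted in the post,
# the remaining three are made-up placeholders, not real indicators.
SAMPLE_URLS = [
    "hxxps://gmo-aozora[.]com%25Z9IQ7POD%25b5r14s6j%257DdIL@coylums[.]com/sKgdiq",
    "hxxps://google-chat@rb[.]gy/xeokf3",
    "hxxps://accounts[.]google[.]com+signin=secure+v2+identifier=passive@lzx[.]example/index[.]php?id=1",
    "hxxps://example[.]jp/path/token@other[.]example/",  # '@' after the authority
    "hxxps://www[.]example[.]jp/login",                  # benign
]

# Leading run of hostname characters in the decoded userinfo; this is the
# "visual anchor" a victim sees at the start of the URL.
LEADING_DOMAIN = re.compile(r"^[A-Za-z0-9.-]+")


def refang(url: str) -> str:
    """Undo the hxxp / [.] defanging used in this post so the URL parses."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def analyze(url: str) -> dict:
    """Classify one URL the way a browser resolves it (RFC 3986 authority rules)."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()   # where the browser actually connects
    result = {"url": url, "host": host, "decoy": None, "verdict": "clean"}

    if parts.username is not None:
        # Userinfo is present: anything before '@' in the authority is credentials.
        match = LEADING_DOMAIN.match(unquote(parts.username))
        decoy = match.group(0).lower() if match else ""
        result["decoy"] = decoy
        result["verdict"] = "credentials-embedded"
        # A domain-like decoy that is not the real host is the lookalike pattern.
        if "." in decoy and decoy != host:
            result["verdict"] = "lookalike-credentials"
    elif "@" in parts.path + parts.query + parts.fragment:
        # Not credentials, but still the '@' usage the recommendations say to monitor.
        result["verdict"] = "at-sign-outside-authority"
    return result


def scan(urls) -> list:
    """Return the analysis for every URL that is not clean."""
    return [r for r in (analyze(u) for u in urls) if r["verdict"] != "clean"]


if __name__ == "__main__":
    for r in scan(SAMPLE_URLS):
        print(f"{r['verdict']:26} host={r['host']:18} decoy={r['decoy']}")
```

The key point for rule authors is the `parts.username` check: the decoy domain never appears in `parts.hostname`, so a rule that matches on the leading text of the URL will be fooled while one that inspects the parsed authority will not. Percent-encoded filler such as `%25` in the userinfo does not change the verdict, because the real host is read from the right of the last @ in the authority regardless of what precedes it.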