Phishing campaign uses legacy web feature to target bank customers
Farah Amod
October 30, 2025
A new phishing scheme is exploiting outdated web authentication methods to trick users of Japan’s GMO Aozora Bank into revealing their login credentials.
What happened
According to Cyber Press, researchers have identified a phishing campaign targeting GMO Aozora Bank customers through URLs that mimic legitimate banking links. The attackers use a legacy URL structure, the userinfo component (user:password@host) that browsers once used to pass HTTP Basic Authentication credentials, which allows a username and password to be embedded directly in a URL. Although the feature is now considered unsafe, most modern browsers still accept the syntax when a user navigates to such a link, which creates an opportunity for deception.
The malicious URLs placed the bank's real domain before the "@" symbol, so they appeared trustworthy at first glance. In reality, a browser treats everything between the scheme and the "@" as a username (and optional password) and connects to the host that comes after it; that host is the phishing site. The tactic is especially deceptive on mobile devices, where address bars truncate long URLs and may show only the decoy portion.
Going deeper
Researchers observed several phishing URLs hosted on unrelated domains such as blitzfest[.]com and pavelrehurek[.]com; the pages included fake CAPTCHA challenges written in Japanese to enhance credibility.
The campaign didn’t stop at banking targets. Over two weeks, Netcraft recorded 214 phishing URLs impersonating brands like Amazon, Google, Facebook, Yahoo, Netflix, and Bank of America. About 71.5% of those samples specifically targeted Japanese users, often using .jp domains and localized text. Attackers used the same Basic Auth trick to embed trusted names within URLs that ultimately led to malicious destinations.
What was said
Cyber Press warned that the continued browser support for Basic Authentication is an enabler of these scams. The firm urged organizations to deploy user education campaigns about suspicious URLs containing “@” symbols and to enable URL inspection systems that can automatically detect and block them. Browser vendors were also encouraged to adopt mitigations that flag or restrict these outdated structures.
The big picture
According to OWASP, outdated or weak web authentication remains one of the fastest and most common paths into compromised systems. Attackers often exploit missing or misconfigured controls such as weak passwords, disabled rate limits, default admin credentials, or flawed session management to carry out credential stuffing, brute-force attacks, or token theft. OWASP cautions that “confirmation of the user’s identity, authentication, and session management is critical,” noting that failures in these areas continue to be a primary cause of web application breaches.
FAQs
Why is Basic Authentication still supported if it’s insecure?
Many legacy web systems and applications still rely on it for backward compatibility, so browser vendors have been slow to fully disable the feature.
How can users identify this type of phishing URL?
Look for an "@" symbol in the link. The real destination is the host that comes after the "@"; anything between the scheme (https://) and the "@" is not part of the site's domain, and a trusted name in that position is an indicator of potential phishing.
What can organizations do to protect their users?
They can implement URL inspection tools that detect embedded credentials, enforce link scanning policies, and educate employees about phishing indicators.
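As an added example (not code from the article, Cyber Press or Netcraft), here is the inspection logic that the "What happened" section describes and that this answer recommends, written in JavaScript against the WHATWG URL parser that browsers and Node.js share, so the host it reports is the one a browser would actually connect to. The protected hostnames and the login.bank.example decoy are constructed placeholders; the two destination domains are the ones named in the article above.

```javascript
// Added example: detect the userinfo ("user:pass@host") decoy trick.
// PROTECTED_HOSTS is an assumed list; replace it with the brands you defend.
const PROTECTED_HOSTS = ['login.bank.example', 'www.amazon.co.jp', 'accounts.google.com'];

// Percent-decode the userinfo, falling back to the raw text on bad escapes.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Parse one URL the way a browser does and classify it.
function inspectUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { raw, parseable: false, verdict: 'unparseable' };
  }
  // The URL parser splits "scheme://userinfo@host": username/password are the
  // part before '@', hostname is the part the browser will really contact.
  const userinfo = safeDecode(url.username + (url.password ? ':' + url.password : ''));
  const hasCreds = url.username !== '' || url.password !== '';
  // A decoy that is shaped like a hostname (dots, a TLD, optional fake port).
  const decoyLooksLikeHost = /^[a-z0-9.-]+\.[a-z]{2,}(:\d+)?$/i.test(userinfo);
  // A decoy that names a host we protect.
  const spoofedHost = PROTECTED_HOSTS.find(h => userinfo.toLowerCase().includes(h)) || null;

  let verdict = 'ok';
  if (hasCreds && (decoyLooksLikeHost || spoofedHost)) verdict = 'phishing-likely';
  else if (hasCreds) verdict = 'suspicious'; // embedded credentials, no brand decoy

  return {
    raw,
    parseable: true,
    actualHost: url.hostname,
    hasEmbeddedCredentials: hasCreds,
    userinfo,
    spoofedHost,
    verdict,
  };
}

// What a narrow (mobile) address bar shows: the first `width` characters of
// the raw string, which for a decoy URL is the trusted name, not the real host.
function truncatedDisplay(raw, width = 32) {
  return raw.length > width ? raw.slice(0, width) + '...' : raw;
}

// Constructed samples; blitzfest.com and pavelrehurek.com are the destinations
// named in the article, login.bank.example stands in for the spoofed brand.
const SAMPLES = [
  'https://login.bank.example@blitzfest.com/jp/login',          // decoy before '@'
  'https://login.bank.example:443@pavelrehurek.com/captcha',    // decoy with fake port
  'https://login.bank.example/jp/login',                        // genuine, no '@'
  'https://pavelrehurek.com/path?next=user@bank.example',       // '@' in query, not userinfo
  'https://user:pass@intranet.example/',                        // credentials, no brand decoy
];

function runSamples() {
  return SAMPLES.map(inspectUrl);
}

console.log(JSON.stringify(runSamples(), null, 2));
console.log(truncatedDisplay(SAMPLES[0], 26));
```

The verdict for the fourth sample is "ok" because the "@" sits in the query string, after the path begins, so the parser never treats it as a userinfo delimiter; a naive "contains @" rule would flag it and would also miss nothing a real parser catches, so it is worth basing the check on the parsed components rather than on string search.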
Are there browser-level defenses against this attack?
Some browsers already warn users when URLs contain embedded credentials, but more consistent blocking or alerts across platforms could reduce these risks further.