Kimsuky(김수키) 로 추측이 되는 부가가치세 확정신고 납부 통지서 피싱 메일 분석(2025.1.20)

오늘은 Kimsuky(김수키)로 추측이 되는 부가가치세 확정신고 납부 통지서 피싱 메일 분석(2025.1.20)을 간단하게 분석을 해 보겠습니다.
일단 해당 이메일 내용부터 보겠습니다.
2024.2기 부가가치세 확정신고 납부 통지서(이)가 도착했어요.
f????****님, 지금 확인해 보세요. 
발송기관국세청  
전자문서 종류  [국세청]2024.2기 부가가치세 확정신고 납부 통지서  
인증기한  2025-01-31 23:59까지 
기한 내 열람하지 않으면 발송기관 정책에 따라 다른 수단(종이우편, SMS/LMS 등) 또는 다른 채널(타사앱)로 발송됩니다.
기관에서 정식 발송된 문서는
네이버앱 에서 Na. 에서 전자문서에 표시됩니다.
확인하러 가기

김수키 추정에서 만든 피싱 메일

네이버는 과학기술정보통신부로부터 인증받은 공인전자문서중계자로, 국세청의 종이 우편을 편리하게 보실 수 있도록 네이버앱을 통해 전자문서로 전달합니다.
실명의 네이버ID가 있다면 기관에서 발송한 문서를 전자문서로 받아 보실 수 있으며, 전자문서 열람 시 소중한 정보보호를 위해 본인인증을 진행합니다. 본인인증은 모바일앱 환경에서만 가능하며, 인증 완료 후 발송기관의 페이지로 이동하여 문서 원문을 확인하실 수 있습니다. 이 때 네이버는 문서 원문에 있는 어떠한 내용에도 접근할 수 없습니다.
전자문서 이용 중인 ID가 없는 경우 명의정보가 동일한 다른 ID로 알림이 발송될 수 있어요.
전자문서를 수신받고 싶지 않다면 [여기]를 누르세요.
전자문서가 도착하면 네이버앱으로도 알림을 보내 드려요. 알림 설정 상태를 체크하세요. (알림 설정 도움말)
본 메일은 발신전용 입니다. 네이버 서비스관련 궁금하신 사항은 네이버 고객센터에서 확인해주세요.
해당 메일 내용만 보면 네이버에서 제공하는 네이버 전자 문서인 것처럼 보이지만 실제로는 발생한 메일 주소는 Ru 러시아인 것을 확인할 수가 있습니다.
해당 자세한 내용을 확인하려면 이메일 헤더를 보아야 합니다.

피싱 메일 이메일 헤더 내용

이메일 포함된 피싱 링크

hxxp://authurize(.)niduser(.)info(.)dns(.)cloud(.)check-info(.)o-r(.)kr

이메일 헤더

ARC-Seal: i=1; a=rsa-sha256; d=naver(.)com; s=arc-20180730; t=1737360520;
cv=none; b=NHQqHgf5FK60pAd0DjWlw5HYk9acPY3FBpFs1+e4CpvB8y4AxAFUXATmfbVB	 kANSFZKVVfM1DZZ9ZPwvpD3Pgb4RDXDIu4qbpZBPK2A8Yx6ekA6HS26B6GpcW7rB5Dos1L	 J3eLR2dgVyCPwsPLZaS4frK2O0C5xDYCjLVLZoIuAec6NgjLCl38K/mw0ylstBV7NrXMfT	 UnDi3Scmuw6Yk1/Zj9TJZ7vtmHEVbIksJjWU/B3URB2tkOHSA/xszMqG6mXtv0FDERvsPh	 2A8m6C38pbgfeEEIrTLX1SKeQSWLw1hOFFMujUAMcOsFTLOYMUs7ylVwueqe6fG4hUUK/t	 Qw==
ARC-Message-Signature: i=1; a=rsa-sha256; d=naver.com; s=arc-20180730;	t=1737360520; c=relaxed/relaxed;	bh=uMMT5Jsabdg5J6pY91i74cj2408q1THsnXq5hlf7SLA=;	h=dkim-signature:date:to:from:subject:message-id; b=hWHK5QrzStl/JzrgTdF	 HTNPtABrZSI1T+IcAhFeCb+ZKPIvaZar7RtDN3EecM4F1vRYAOWEI+qqlWHguv9m3rTCtw	 B+8SkBwD/ylwr5kHuyiU1VAnC0qsXYgJUSpJAQtlGSamrfTg+p/y8LrK73sLbcF4q+ewx8	 0RanRzfsGwsIN7lza9CvKosS3Xhu3Uz7M6HjhZ6c7nTUea8KyXKFsUSofxXUzXCRyHkM8R	 Uu4p0JKpDqsdey+U+gTLpyDT4WPFP6IWh52kcveGaVmKaxo9MZ1ywKtOdsjEMXdldjCmIn	 5i+afIQgYUJb3tylpeGM96dU1MBABvx5BkK5tB0JLiA==
ARC-Authentication-Results: i=1; mx(.)naver(.)com;   spf=pass (mx(.)naver(.)com: domain of health-info@internet(.)ru designates 89(.)221(.)237(.)244 as permitted sender) smtp(.)mailfrom=health-info@internet(.)ru;  dkim=pass header(.)i=@internet(.)ru;  dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=internet(.)ru
Return-Path: health-info@internet(.)ru
Received-SPF: pass (mx(.)naver(.)com: domain of health-info@internet(.)ru designates 89(.)221(.)237(.)244 as permitted sender)  client-ip=89(.)221(.)237(.)244; x-iptype=default;
Authentication-Results: mx(.)naver(.)com;  spf=pass (mx(.)naver(.)com: domain of health-info@internet(.)ru designates 89(.)221(.)237(.)244 as permitted sender) smtp(.)mailfrom=health-info@internet(.)ru;  dkim=pass header.i=@internet(.)ru;  dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=internet(.)ru,exim-smtp-6758d5575c-zwhph; auth=pass smtp.auth=health-info@internet(.)ru smtp.mailfrom=health-info@internet(.)ru
X-Naver-ESV: wqRn+6J4p63CbHmqKBwdbXFYKA2maAKljJ+Y
X-Session-IP: 89.221.237.244
Received: from send149(.)i(.)mail(.)ru (send149(.)i(.)mail(.)ru [89(.)221(.)237(.)244])  by crcvmail102(.)nm(.)naver(.)com with ESMTP id NtUg0CuQRzOKYDr-8TorcQ  for <??????@naver(.)com>  (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);  Mon, 20 Jan 2025 08:08:39 -0000,by exim-smtp-6758d5575c-zwhph with esmtpa (envelope-from <health-info@internet(.)ru>)	id 1tZmpl-000000009cv-0WUR	for ?????@naver(.)com; Mon, 20 Jan 2025 11:08:35 +0300
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=internet.ru	; s=mail4; h=Content-Type:MIME-Version:Message-ID:Subject:From:To:Date:From:	Sender:Reply-To:To:Cc:Content-Type:Content-Transfer-Encoding:Content-ID:	Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc	:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:	List-Subscribe:List-Post:List-Owner:List-Archive:X-Cloud-Ids:	Disposition-Notification-To; bh=uMMT5Jsabdg5J6pY91i74cj2408q1THsnXq5hlf7SLA=;	t=1737360518; x=1737450518; b=Z7Ad5gf8eo4VZ9+YSQ41sAr0xQ4pIjg48uBAA1Iq/PptyKF	5BDJg8hhh5BDC9YlT6KHfhq0N7H6yKoea81NfQAbPlO25idMzIuANus/1yLEVSnEt+i9sGHcIEiEf	uu2I8P3ZlV7J6IElq5omRWdtaLsJcu5qSaLf6/ReLJTUvFH6E49Vv2Cig5naX8OT0lEeRFfVSa9Xb	7If7fzPy5aPRnoGQsuTYl17EIjgj3jk1sOBCPsBRhwYlqWp/UWCZ+0Jli0bDaqRfeYb2MDlNTMgAa	Cc94HkcQ6KmGLnRmwm1u0HQVaoOcqG1N2vxnBy+e/MlIKHCvnLOnZ7KwdC8Cudnw==;
Date: Mon, 20 Jan 2025 09:07:01 +0100
To:?????@naver(.)com
From: =?UTF-8?B?6rWt7IS466y47ISc?= <health-info@internet.ru>
Subject: =?UTF-8?B?MjAyNC4y6riwIOu2gOqwgOqwgOy5mOyEuCDtmZXsoJXsi6Dqs6Ag64Kp67aA?= =?UTF-8?B?IO2GteyngOyEnCjsnbQp6rCAIOuPhOywqe2WiOyWtOyalC4=?=
Message-ID: <894fb3ac5b9e18e3207b1b73de5b395b@118.193.68.90>
X-Mailer: PHPMailer 5.2.14 (https://github(.)com/PHPMailer/PHPMailer)
MIME-Version: 1.0

이메일 헤더 분석

1. 발신자 정보 분석
Return-Path (보낸 사람):health-info@internet(.)ru  
From (표시 이름):=?UTF-8?B?6rWt7IS466y47ISc?= <health-info@internet(.)ru>  
발송 서버 IP:89(.)221(.)237(.)244 (mail(.)ru 서버 사용)  
SMTP 발송 서버:send149(.)i(.)mail(.)ru 
X-Session-IP:89(.)221(.)237(.)244  
2.인증 결과 (SPF, DKIM, DMARC)
SPF (Sender Policy Framework):
보낸 사람 도메인(internet(.)ru)이 해당 IP(89(.)221(.)237(.)244)를 인증  
DKIM (DomainKeys Identified Mail):dkim=pass header.i=@internet(.)ru 보낸 사람의 서명이 유효함.  
DMARC (Domain-based Message Authentication):
dmarc=pass (p=REJECT sp=REJECT):인터넷(.0ru 도메인은 DMARC 정책을 거부(REJECT)로 설정했지만, 검증을 통과 
3. 이메일 발송 경로 (Received 헤더 분석)
발송: send149(.)i(.)mail(.)ru (89(.)221(.)237(.)244)->발신자 메일 서버  
중간 전달:crcvmail102(.)nm(.)naver(.)com(네이버 수신 서버)  
3. 최종 수신:?????@naver(.)com  
2024.2 건강 관련 최신 정보 제공
보건 정보를 제공하는 것처럼 보이지만 스팸 메일
Certego:Malicious
CRDF:Malicious
Criminal IP:Malicious
Fortinet:Phishing
Seclookup:Malicious
Gridinsoft:Suspicious
노턴 세이프웹에서는 정상적으로 차단 어베스트도 마찬가지로 정상 차단 되었으며 해당 피싱 메일은 이메일 주소만 보면 쉽게 확인을 할 수가 있는 피싱 메일이었지만 항상 조심을 하는 것이 중요 합니다. 이메일 헤더를 까보면 PHPMAILER-PHP를 악용한 것을 확인할 수가 있습니다.