꿈을꾸는 파랑새

Today I am writing about the Naver phishing email sent as "회원정보 고객센터" (Member Information Customer Center) from naver-privacy@kakao(.)com (2024.3.18).
The mail impersonates the customer center of Naver, Korea's leading portal site, and is worded as if it came from a Naver staff member. I worked from an eml file I received from 시오스, who is active in Naver Virus Zero Season 2. By the time of writing, 2024.4.2, enough time has passed that the phishing site itself can no longer be analyzed, so this post is based on the eml file alone.

Email content

Hello.
This is the Naver My Info team.
In accordance with its account management policy, the Naver service carries out account inspections, manages dormant accounts, and provides members with a safe email environment.
Details are as follows, and your identity verification is required.
We ask for your generous understanding for the temporary inconvenience.
Inspection period: Monday, March 18, 2024, 08:30 AM ~ Thursday, March 28, 09:30 AM
Inspection contents: identity verification (up to step 2 if necessary)
Accounts not verified during the inspection period will be switched to dormant accounts, and accounts that are already dormant will be deleted.
Thank you.
The mail claims that identity verification is required for managing dormant Naver member accounts, and that two-step verification will be carried out to confirm identity. One would have to see the actual phishing site to know how it behaves, but judging from the mail text alone, the goal is most likely to steal the ID and password, that is, the entire Naver account.
The sender is displayed as "회원정보 고객센터" (Member Information Customer Center), and at a glance it appears to use a Kakao domain, but to be certain you have to open the eml file and look inside.

Naver customer center phishing email

Naver phishing site address

http://main(.)goodaccout(.)com/?_fid=7IOyViOuztO2YkeZWc66+4(7)J28&_uid=
c2(Z)3YXJyaW8=&session=MnGy(n)vkVRksKVryS3mde629aed26c28f8b2e9(9)
1a9e67be17f7SO1p(L)WveQcelE(N)o6YSwCHUJ(k)Vfh

Naver customer center phishing email header

Email header contents

ARC-Seal: i=1; a=rsa-sha256; d=naver.com; s=arc-20180730; t=1710736713;
cv=none; b=dcAaHz6upvB????yzN2SeXa8s0oQAzoqYjqwh1R7AmjqNUgzg/PHy9Aus
1Ortw501A2TLFJmuTJSlNzlJSar034EkpiGQ/xRV??Dh+V4dReBrHfjB/v8C
cNUriw02l83Ml36FswOS2SKkQnBAJIBuZ2NhaGAT??MFVTUUJyJ+rjBEb
309vdq3tiZ69V25D50GGIbyvDLCbDVhRuc8QKR6vv4oY?+Wb584tJ6wtu+dDvHm
v17JPKUSbqrhTQdEuCgcCDLD5LpFQlcyL4INaBhA22ZRU?/eADsknDZw2Zmzr?SUJ
lA==
ARC-Message-Signature: i=1; a=rsa-sha256; d=naver.com; s=arc-20180730;
t=1710736713; c=relaxed/relaxed;
bh=DCJBDWsCc9Q7XYhysBV4TNa4a74+4/7ysPf+a7KFQd8=;
h=date:to:from:subject:message-id;
b=m5iypcTY0BM4Hg6DHJ+yYeQsIebUX3Ieu
qyk+LTT0VsE8xBF9gMIVzd/luM3LaM8WFJaAmXJGPSHnV5jTtQpkT(M)WU927fRQd9bRGDB/V5
(6)1vLjnhh2Lxc9O7gTmqa/FUpiVbVcrJu6Oapz9XBs/ZsonY1jbF1zHHT7gtR45ySI1j
R3NkLgPCLtaLgj92zZ3JT16wWdXF+t58r+KV9hTH9gL(f)oBA8bBaRxk37niSxmL0SyEeh7g	
5DfBgNn4aUQKudQuplsEz1s8QVmYnu/LNsCZuo68nZbIx4NUUb(a)E279rVpBJkNYlDZbdmR
Mkf9cd4zXTysOrsCnTkytpjGchyw==
ARC-Authentication-Results: i=1; mx(.)naver(.)com;
spf=pass (mx(.)naver(.)com: domain of naver-privacy@kakao(.)com designates
220.64(.)108(.)29 as permitted sender) smtp.mailfrom=naver-privacy@kakao(.)com
; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kakao(.)com
Return-Path: <naver-privacy@kakao(.)com>
Received-SPF: pass (mx(.)naver(.)com: domain of naver-privacy@kakao(.)com
designates 220(.)64(.)108.29 as permitted sender)
client-ip=220.64(.)108(.)29; x-iptype=white;
Authentication-Results: mx.naver(.)com;
spf=pass (mx.naver.com: domain of naver-privacy@kakao(.)com designates
220.64.108(.)29 as permitted sender)
smtp.mailfrom=naver-privacy@kakao.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kakao(.)com,kmail-qpsmtp-vm1; auth=pass
(login) smtp.auth=naver-privacy@kakao(.)com
X-Naver-ESV: +rFYp(B)3G1H+qbrJmjAtwjAgdKq2qKXwBjg==
X-Session-IP: 220.64.108(.)29
Received: from kmail-prod-ay-sm1-worker27(.)mail(.)kakao(.)com
(kmail-prod-ay-sm1-worker27(.)mail.kakao(.)com [220.64.108(.)29])
by ??????.nm.naver(.)com with ESMTP id IJ7-oUmpTqWuQPU8v+WBDQ for <??@naver.com> 
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
Mon, 18 Mar 2024 04:38:33 -0000,
from kmail-hmailsmtp-ayvm2 ([10.240.29(.)145]) by hermes of
kmail-smail-smtp-normal-prod-5b5b5785fb-qxnf5 (10.240.14(.)172)
with SMTP id s2IDcX(V)LZ337412052 for <?????@naver.com>; Mon, 18 Mar 2024 13:38:33 +0900 (KST),
from kmail-qpsmtp-vm1 ([10.61.242(.)230]) by hermes of
kmail-hmailsmtp-ayvm2 (10.93.101(.)127) with ESMTP id s2IDcVISs1934400305 
for <?????@naver(.)com>; Mon, 18 Mar 2024 13:38:31 +0900 (KST),
from [49.1.239(.)101] (HELO 49.1.239(.)101) (49.1.239(.)101)
by  (8.12(.)9/8.9(.)1) with ESMTPA; ??, 18  3?? 2024 13:38:31 +0900
Errors-To: <naver-privacy@kakao(.)com>
X-Originating-IP: 49.1.239(.)101
Date: Mon, 18 Mar 2024 13:38:31 +0900
To: ??????@naver(.)com
From: =?UTF-8?B?7ZqM7JuQ7KCV6(7)O0IOqzoOqwneyEvO2EsA==?= <naver-privacy@kakao(.)com>
Subject: =?UTF-8?B?W+qzhOygleywqOuLqF0gIO2ct(O)uptOqzhOyglSAgIOygkO(q)ygOyViOuCtA==?=
Message-ID: <aailUXnx9dn4bzNqtfVsZoXMUq6u7M(w)aDQ7r6JAXs@49.1.239(.)101>
X-Priority: 3
X-Mailer: PHPMailer 6.7.1 (https://github(.)com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1=_aailUXnx9dn4bzNqtfVsZoXMUq6u7MwaDQ7r6JAXs"
Content-Transfer-Encoding: 8bit
X-HM-UT: dZYPr+4Ha//vSHt/eztY9XPL4GuDVHHcXR1+LDze0L8=

Email header explanation

1. ARC-Seal: the email's ARC (Authenticated Received Chain) signature.
ARC is used to track authentication results across the forwarding chain; it includes a digital signature.
2. ARC-Message-Signature: part of the ARC signature set, a signature over the email message itself; it guarantees the integrity of the message.
3. ARC-Authentication-Results: the ARC authentication results recorded by the receiving mail server.
These include the SPF and DMARC results as well.
4. Return-Path: the address the email is bounced to; in this case naver-privacy@kakao(.)com.
5. Received-SPF: the SPF (Sender Policy Framework) result determined by the receiving mail server.
SPF is used to verify the sender of the email.
6. Authentication-Results: the email's authentication results.
These include the SPF, DMARC and SMTP authentication results.
7. X-Naver-ESV, X-Session-IP, Received: various metadata and the route over which the message was received.
8. X-Hermes-Message-Id: message ID used internally by Kakao Mail
X-Kakaomail-MID: message ID used internally by Kakao Mail
Errors-To: the address error notifications are sent to
X-Originating-IP: the actual IP address the email was sent from
Date: the date and time the email was sent (KST)
To: the recipient's address
From: the sender's address
Subject: the email subject
Message-ID: an ID that uniquely identifies the email
X-Priority: the email's priority (3: normal)
X-Mailer: the program used to send the email (PHPMailer 6.7.1)
MIME-Version: the format version of the email content
Content-Type: the type and encoding of the email body (multipart/alternative)
Content-Transfer-Encoding: how the email body was encoded (8bit)
Also, mail sent from an official Naver account shows an N icon in front of the sender name, but if you are not using Naver webmail or the Naver Mail app you cannot see that icon, so you have to check the email address itself directly.
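The header walk-through above comes down to three checks: decode the From display name, read the Authentication-Results line, and compare the brand the lure names with the domain that actually passed SPF/DMARC. The script below does exactly that over a constructed eml, as an added example that is not part of the original post or of any Naver or Kakao tooling. The sample headers mirror the layout shown above, but the domains (mailprovider.example, receiver.example), IP addresses and Message-ID are placeholders; the base64 encoded word in the From line is the display name "회원정보 고객센터" that the post mentions.

```python
"""Triage of a suspicious .eml: decode the From display name, read
Authentication-Results, and flag a brand/domain mismatch.
Added example; not the blog's own tooling."""
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample modelled on the header layout in the post. Domains, IPs
# and ids are placeholders; the From display name decodes to "회원정보 고객센터".
SAMPLE_EML = """\
Authentication-Results: mx.receiver.example;
 spf=pass (mx.receiver.example: domain of naver-privacy@mailprovider.example designates
 203.0.113.29 as permitted sender) smtp.mailfrom=naver-privacy@mailprovider.example;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mailprovider.example; auth=pass
 (login) smtp.auth=naver-privacy@mailprovider.example
X-Originating-IP: 198.51.100.101
Date: Mon, 18 Mar 2024 13:38:31 +0900
To: victim@receiver.example
From: =?UTF-8?B?7ZqM7JuQ7KCV67O0IOqzoOqwneyEvO2EsA==?= <naver-privacy@mailprovider.example>
Subject: Dormant account check notice
Message-ID: <constructed-id-0001@198.51.100.101>
X-Mailer: PHPMailer 6.7.1 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Hello. This is the Naver member information team.
Accounts not verified during the inspection period will be switched to dormant.
"""

# Brands the lure claims to come from; extend per case.
BRANDS = ("naver",)

# "(?<![\w.])" keeps "smtp.auth=..." from being read as the auth= verdict.
AUTH_PAIR = re.compile(r"(?<![\w.])(spf|dkim|dmarc|auth)=(\w+)")
HEADER_FROM = re.compile(r"header\.from=([\w.-]+)")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def load(raw: str) -> EmailMessage:
    """Parse with the modern policy so RFC 2047 encoded words are decoded."""
    return message_from_string(raw, policy=policy.default)


def auth_results(msg: EmailMessage) -> dict:
    """method=result pairs plus the header.from domain DMARC was evaluated on."""
    text = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    text = re.sub(r"\s+", " ", text)  # collapse header folding
    out = {m.group(1): m.group(2) for m in AUTH_PAIR.finditer(text)}
    hf = HEADER_FROM.search(text)
    if hf:
        out["header.from"] = hf.group(1)
    return out


def sender_identity(msg: EmailMessage) -> dict:
    """Decoded display name, local part and domain of the first From address."""
    addr = msg["From"].addresses[0]
    return {"display_name": addr.display_name, "local": addr.username, "domain": addr.domain}


def triage(raw: str) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    msg = load(raw)
    ident = sender_identity(msg)
    auth = auth_results(msg)
    findings = []

    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""
    lure = " ".join([ident["display_name"], ident["local"],
                     str(msg["Subject"] or ""), body_text]).lower()

    # 1. The brand being impersonated is not the domain that was authenticated:
    #    spf/dmarc "pass" only vouch for header.from, not for the brand.
    for brand in BRANDS:
        if brand in lure and brand not in ident["domain"].lower():
            findings.append(
                f"lure names '{brand}' but From domain is {ident['domain']} "
                f"(spf={auth.get('spf')}, dmarc={auth.get('dmarc')}, "
                f"header.from={auth.get('header.from')})")

    # 2. A Message-ID host that is a bare IP points at a script, not a mail service.
    host = str(msg["Message-ID"] or "").rsplit("@", 1)[-1].rstrip(">")
    if IPV4.fullmatch(host):
        findings.append(f"Message-ID host is an IP literal: {host}")

    # 3. Record the mailer and originating IP for the report.
    if msg["X-Mailer"]:
        findings.append(f"X-Mailer: {msg['X-Mailer']}")
    if msg["X-Originating-IP"]:
        findings.append(f"X-Originating-IP: {msg['X-Originating-IP']}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EML):
        print("-", line)
```

Run it against a saved eml by replacing SAMPLE_EML with the file contents. The point of the first finding is the one the post makes: SPF, DMARC and SMTP AUTH all pass here because the message really was sent through the provider named in header.from, so "pass" on those lines says nothing about whether Naver sent it; the decision has to rest on the From address itself.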
The security vendors that detect this phishing site are as follows:
BitDefender: Phishing
Fortinet: Phishing
G-Data: Phishing
