This analysis focuses on a phishing email disguised as a notification from Naver about content being removed for alleged defamation. The email tries to deceive the recipient into clicking a malicious link by creating a sense of urgency about the removal. A legitimate-looking email header adds to its credibility.
Affected: Naver users
Key points:
- The phishing email claims that the recipient’s content has been temporarily removed for allegedly defaming someone.
- A link is provided in the email that redirects to a phishing site.
- The email includes a deceptive subject line urging immediate action.
- Analysis of the email header shows it was sent from a recognizable domain, lending credibility to the phishing attempt.
- The message passed SPF, DKIM, and DMARC checks, which complicates detection.
MITRE Techniques:
- Phishing (T1566) – The email disguises itself as a legitimate notification from Naver to trick recipients into clicking on malicious links.
- Exploitation for Client Execution (T1203) – The phishing link is designed to exploit the user’s trust, leading them to provide sensitive information.
Indicators of Compromise:
- [URL] hxxps://blog(.)naver(.)com/??????/2131275326???
- [URL] hxxp://niduser.www.dns.checkinfo.n-sign(.)o-r(.)kr/bloguser/?q=viewInputPasswdForMyInfo&menu=security&wreply=Y2xvdmVyZmFueUBuYXZlci5jb20=&m=https%3A%2F%2Fnid.naver.com%2Fnidlogin(.)login%3Furl%3Dhttp%253A%252F%252Fmail.naver(.)com%252F
- [Email Address] msquare@internet(.)ru
- [IP Address] 95.163.59.118
- [Hash] f44e601afc0435f417ba5d30b4f600f7@118.194.249.171 (Message-ID)
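Because the message passed SPF, DKIM and DMARC, authentication results alone will not flag it; those checks vouch only for the sending domain, not for the brand named in the display name or subject. The following Python check is an added example, not part of the original report: it compares the claimed brand with the From domain and with link hosts, and flags a non-Naver link whose query string embeds a Naver login URL. The sample message, its placeholder domains, the `BRAND_DOMAINS` list and the function names are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, unquote

BRAND = "naver"
BRAND_DOMAINS = ("naver.com",)  # assumption: domains the brand really sends from and links to

# Constructed sample message (placeholder domains, not the indicators from the report).
SAMPLE = (
    'From: "NAVER" <notice@mail-provider.example>\n'
    "To: recipient@naver.com\n"
    "Subject: [NAVER] Your post has been temporarily removed\n"
    "Authentication-Results: mx.example; spf=pass smtp.mailfrom=mail-provider.example;"
    " dkim=pass header.d=mail-provider.example; dmarc=pass header.from=mail-provider.example\n"
    "\n"
    "Review the removal: http://nid.login.phish.example/bloguser/?menu=security"
    "&m=https%3A%2F%2Fnid.naver.com%2Fnidlogin.login%3Furl%3Dhttp%253A%252F%252Fmail.naver.com%252F\n"
)

def in_brand(host):
    """True if host is a brand domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    claims_brand = BRAND in f"{name} {msg.get('Subject', '')}".lower()
    auth = msg.get("Authentication-Results", "").lower()
    auth_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    # A pass result authenticates from_domain only; the display name is unauthenticated text.
    if claims_brand and not in_brand(from_domain):
        note = " (SPF/DKIM/DMARC pass for that domain)" if auth_pass else ""
        findings.append(f"brand '{BRAND}' claimed but From domain is {from_domain}{note}")
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        parts = urlsplit(url)
        if in_brand(parts.hostname):
            continue
        query = parts.query
        for _ in range(3):  # the redirect parameter may be percent-encoded more than once
            query = unquote(query)
        if any(d in query.lower() for d in BRAND_DOMAINS):
            findings.append(f"link host {parts.hostname} is not {BRAND} but its query embeds a {BRAND} URL")
    return findings
```
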
Full Story: https://wezard4u.tistory.com/429415