Phishing Alert: Kimsuky Hackers Masquerade as Tax Authority with ‘September Tax Return Due Date’ Email


Cybersecurity: Phishing Campaign Targeting South Korean Internet Users

A sophisticated phishing campaign attributed to the North Korean threat actor known as Kimsuky is targeting South Korean internet users. The campaign involves malicious emails impersonating official notices from the National Tax Service (NTS) regarding a “September Tax Return Payment Due Notice.” These emails urge recipients to click a link to view an electronic document.

Email Characteristics and Infrastructure

The phishing emails use personalized information to enhance credibility, posing a significant risk to Naver account holders. The email’s subject line mentions a payment deadline: “September Tax Return Payment Due Notice (Verification Deadline: August 31, 2025, 11:59 PM).” Although the email claims to be from the NTS, its sending infrastructure is traced to the Mail(.ru) network, indicating a compromised or rented server resource outside South Korea. Detailed header analysis reveals:

  • Return-Path and Envelope-From fields are set to schimmel2025@list[.]ru.
  • Sender server hostnames include send174(.)j.mail(.)ru → 95[.]163[.]59[.]13, differing from legitimate NTS mail servers.
  • SPF checks pass for the sending .ru domain, DKIM signatures validate using the mail4 selector, and the DMARC policy p=REJECT is honored, showing that the mail was genuinely transmitted through Mail(.ru) infrastructure rather than spoofed.
  • ARC headers indicate the message passed through an authenticated chain with no anomalies.

Time-zone discrepancies further reveal the campaign’s origin. Naver received the email at 16:00:44 UTC on August 25, 2025, while the sender’s server logged dispatch at 19:00:40 +03:00. In Korean time (UTC+9), the mail header timestamp reads August 26, 2025, 01:00:36, aligning with the Moscow time zone rather than Seoul.

Phishing Link Analysis

The domain server-on[.]net is unaffiliated with the NTS. Analysis of the URL’s query string shows a percent-encoded parameter combining Base64 and ROT13 encodings, which, when partially decoded, reveals the recipient’s actual email address. This personalized token indicates targeted phishing.

The table below summarizes the key indicators of compromise (IOCs):

| Indicator Type | Value |
| --- | --- |
| Sender Email Address | schimmel2025@list[.]ru |
| Sender IP | 95[.]163[.]59[.]13 |
| Sender Mail Server Hostnames | send174(.)j.mail(.)ru → 95[.]163[.]59[.]13 |
| Phishing Domain | n-info[.]bill-nts[.]server-on[.]net |
| Query Parameter Encoding | Percent-encoded + Base64/ROT13 mixture |
| Embedded Recipient Identifier | ???@naver[.]com |

Victims who click the link are prompted to log in with Naver credentials, which are then harvested by the attackers. The personalized nature of the query string complicates automated defenses, highlighting the need for careful manual verification.
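As an added example (not code from the original write-up), the Python script below applies the header and URL checks described above to a constructed sample message: it treats the passing SPF/DKIM/DMARC results as expected, compares the claimed brand in the display name against the envelope-from domain, flags a Date header whose offset is not Korean time, and peels the percent/Base64/ROT13 layers of the query parameter to see whether the recipient's own address is embedded in it. The sample headers, the `.go.kr` government-domain check and the token layering (ROT13, then Base64, then percent-encoding) are assumptions for illustration, not details recovered from the campaign.

```python
import base64
import codecs
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import quote, unquote, urlparse

def make_token(addr):
    """ASSUMED token layering: ROT13, then Base64, then percent-encoding."""
    return quote(base64.b64encode(codecs.encode(addr, "rot13").encode()).decode())

def decode_layers(value):
    """Peel percent-encoding, Base64 and ROT13 in turn; return every intermediate."""
    out = [unquote(value)]
    try:
        out.append(base64.b64decode(out[0] + "=" * (-len(out[0]) % 4)).decode())
    except Exception:  # not valid Base64 or not UTF-8: keep what we have
        pass
    return out + [codecs.encode(s, "rot13") for s in out]

def sample_message(rcpt):
    """Constructed sample shaped like the indicators above; not the real mail."""
    return f"""Return-Path: <schimmel2025@list.ru>
Authentication-Results: mx.example.invalid; spf=pass smtp.mailfrom=list.ru; dkim=pass header.d=list.ru; dmarc=pass
From: National Tax Service <schimmel2025@list.ru>
To: {rcpt}
Date: Mon, 25 Aug 2025 19:00:40 +0300

https://n-info.bill-nts.server-on.net/view?u={make_token(rcpt)}"""

def analyze(raw, expected_tz_hours=9, gov_suffix=".go.kr"):
    """Findings; SPF/DKIM/DMARC pass for list.ru, so look past authentication."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    disp, addr = parseaddr(str(msg["From"]))
    env = parseaddr(str(msg["Return-Path"] or addr))[1]  # envelope-from, not From
    dom = env.rsplit("@", 1)[-1].lower()
    if re.search(r"tax service|국세청", disp, re.I) and not dom.endswith(gov_suffix):
        findings.append(f"brand/domain mismatch: '{disp}' sent from {dom}")
    off = parsedate_to_datetime(str(msg["Date"])).utcoffset().total_seconds() / 3600
    if off != expected_tz_hours:
        findings.append(f"Date offset UTC{off:+.0f} is not the expected UTC+{expected_tz_hours}")
    rcpt = parseaddr(str(msg["To"]))[1].lower()
    for url in re.findall(r"https?://\S+", msg.get_content()):
        for pair in urlparse(url).query.split("&"):  # parse_qs would turn '+' into ' '
            key, _, val = pair.partition("=")
            if any(rcpt in s.lower() for s in decode_layers(val)):
                findings.append(f"recipient address embedded in '{key}' of {urlparse(url).hostname}")
    return findings
```

Running `analyze(sample_message("victim@naver.com"))` yields three findings: the brand/domain mismatch, the UTC+3 Date offset, and the recipient address recovered from the `u` parameter, none of which depend on the authentication results.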

Mitigations

Users should avoid clicking links in unsolicited emails, even if they appear to be from trusted government agencies. Instead, they should navigate directly to the official National Tax Service website or the official Naver electronic document portal. Verify the sender’s email address by examining the envelope-from fields in the mail headers.

Organizations should implement URL-sandboxing defenses and deploy machine-learning threat detection to flag uncommon domain patterns and sophisticated encoding in URLs. Continuous security awareness training, combined with robust email filtering and header analysis, will help prevent targeted intrusions before they compromise user accounts.
