네이버 메일 내게쓴 메일함 해킹? 스팸? this account has been hacked! Change all your passwords!

OS환경 : Windows 10 pro 64bit

스팸메일 : this account has been hacked! Change all your passwords!

어느날 네이버 메일함을 보니 내게쓴 메일함에 내 계정이 해킹되었다는 메일이 와있었다.

매일은 아래와 같다.

====받은 메일=====

제목 : this account has been hacked! Change all your passwords!
I have bad news for you.
19/07/2018 - on this day I hacked your operating system and got full access to your account -----0@naver.com
 
It is useless to change the password, my malware intercepts it every time.
 
How it was:
In the software of the router to which you were connected that day, there was a vulnerability.
I first hacked this router and placed my malicious code on it.
When you entered in the Internet, my trojan was installed on the operating system of your device.
 
After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).
 
A month ago, I wanted to lock your device and ask for a small amount of money to unlock.
But I looked at the sites that you regularly visit, and came to the big delight of your favorite resources.
I'm talking about sites for adults.
 
I want to say - you are a big, big pervert. You have unbridled fantasy!!!
 
After that, an idea came to my mind.
I made a screenshot of the intimate website where you have fun (you know what it is about, right?).
After that, I made a screenshot of your joys (using the camera of your device) and joined all together.
It turned out beautifully, do not doubt.
 
I am strongly belive that you would not like to show these pictures to your relatives, friends or colleagues.
I think $748 is a very small amount for my silence.
Besides, I spent a lot of time on you!
 
I accept money only in Bitcoins.
My BTC wallet: 1H9bS7Zb6LEANLkM8yiF8EsoGEtMEeLFvC
 
You do not know how to replenish a Bitcoin wallet?
In any search engine write "how to send money to btc wallet".
 
It's easier than send money to a credit card!
For payment you have a little more than two days (exactly 50 hours).
Do not worry, the timer will start at the moment when you open this letter. Yes, yes .. it has already started!
 
After payment, my virus and dirty photos with you self-destruct automatically.
Narrative, if I do not receive the specified amount from you, then your device will be blocked, and all your contacts will receive a photos with your "joys".
 
I want you to be prudent.
- Do not try to find and destroy my virus! (All your data is already uploaded to a remote server)
- Do not try to contact me (this is not feasible, I sent you an email from your account)
- Various security services will not help you; formatting a disk or destroying a device will not help either, since your data is already on a remote server.
 
P.S. I guarantee you that I will not disturb you again after payment, as you are not my single victim.
 This is a hacker code of honor.
 
From now on, I advise you to use good antiviruses and update them regularly (several times a day)!
 
Don't be mad at me, everyone has their own work.
Farewell.

====받은 메일=====

메일을 요악하면 

[니계정은 해킹되었으니 니가 사진 사진, 웹사이트(뭐 이상한걸 말하는듯)들을 

지인들에게 공유해버리겠다.

그걸 원치않으면 비트코인 지갑으로 돈을 송금해라] 인데

내게쓴메일함에 이게 있어서 처음에는 잠깐 당황했다. 

하지만 결론은 이것은 그냥 스팸 메일일 뿐이니 무시하면된다.

이제 메일을 받고 내가 찾아본걸 작성해보겠다.

1. 먼저 내게쓴 메일함에 저런 메일이 들어가 있어서

해커가 내 계정을 해킹해서 내게쓴 메일함에 메일을 쓴건가? 라고 생각했다.

해킹 했다는 날짜가 18년07월19일이다. 게시글 작성시간은 18년11월20일 90일이 지난 후 메일을 작성한듯하다.

2. 그래서 내 네이버 보안 설정에 들어가 내 활동 기록으로 

이 날짜에 내 계정에 수상한 로그인이 있나 찾아보려했다.

그런데 최대 90일까지만 보관됩니다. 라는 문구가 적혀있었다.

해커들이스팸메일을 보낸놈들이 이걸 알고 메일을 보낸듯하다.

3. 90일 까지만 보관되니 이방법으로는 누가 접속한지 찾을수가 없다.

그래서 보통 일반인들을 진짜 해킹을 당했구나 라고 생각할수도있다.

하지만! IT를 하는 사람은 아니 이 게시글을 읽은사람은 더이상 그렇게 생각하지말고

아래 방법대로 천천히 따라해보면 해킹 당한게 아니란걸 깨닫게된다.

3-1. 해킹당했다는 그 메일에서 ... 을 눌리면 원문보기라는 메뉴가 나오는데 그걸 클릭해서 열어준다.

그럼 아래처럼 원문이 나오는데 거기서 recived 부분을 확인한다.

-------메일 원문보기 전체------

ARC-Seal: i=1; a=rsa-sha256; d=naver.com; s=arc-20180730; t=1542619630;
   cv=none; b=FugIQNGT1CzbkGIfXFsPa27OO8EymC/o/Bh9ACx/Do3B6lHtXj+3XI72YuY5
    +bSid06Vpo/4vCOspBDFTf6E6l/2RuvzdYuxUeHomey2l0704JXlsfcp77y+/F8HaPaaIj
    ardoCpUw0iKJa+ahrf9NfFS9PJTM85h7j1WfynOrT5Zi9BOvoW2rFD4b3XXYfTmiHABdCR
    1ZtJhkFpmK5YEeslItb50gCiBJIHOd7/TsEykyuz6y5+Dq9BddlsqOmPnTND2lIcOmIoWF
    x9wwQhiI/YD2sRPebUXBDoH+ZPddjLTQyGX678+9/J2YvruIxvgVQGE30J78jUuMW70Xux
    gQ==
ARC-Message-Signature: i=1; a=rsa-sha256; d=naver.com; s=arc-20180730;
   t=1542619630; c=relaxed/relaxed;
   bh=sZThefRca/PbZbEqO7xg0PfyZGdQK8ayNS9eVyqY6MQ=;
   h=message-id:from:to:subject:date; b=iHtDHtQGICr+4MOXBeB43MbBVCMra7dRey
    f1Vx/U1Rhn+Thr2MNeK0riOttwxhcVU8UnKXgueNvmr6rkGY77CKB8H43WXtcdBXNSJxKO
    qxnEix+o7i5sXv+6ekpgXBc08K8E/loz25lkEQwOEo8Ss6r/t7DlauAzsUqwcl8Iq/w7yi
    Og/MBVMaGmcxv+S8i+XHb8nFup28NgXHKHWDXvYrQAC8SmMRu9Sn8/iYoGGCknKK6FfHSA
    s42P6Uh2xl8Xrdc2yPKhmLsfMi+hWsoqqbO9gWfiTd489ZJT4PCS0XiOxtbnuxhaWsaNVP
    p27gvjvYedLJ70O7GmLsxr0yevoA==
ARC-Authentication-Results: i=1; mx.naver.com; 
  spf=softfail (mx.naver.com: domain of transitioning -----0@naver.com does not designate 81.43.97.28 as permitted sender) smtp.mailfrom=-----0@naver.com
X-Suspicious-Sender: yes
Received-SPF: softfail (mx.naver.com: domain of transitioning -----0@naver.com does not designate 81.43.97.28 as permitted sender)
  client-ip=81.43.97.28; x-iptype=default;
Authentication-Results: mx.naver.com;
  spf=softfail (mx.naver.com: domain of transitioning -----0@naver.com does not designate 81.43.97.28 as permitted sender) smtp.mailfrom=-----0@naver.com
X-Naver-ESV: wsen+6J4p634WXFY7Bwd+zpC16wYKAvZFqumjJ+Y
X-Session-IP: 81.43.97.28
Received: from 28.red-81-43-97.staticip.rima-tde.net (28.red-81-43-97.staticip.rima-tde.net [81.43.97.28])
  by crcvmail14.nm.naver.com with ESMTP id m4GJHsNwRV+48QZIrG+j+g
  for <-----0@naver.com>;
  Mon, 19 Nov 2018 09:27:10 -0000
Message-ID: <21F46B141ABE8B65B02F505EFACF21F4@3432P4K>
From: <-----0@naver.com>
To: <-----0@naver.com>
Subject: -----0@naver.com - this account has been hacked! Change all your passwords!
Date: 19 Nov 2018 08:10:07 -0100
MIME-Version: 1.0
Content-Type: text/plain;
   charset="ibm852"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5931
 
Hello!
 
I have bad news for you.
19/07/2018 - on this day I hacked your operating system and got full access to your account -----0@naver.com
 
It is useless to change the password, my malware intercepts it every time.
 
How it was:
In the software of the router to which you were connected that day, there was a vulnerability.
I first hacked this router and placed my malicious code on it.
When you entered in the Internet, my trojan was installed on the operating system of your device.
 
After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).
 
A month ago, I wanted to lock your device and ask for a small amount of money to unlock.
But I looked at the sites that you regularly visit, and came to the big delight of your favorite resources.
I'm talking about sites for adults.
 
I want to say - you are a big, big pervert. You have unbridled fantasy!!!
 
After that, an idea came to my mind.
I made a screenshot of the intimate website where you have fun (you know what it is about, right?).
After that, I made a screenshot of your joys (using the camera of your device) and joined all together.
It turned out beautifully, do not doubt.
 
I am strongly belive that you would not like to show these pictures to your relatives, friends or colleagues.
I think $748 is a very small amount for my silence.
Besides, I spent a lot of time on you!
 
I accept money only in Bitcoins.
My BTC wallet: 1H9bS7Zb6LEANLkM8yiF8EsoGEtMEeLFvC
 
You do not know how to replenish a Bitcoin wallet?
In any search engine write "how to send money to btc wallet".
It's easier than send money to a credit card!
 
For payment you have a little more than two days (exactly 50 hours).
Do not worry, the timer will start at the moment when you open this letter. Yes, yes .. it has already started!
 
After payment, my virus and dirty photos with you self-destruct automatically.
Narrative, if I do not receive the specified amount from you, then your device will be blocked, and all your contacts will receive a photos with your "joys".
 
I want you to be prudent.
- Do not try to find and destroy my virus! (All your data is already uploaded to a remote server)
- Do not try to contact me (this is not feasible, I sent you an email from your account)
- Various security services will not help you; formatting a disk or destroying a device will not help either, since your data is already on a remote server.
 
P.S. I guarantee you that I will not disturb you again after payment, as you are not my single victim.
 This is a hacker code of honor.
 
From now on, I advise you to use good antiviruses and update them regularly (several times a day)!
 
Don't be mad at me, everyone has their own work.
Farewell.

-------메일 원문보기 전체------

3-2. recived 부분을 확인하면 아래와 같이 이상한 주소가 있음을 확인할 수 있다.

이 주소를 구글에 검색해보면..

3-3. 이렇게 스팸리포트 관련 글이 나온다. (Spam report~~~)

저 스팸을 보내는곳이 81.43.97.xx 대역인가보다.

3-4. 더 알아보기 위해 내 메일에 있던 IP를 후이즈 IP에서 검색을 해보았다.

(https://xn--c79as89aj0e29b77z.xn--3e0b707e/kor/main.jsp)

3-5. 그 결과는 아래와 같았다. (뭐 그냥 해외IP다)

4. 참고로 내게쓴 메일은 보낼때도 보내기라고 안나오고 저장이라고 나온다.

그래서 실제로 아래와 같이 메일을 저장하고 원문보기로 보면 recived란이 없다.

4-1. 원문보기

4-2. 또 메일로 평문으로 되어있지않고 base64로 인코딩 되어있다.(스팸 메일은 그냥 평문으로 와있음)

왼쪽이 테스트메일, 오른쪽이 스팸메일

5. 이렇게 스팸메일이 오면 당황할 수 있는데 이글을보고 입금하는 일이 없었으면 좋겠다.

그리고 네이버 메일 환경설정에 보면 아래처럼 

내 네이버 메일 주소를 사칭한 메일이 있으면 스팸으로 자동 분류 라는 메뉴가 있다.

이걸 체크해두면 더이상 이런 스팸 메일은 받지 않을 수 있다.

게시글에 -----0@naver.com로 해놓은것과 파란색 박스로 가린건 내 메일주소와 IP이다.

결론 : 1. 이 메일은 그냥 스팸 메일일 뿐이니 무시하면된다.

         2. 더이상 이런 메일을 받기 싫으면 환경설정에서 위 분류항목을 체크하면 된다.

참조 : http://devotionnoath.tistory.com/217

https://help.naver.com/support/contents/contents.help?serviceNo=2342&categoryNo=15030&fbclid=IwAR0OpXTd-yzlM3p2oC_RwkvRUg8TilYL8bo0h33EaVjqPzPH5ZlfYQQWVxo