
N. Korea sends hacking emails using fake accounts

Posted May. 26, 2023 07:55, Updated May. 26, 2023 07:55


Approximately 68% of the "hacking emails" that North Korea sent to individuals and organizations in South Korea over the past three years impersonated officials from domestic portal sites such as Naver and Kakao, it has been revealed.

On Thursday, the National Intelligence Service (NIS) released a report titled "Cyber Attacks and Damages by North Korean Hacking Organizations from 2020 to 2022" containing these findings. According to the NIS, email was the most prevalent method North Korea used in hacking attacks, accounting for 74% of the cases. North Korean hacking organizations sent emails disguised as coming from the administrators of portal sites like Naver; when the recipient clicked on the email, malicious code was implanted on the victim's computer or their account information was extracted. Other methods employed by North Korean hackers included exploiting vulnerabilities in computer security programs (20%) and spreading malware through "watering hole" attacks, where users are lured into accessing specific websites (3%).

Among the institutions most frequently impersonated by North Korea in the hacking emails, Naver topped the list with 45%, followed by Kakao with 23%. Financial, corporate, broadcasting, and media entities accounted for 12%, while diplomatic and security-related institutions made up 6%. In particular, North Korean hacking organizations cleverly modified one or two characters in the official names of companies, as in "Neiver Customer Center," and used these modified names as the sender's name in the emails. The subject lines of these emails included phrases like "The usage of your account has been restricted" or "Overseas login blocking has been activated." The emails also urged the individuals and organizations who opened them to click on buttons such as "Register your account again" or "Delete cookies," allowing the hackers to steal personal information. The senders' email addresses were likewise disguised as "Navor" or "Daurn" to trick users into opening the emails unknowingly.
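The one-or-two-character name changes described above can be screened for on the receiving side. The following is an added example, not code from the NIS report or this article: it flags a From header whose display name or domain is within two edits of a brand name while the mail does not come from that brand's domain. The brand-to-domain allowlist and the sample headers are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumed allowlist (brand -> legitimate sender domains); maintain your own.
# "daum" is included because the article cites "Daurn" as a disguise.
BRANDS = {"naver": {"naver.com"}, "kakao": {"kakao.com"}, "daum": {"daum.net"}}

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return reasons a From header looks like brand impersonation."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    tokens = {"name": re.findall(r"[a-z]+", name.lower()),
              "domain": re.findall(r"[a-z]+", domain)}
    findings = []
    for brand, legit in BRANDS.items():
        # Mail from the brand's own domain (or a subdomain) is not flagged.
        if any(domain == d or domain.endswith("." + d) for d in legit):
            continue
        for where, words in tokens.items():
            for word in words:
                dist = edit_distance(word, brand)
                if dist == 0:
                    findings.append(f"{where} uses '{brand}' but domain is {domain}")
                elif dist <= 2:  # "one or two characters" changed
                    findings.append(f"{where} '{word}' resembles '{brand}'")
    return findings

# Constructed sample headers (not taken from real messages).
SAMPLES = [
    '"Neiver Customer Center" <help@mail-notice.example>',
    '"Naver" <admin@navor.example>',
    '"Naver" <no-reply@naver.com>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "no findings")
```

Short brand names make this a triage signal rather than a verdict: the ordinary word "never" is one edit from "naver" and would be flagged in a display name. The check reads header text only and does not establish whether the message really came from the domain it claims.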

"Even if the sender's name in the email is the same as 'Naver,' the icons for legitimate emails and hacking emails are different," an official from the NIS advised. "It is crucial to verify whether an 'administrator' icon is attached to the sender's name and whether the sender's email address is correct."