TradeMe customers are being warned of a sophisticated phishing attack that has been launched against the popular online auction site.
A Computerworld reader was surprised to receive an email purporting to be from TradeMe asking for his account details. While most links embedded in the email did match those in TradeMe's own emails, such as those to auxiliary TradeMe sites like Old Friends, the link to the user's details led to a fake site based in the US.
TradeMe managing director Sam Morgan says he has already contacted the American ISP hosting the fraudster's site and it has been removed.
"We haven't heard of anyone being caught by it, but it was definitely sophisticated in its approach."
The email read: "During our regular update and verification of the accounts, we could not verify your current information. Either your information has changed or it is incomplete. As a result, your access to bid, buy or sell on Trade Me [sic] has been restricted. To start using fully your Trade Me account, please update and verify your information." The email included TradeMe's kiwi logo and even its standard disclaimer: "TradeMe will never ask for your password via email".
Morgan says he hasn't bothered the police with the issue, despite the obvious intent to defraud customers.
"The police are very busy and I'm sure they don't want to be bothered by this sort of thing."
However, the national manager for the police e-crimes labs, Maarten Kleintjes, says the police certainly do want to hear about such attacks. Speaking to Computerworld earlier this month after TelstraClear reported an attack on its Paradise.Net servers, Kleintjes said the police had developed ties with other national police agencies to better fight online crime.
Even if the hacker were based overseas, Kleintjes says he can contact the police in that jurisdiction to put in place an action plan. "We are part of the G8 sub-group on high tech crime," he says.
"First of all we move to preserve the evidence, so [police] would be in touch with ISPs over there for server logs and get out the preservation orders."
Morgan says the phish was received by a number of TradeMe customers, but he's certain the email addresses did not come from TradeMe servers.
"We've got no idea how he got those addresses but we're confident it wasn't from us. We've got people who use the service with 5,000 feedbacks about auctions so maybe he's compromised their machine and got the emails that way."
Morgan said TradeMe was preparing a "security centre" page for the website to better educate users about the dangers of such attacks.
"Given our scale in the New Zealand internet we need to be a bit more on the front foot in terms of educating general internet users about keeping themselves safe."
A TradeMe newsletter has been sent out highlighting the danger of phishing attacks in particular, which aren't necessarily delivered by email, Morgan says.
"People get these things through various mechanisms. They get them directly through email but they also get them through [instant] messaging and all sorts of things."