Content

Scam targets popular Trade Me auction site

Scammers have unleashed a common phishing attack against users of New Zealand's largest auction website, Trade Me.

About 75 users fell for the fraudulent email, which asks Trade Me members to update their account information, but instead directs them to a spoofed site https://wankdokrc[dot]or[dot]kr/bbs/trademe[dot]php. The cyberthieves use the bogus site to capture passwords.

"There is currently an email circulating that appears to be from Trade Me asking you to confirm your details," the company said Wednesday on its website. "It directs you to a site that looks like Trade Me and asks you to log in. This (email) is not from Trade Me."

The firm, purchased earlier this month for $700 million by John Fairfax Holdings, said users should verify that the Trade Me URL begins with https://www.trademe.co.nz/ each time they log in.

According to Trade Me's Safe Computing Center, the company never asks members to provide their email address, username or password via email.

"Phishers use scare tactics and urgent language to pressure you into submitting confidential data," said a notice on the center's website. "Don't be fooled."

According to the Public Address blog network, Trade Me has about 1.2 million users. The company's internal systems discovered the phishing scheme and advised the affected members to change their passwords.

Some bloggers questioned whether the scam's intent was financially motivated or was conceived by a competitor to attack Trade Me - especially in light of the company's recent sale.

"The bigger question is – why?" Keith Ng wrote on Public Address. "Why would someone want Trade Me passwords? Trade Me does not keep customers' bank account numbers, and their credit cards numbers can only be used to pay Trade Me. So even if I got hold of someone else's login, bought gold bullions on their account, I'd still need to pay for the bloody things (with my own money) before I get my hands on them."

Security experts have said cybercriminals sometimes steal usernames and passwords from one site, hoping they serve as the same login for a banking site.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.