About 75 users fell for the fraudulent email, which asks Trade Me members to update their account information but instead directs them to a spoofed site at http://wankdokrc[dot]or[dot]kr/bbs/trademe[dot]php. The cyberthieves use the bogus site to capture passwords.
"There is currently an email circulating that appears to be from Trade Me asking you to confirm your details," the company said Wednesday on its website. "It directs you to a site that looks like Trade Me and asks you to log in. This (email) is not from Trade Me."
The firm, purchased earlier this month for $700 million by John Fairfax Holdings, said users should verify that the Trade Me URL begins with http://www.trademe.co.nz/ each time they log in.
According to Trade Me's Safe Computing Center, the company never asks members to provide their email address, username or password via email.
"Phishers use scare tactics and urgent language to pressure you into submitting confidential data," said a notice on the center's website. "Don't be fooled."
According to the Public Address blog network, Trade Me has about 1.2 million users. The company's internal systems discovered the phishing scheme and advised the affected members to change their passwords.
Some bloggers questioned whether the scam's intent was financially motivated or was conceived by a competitor to attack Trade Me - especially in light of the company's recent sale.
"The bigger question is – why?" Keith Ng wrote on Public Address. "Why would someone want Trade Me passwords? Trade Me does not keep customers' bank account numbers, and their credit card numbers can only be used to pay Trade Me. So even if I got hold of someone else's login, bought gold bullions on their account, I'd still need to pay for the bloody things (with my own money) before I get my hands on them."
Security experts have said cybercriminals sometimes steal usernames and passwords from one site, hoping they serve as the same login for a banking site.