Phishing scam targeting Trade Me accounts

Forums › Off topic › Phishing scam targeting Trade Me accounts

freitasm

BDFL - Memuneh
79253 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#18676 19-Jan-2008 08:03

After a long time without visiting Trade Me last night I searched for a MCE Remote Control. I placed an autobid and some time at 12:35am I was outbid.

At 12:37am I received an email pretending to be from Trade Me asking to click to confirm personal information. The link actually went to

These are the e-mail headers:

Microsoft Mail Internet Headers Version 2.0
Received: from mail.monthisa.com ([80.251.74.30]) by [my exchange IP] with Microsoft SMTPSVC(6.0.3790.3959);
Sat, 19 Jan 2008 00:36:37 +1300
Received: from server ([70.147.192.43]) by mail.monthisa.com with Microsoft SMTPSVC(6.0.3790.1830);
Fri, 18 Jan 2008 12:36:34 +0100
From: "Trade Me"
Subject: Trade Me -- Important Message
Date: Fri, 18 Jan 2008 05:30:18 -0600
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: x.x@xxx.xxx
Message-ID:
X-OriginalArrivalTime: 18 Jan 2008 11:36:34.0753 (UTC) FILETIME=[6119B310:01C859C6]

The link redirected to this fake page: http://211.47.66.161/~test1/trade.co.nz/index.html (URL not linked to prevent people actually entering personal infomation there).

Note it's a phishing scam, do not enter your information there.

I contacted Trade Me through their form, but surprisiginly there's nowhere to report scams or phishing attempts. Of all options there is none related to security or safety. I will report back their findings.

wazzageek

1093 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#105640 19-Jan-2008 08:47

I assume that the "abuse@" email address works for trademe?

In the past most of the phishing attacks that have been filtered through to me have been banks - in which case I normally phoned them directly on the customer services line - originally I used to explain briefly why I was ringing and ask to be put through to someone who can deals with internet security. Now, the banks have educated the people on the helpdesk (to the point where they are trying to protect you, even if you don't bank with them).

Ordinarily, I would also contact either the hosting provider as well to inform them of the links (if they were still active at the time) - or I would try to contact the block owner (and let it filter down to the right person).

Once that is done, I generally do not expect a response - particularly from the bigger US players, who general respond with "It's been dealt with, but we can't give you any more information than that due to privacy concerns ..."

NZNOG used to discuss phishing attacks from time to time - I haven't been lurking there for a while now, so I couldn't say whether they really do or not. (Their archives are also available online)

Generally, the region where the page is hosted I haven't had much luck in getting responses.

My 2c.

UPDATE: I visited the trademe website - clicked through to "Help", then the "Safe computing centre". There they have a link for phishing emails and at the bottom of that page is (I've replace the at symbol:

Please forward any phishing emails or fake Trade Me websites to abuse[at]trademe.co.nz

freitasm

BDFL - Memuneh
79253 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#105642 19-Jan-2008 09:16

Thanks for the information. I've forwarded the message and header information to the abuse address.

The block and host ares in South Korea so I won't go there - Trademe has just sent me an automated response so let them deal with it now.

NokiaRocks

364 posts

Ultimate Geek

Trusted

#105644 19-Jan-2008 09:43

I've entered in some fake information. Hopefully if nothing else it will slow them down for a bit.

ajobbins

5052 posts

Uber Geek

Trusted

#105652 19-Jan-2008 10:41

Site is flagged as a phishing site in IE7. Have just reported to FF (Although it already would have been done, the more reports the faster they will flag it (I assume))

manhinli

2483 posts

Uber Geek

Trusted

#105653 19-Jan-2008 10:50

I got it too - except my family (yes, it's a family account) signed up using my mum's email and not mine. Nice try [insert your worst analogy of a hoaxer].

I left them a message.

Find me on Twitter!

I posted 1, 2 x 10^3 times!

freitasm

BDFL - Memuneh
79253 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#105698 19-Jan-2008 17:06

Ok, so I got a reply from Trade Me support - which I contacted before sending the message to the abuse address:

Dear Mauricio,

Thanks for contacting us.

The message you have received is not genuine.

If you have entered your Trade Me login details into the bogus site, please change your password through the My Trade Me page as soon as possible.

Otherwise please delete the email from your inbox.

Hmmm. Hello, thanks for the canned reply but did you spend more than five seconds reading my original message?

In my first e-mail I explicityl said "I've received a phishing e-mail, here is the information, the address, could you please take action".

I didn't ask if the message was genuine or not. I had already asserted that. I was notifying their contact centre and asking them to take action, not asking for advice.

People don't read emails. People don't understand questions. People reply with canned responses.

By the way, this is exactly the reply I told my wife I would get. How could I be so right? It seems all CSRs, from any company, go for the same training...

manhinli

2483 posts

Uber Geek

Trusted

#105700 19-Jan-2008 17:19

I think unlike banks, that when a affected/scammed user tells Trade Me, that they don't need to deal with the many issues involved in shutting down an account. E.g. Losses and money.

So they just post an announcement that phishers have scammed X number of users and that they should contact them immediately and learn from it - like those infrequent bank login messages warning of 'recent' attacks.

Find me on Twitter!

I posted 1, 2 x 10^3 times!