TradeMe phishing scams - from 5 June 2011

Phishing scams, hijacking of TM accounts, keyloggers and all manner of other nasties. This is the place to report them and get help if you've been hit.
Post Reply
User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

TradeMe phishing scams - from 5 June 2011

Post by digidog » Sun Jun 05, 2011 6:56 am

From: Trade Me <noreply@safetrader.co.nz>
Subject: Trade Me - Your account has been suspended

Dear Trade Me user,



Trade Me always looks forward for the high security of our clients. During
our regularly scheduled account maintenance and verification procedures,
we have detected a slight error in your account information.This might be
due to either of the following reasons:



1. A recent change in your personal information.

2. Submitting invalid information during the initial sign in process.



Due to this, you are requested to please update and verify your
information below:



http://trade-me-online.net/?Account/Restore.hml" onclick="window.open(this.href);return false;
[ Caution: Live phishing site ]


We thank you for your prompt attention to this matter. Please understand
that this is a security measure intended to help protect you and your
account. We apologize for any inconvenience.



J. S. Smith

Security Advisor

Trade Me Ltd.



Trade Me - An Urgent Warning
The link goes to an Italian site which currently has this message.
Sito web in manutenzione

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Post by digidog » Tue Jun 07, 2011 12:45 am

Here's yet another phishing scam following up on yesterday's one. Note that this scam uses a
redirect from twohandsdancing.com to the actual phishing site at thewritersheart.com.
Subject: Please restore your online access!

Security Note: Trade Me will never ask you for your password via email

We regret to inform you that if you did not re-update your account information, your Trade Me
account will be suspended for a period of 3-4 days and as result it will be terminated.

Also we regret to inform you that if you don't re-update your account, you have to register a
new one and this will require a new registration fee.

For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend,
indefinitely suspend of terminate your membership and refuse to provide our services to you if
we belive that your actions may cause financial loss or legal liability for you, our users or us.

Please continue here and login to your account in order to re-update it.
Links to: http://trademe.co.nz.Members.Login.aspx ... ancing.com" onclick="window.open(this.href);return false;
Careful - this is a live phishing site!


Our customer support team is also available to help address any concerns you have. If you're
not sure if a message you've received is genuinely from Trade Me just get in touch with us via
the contact us link on the site. We'll be happy to confirm if the email you've received is from
us or not.

Happy trading!

The Trade Me Team
http://www.trademe.co.nz" onclick="window.open(this.href);return false;

User avatar
Googlybear
Members
Posts: 2108
Joined: Mon Feb 19, 2007 10:51 am
Location: Auckland

Re: New TradeMe phishing scam - 5 June 2011

Post by Googlybear » Fri Jun 10, 2011 8:19 am

and another try
Change of email address request


Thank you for submitting your change of email address request.
Instructions on completing the change have been sent to your new email address. Once the process is completed, your TradeMe-related email will no longer be routed to this email address.

If you did not make this change, check with family members and others who may have access to your account first.
If you still feel that an unauthorised person has changed your email,
get help here:


Change of email address request was made from:
IP Address: 121.98.238.157
ISP Host: 121.98.238.157
The active Link is http://161.58.109.173/imanager.bak/labe ... /index.php" onclick="window.open(this.href);return false;
Website was active this afternoon but is now removed

One of the worst ones.
No TM Graphics or Links (apart from the phish link)
poor formatting
Some idiot will still be duped though. :?

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

Re: New TradeMe phishing scam - 5 June 2011

Post by Foggyone » Fri Jun 10, 2011 7:00 pm

I'm not sure what happened to you, but the copy of the email sent to me was well formatted, and had TM logo. It looked quite professional. Perhaps you were not viewing it with the benefit of HTML.

The phish itself, hosted on a compromised site (Herbion.com), looked to phish both Trademe login credentials and also credit card details. This was likewise well produced. The site has been deleted this morning.
Google, the answer to so many questions!
-----------------------------------------------------

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

Todays Example

Post by Foggyone » Mon Jun 13, 2011 3:06 am

Google, the answer to so many questions!
-----------------------------------------------------

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Post by digidog » Mon Jun 13, 2011 3:24 am

I've just received FOUR (count em) phishing emails targeting TradeMe. The first two are similar
to the last one I posted (above) and lead to this site:

Careful: live phishing site
http://trademe.co.nz.members.login.aspx ... anels.org/" onclick="window.open(this.href);return false;

The other two merely say that TM hasn't received "the forms" and urges me to complete them
asap. Oddly, there are NO live phishing links in the last two.

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

Re: TradeMe phishing scams - from 5 June 2011

Post by Foggyone » Mon Jun 13, 2011 3:34 am

Alf

Your posting is down already.

Looks like it's make hay time.

The one I posted is still live, stealing both Bill Gates Trademe login, and also looking for credit card details (not supplied, I don't think Bill could afford being robbed).
Google, the answer to so many questions!
-----------------------------------------------------

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Post by digidog » Mon Jun 13, 2011 5:46 am

I'm impressed. I received an email from TM saying that I'd visited a phishing site and
my membership was temporarily suspended until I ring an 0800 number. Erin was very
pleasant to deal with and after ascertaining that I definitely had not entered any info
on the phishing site had me up and running again in seconds.

Well done TradeMe!

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

Re: TradeMe phishing scams - from 5 June 2011

Post by Foggyone » Mon Jun 13, 2011 7:46 am

Digidog wrote:I'm impressed.
Well, I;m not. I went through the whole thing and landed back onto TM without so much as a whisper.

No account, and no cookies enabled for TM may have a bearing. Anyone without cookies enabled for TM would NOT get contacted, and have been left out to dry. I still maintain that education is the key, and TM are in a key position to do so. They've done a little, but I believe they missed the boat.
Google, the answer to so many questions!
-----------------------------------------------------

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Post by digidog » Mon Jun 13, 2011 8:20 pm

If you weren't logged in TM couldn't lock your account. And a serial cookie deleter like yourself
would not be IDed on the TM system.

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Post by digidog » Sun Aug 21, 2011 7:35 pm

Security Note: Trade Me will never ask you for your password via email

We regret to inform you that if you did not re-update your account information your Trade Me account will be
suspended for a period of 3-4 days and as result it will be terminated.

Also we regret to inform you that if you don't re-update your account, you have to register a new one and this
will require a new registration fee.

For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely
suspend of terminate your membership and refuse to provide our services to you if we belive that your actions
may cause financial loss or legal liability for youi, our users or us.

Please click here and login to your account in order to re-update it.


Happy trading!

The Trade Me Team
http://www.trademe.co.nz" onclick="window.open(this.href);return false;




 advertisement
Link leads to:
Careful: live phishing site
http://trademe.co.nz-members-login.aspx ... ology.com/" onclick="window.open(this.href);return false;

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

Re: TradeMe phishing scams - from 5 June 2011

Post by Foggyone » Sun Aug 21, 2011 8:18 pm

The above is very clever in the use of a long URL. The URL looks OK in the browser address bar, but the telltale portion is hidden off the end of the address block (at least in a 1024x768 screen resolution).

I see from the page source they have stripped out the site counter code. This is usually left in.

Just another in a long line of hijacked sites, looking to hijack TM credentials. Must still be value in doing this.
Google, the answer to so many questions!
-----------------------------------------------------

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Post by digidog » Sun Sep 18, 2011 2:37 am

Another TradeMe phishing scam using a long URL to obscure the actual address. It's iliterate (note the
"belive" and "youi") and hosted in the US.
Security Note: Trade Me will never ask you for your password via email

For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend
of terminate your membership and refuse to provide our services to you if we belive that your actions may cause
financial loss or legal liability for youi, our users or us.

Please click here and login to your account in order to re-update it.

Happy trading!

The Trade Me Team
http://www.trademe.co.nz" onclick="window.open(this.href);return false;
Care: live TM phishing site
http://trademe.co.nz-members-login.aspx ... iness.com/" onclick="window.open(this.href);return false;

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

Re: TradeMe phishing scams - from 5 June 2011

Post by Foggyone » Sun Sep 18, 2011 4:05 am

Rerun from May.

Must have been successful last time, otherwise they would not be reusing.

Goes to a phish to grab credit card details, then to a thank you page (even if no details are input), then drops through to Google.
Google, the answer to so many questions!
-----------------------------------------------------

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Re: TradeMe phishing scams - from 5 June 2011

Post by digidog » Thu May 02, 2013 7:13 am

It's been quiet for the last eighteen months... far too quiet Carruthers! But finally another TM phishing email is doing the rounds. After all, when you have a huge list of TM email addresses, what else can you do with them? This one begins with...
Dear (Member), We believe someone may have tried to access your Trade Me membership without your approval. As a security precaution we have temporarily restricted access to your membership, although all your listings are still live on the site.

It then asks users to go to a phishing site to "update" their password and hand over their TM credentials to the scammers.

http://www.nzherald.co.nz/nz/news/artic ... d=10881164" onclick="window.open(this.href);return false;

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest