Mike O'Donnell, Head of Business at TradeMe, confirms that a phishing attacking is doing the rounds, but says that only around 75 TradeMe users have had their passwords stolen. Presumably a great deal more people received the email, but O'Donnell says that users are wising up and becoming less likely to be suckered in.
The compromised accounts were picked up by TradeMe's own internal systems that specifically detects accounts that have been hijacked by phishers (phishermen?), though O'Donnell wouldn't tell me how they work, as that would allow them to be circumvented.
O'Donnell also makes the point that TradeMe has 1.2 million users, and that only 75 were affected. All the flagged users have been contacted to have their passwords changed.
I've had a fantastic response to this issue. Thanks to everyone who wrote in.
Matt Nippert, formerly of the Hutt, suggests one way of scamming these accounts:
How's about listing expensive items for sale (you know, microdot cellphones, wall-size televisions), collecting the money and not delivering?
Usually, people are suspicious of first-time sellers trying to fence heaps of pricey goods - the trade history acts as quite a good incentive for good behaviour. But if you can steal an account with a track-record of credibility? You're home and hosed."
TradeMe deals in trust, so it makes sense for people to try to "steal" that trust. However, you'd still need to collect the money. I suppose a fake bank account is possible (though requiring a whole lot of effort and a different criminal skill-set); or you could get people to send cheques.
Alf West, over at Scambusters, cites one case where this problem was avoided by the scammer skipping the country - after collecting almost $21,000 from TradeMe buyers.
West suggests that it may be the work of a Romanian group that Scambusters have been following. This group usually posts fake auctions and requires you to wire the money via Western Union. The site also has a range of other documented TradeMe scams.
A few readers suggest that the aim may not be TradeMe itself. Many users use the same passwords for all their transactions, and so having access to their TradeMe passwords may allow them to get access to other accounts.
Duane Griffin, however, points to a more insidious possibility - extortion.
My guess would be a good old-fashioned protection racket. TradeMe gets a note saying, 'Nice business you got there. Shame if something was to happen to it'. Apparently this sort of thing is quite common in certain sectors, although the attacks are usually DDoS campaigns. See, for example,
[this story on cyber extortion]."
It's a very interesting suggestion - especially since TradeMe is now owned by a big-ass multinational sugar-daddy with deep pockets. However, Mike O'Donnell says emphatically that TradeMe has never been the victim of extortion attempts.
[Geekspeak begins]
Heather Gaye explains that fake page is only generated by a programme on the server, and the captured password is processed by this programme.
Since the code is invisible to anyone without access to the web server, it's not really possible to work out exactly what's happening to your details. Mind you, most likely the culprit (excluding the possibility that they're a shit-hot hacker) has admin rights to that server, so if you can find a Korean scuba-diving enthusiast to help with the translation, you might be able to track down your culprit, or at least follow the breadcrumbs a little further."
Mark Montgomerie also notes that the email server is a known spam server.
Duane Griffin sums it up:
Probably not much point trying to follow the email trail, most likely it will just lead to innocent but insecure third-parties. The host harvesting the details also looks like a cracked 3rd party server. The site it is on seems to be a legit company.
The page is being generated by a PHP script and it is just sending the details to itself. What the script then does with it is impossible to tell without cooperation from the server admins or their ISP. TradeMe's security team and/or the cops will no doubt be looking into that as a matter of urgency. If the attackers are sensible they will be sending the data somewhere they can pick it up untraceably, though. If they are smart they will be virtually impossible to trace."
[Geekspeak ends]