OnPoint by Keith Ng

WARNING: TradeMe Scam in Progress

TradeMe is under attack. More precisely, a "phishing" campaign is targeting New Zealand emails in the hopes of penetrating TradeMe. Why? I don't know...

I received an email entitled "TradeMe Account Security Measures" from TradeMe:

We recently noticed one or more attempts to log in to your TradeMe account from a different IP address.

If you recently accessed your account while traveling, the unusual log in attempts may have been initiated by you. However, if you did not initiate the log ins, please visit TradeMe as soon as possible to check-up your account information:

http://www.trademe.co.nz/members/login.aspx

Thanks for your patience.

Sincerely, TradeMe

The last real phishing email I received was purportedly from Westpac. It sounded like it was written by a bunch of Russian teenagers (it probably was), so it didn't stand much of a chance. But this one was good - good grammar, good spelling, got the corporate tone down. It could've fooled me.

Unfortunately for them, I have multiple emails, and my Salient account has never been used for TradeMe. And my trusty open-source email client (Sylpheed-Claws) warned me that the trademe.co.nz link was a fake that took me to http://wandokrc.or.kr/bbs/trademe.php (DO NOT ENTER YOUR DETAILS HERE) instead.

It looks perfect. But then, of course it would, since they just copied the TradeMe page and altered some of the code so that it collects your login details.

I've been trying to do more sleuthing on this, but unfortunately I've reached the limits of my geek prowess, so - and this is one of the experimental aspects of this blog - I'm asking you, dear readers, to help. Think of it as open-source journalism.

[Geekspeak begins]

I'm not sure if there's much of a trail, but so far, I've linked the original email (see below) to a server called www4.pcdc.net. The WHOIS search came up with nothing, so I can't go any further with the email trail. There's a reference to http://adamisasexybitch.us/, but I don't know what to make of it.

The fake login page itself is right here. I've looked through the page source, but have been unable to find where the page is submitting the information to. It's probably because I wouldn't know a Java applet from my arse. Help?

[Geekspeak ends]

Suffice to say, this is obviously a scam to steal your password. And obviously, don't give them your password! Make sure you check the URL bar at the top of your browser. If it doesn't start with http://www.trademe.co.nz, then you're not really at TradeMe.

But the bigger question is - why? Why would someone want TradeMe passwords? TradeMe does not keep customers' bank account numbers, and their credit card numbers can only be used to pay TradeMe. So even if I got hold of someone else's login, bought gold bullions on his account, I'd still need to pay for the bloody things (with my own money) before I could get my hands on them. And I'd need a physical address, which surely is the downfall of any internet criminal.

The worst that I can do is make the user commit to a whole lot of transactions that would never be completed, and to funnel more money into TradeMe. This makes me *very* suspicious.

Given that there is no obvious financial gain, I can only guess that this is an attack on TradeMe itself. Perhaps this has something to do with TradeMe's recent sale. Or perhaps a competitor is trying to discredit TradeMe. Or perhaps there's a way to profit off stolen accounts, but I haven't thought of it yet.

It's more than an act of whimsy, though. The perpetrator was skilled, had access to an email server, and most importantly, had some kind of spam list (a good spam list is worth good money).

And unlike the Westpac scam, this wasn't just a crew that targeted banks everywhere and just chanced upon a bank in New Zealand. They were aiming for TradeMe.

If you've received this email, please drop me a line. Maybe a pattern of who's been receiving it will begin to emerge. And if you've got more information, drop me a line too.

Checking out these fake pages is an interesting exercise, and alerts you as to how a little attention to detail can make it visually indistinguishable from the real thing. Just don't forget to close the page once you're done, lest you forget about it later and try to log on!

And if you're ever in doubt, change your password.

[Email source attached. keith@salient.org.nz is an alias for my Paradise account.]

--start--

Return-Path:
Delivered-To: MUNGED@paradise.net.nz
X-Envelope-To: MUNGED@paradise.net.nz
Received: (qmail 5846 invoked from network); 11 Apr 2006 09:57:50 -0000
Received: from tclsnelb1-src-1.paradise.net.nz (HELO linda-4.paradise.net.nz) (203.96.152.172)
by internal-pop3-2.paradise.net.nz with SMTP; 11 Apr 2006 09:57:50 -0000
Received: from smtp-3.paradise.net.nz
(tclsnelb1-src-1.paradise.net.nz [203.96.152.172]) by linda-4.paradise.net.nz
(Paradise.net.nz) with ESMTP id <0IXJ00K5FYCEYV@linda-4.paradise.net.nz> for
MUNGED@paradise.net.nz; Tue, 11 Apr 2006 21:57:50 +1200 (NZST)
Received: from plus18.host4u.net (plus18.host4u.net [69.94.56.85])
by smtp-3.paradise.net.nz (Postfix) with ESMTP id CD15715B968E for
; Tue, 11 Apr 2006 21:57:49 +1200 (NZST)
Received: from www4.pcdc.net (www4.pcdc.net [66.199.181.4])
by plus18.host4u.net (8.11.6/8.11.6) with ESMTP id k3B9vmR22906 for
; Tue, 11 Apr 2006 04:57:48 -0500
Received: from nobody by www4.pcdc.net with local (Exim 4.52)
id 1FTFd5-00067I-Rs for keith@salient.org.nz; Tue, 11 Apr 2006 05:57:47 -0400
Date: Tue, 11 Apr 2006 05:57:47 -0400
From: mailer@trademe.co.nz
Subject: TradeMe Account Security Measures
To: keith@salient.org.nz
Reply-to: mailer@trademe.co.nz
Message-id:
MIME-version: 1.0
Content-type: text/html
Content-transfer-encoding: 8bit
X-AntiAbuse: This header was added to track abuse,
please include it with any abuse report
X-AntiAbuse: Primary Hostname - www4.pcdc.net
X-AntiAbuse: Original Domain - salient.org.nz
X-AntiAbuse: Originator/Caller UID/GID - [99 32339] / [47 12]
X-AntiAbuse: Sender Address Domain - www4.pcdc.net
X-Source:
X-Source-Args: /usr/local/apache/bin/httpd -DSSL
X-Source-Dir: adamisasexybitch.us:/public_html/forums/images/avatars

Dear keith@salient.org.nz
,


We recently noticed one or more attempts to log in to your TradeMe account
from a different IP address.


If you recently accessed your account while traveling, the unusual log in
attempts may have been initiated by you. However, if you did not initiate
the log ins, please visit TradeMe as soon as possible to check-up your
account information:


http://www.trademe.co.nz/members/login.aspx


Thanks for your patience.


Sincerely,
TradeMe


----------------------------------------------------------------


Please do not reply to this e-mail. Mail sent to this address cannot be
answered.


Email ID 376223

--end--