About 75 users fell for the fraudulent email, which asks Trade Me members to update their account information, but instead directs them to a spoofed site http://wankdokrc[dot]or[dot]kr/bbs/trademe[dot]php. The cyberthieves use the bogus site to capture passwords.
"There is currently an email circulating that appears to be from Trade Me asking you to confirm your details," the company said Wednesday on its website. "It directs you to a site that looks like Trade Me and asks you to log in. This (email) is not from Trade Me."
The firm, purchased earlier this month for $700 million by John Fairfax Holdings, said users should verify that the Trade Me URL begins with http://www.trademe.co.nz/ each time they log in.
According to Trade Me's Safe Computing Center, the company never asks members to provide their email address, username or password via email.
"Phishers use scare tactics and urgent language to pressure you into submitting confidential data," said a notice on the center's website. "Don't be fooled."
According to the Public Address blog network, Trade Me has about 1.2 million users. The company's internal systems discovered the phishing scheme and advised the affected members to change their passwords.
Some bloggers questioned whether the scam's intent was financially motivated or was conceived by a competitor to attack Trade Me - especially in light of the company's recent sale.
"The bigger question is – why?" Keith Ng wrote on Public Address. "Why would someone want Trade Me passwords? Trade Me does not keep customers' bank account numbers, and their credit cards numbers can only be used to pay Trade Me. So even if I got hold of someone else's login, bought gold bullions on their account, I'd still need to pay for the bloody things (with my own money) before I get my hands on them."
Security experts have said cybercriminals sometimes steal usernames and passwords from one site, hoping they serve as the same login for a banking site.