Anatomy of a Marketplace Phishing Scam: The Scamsite Intermediary Method
This image captures a live instance of a highly convincing phishing campaign targeting users of Tise (tise.com), a popular Norwegian and Nordic second-hand marketplace. The layout mimics an official security notification, utilizing precise brand elements to manipulate the victim under a manufactured state of urgency.
The Vector of Attack
The scam typically originates directly within the official marketplace chat infrastructure or via a smishing (SMS phishing) message. A fraudulent buyer expresses interest in an item listed by the victim, claims to have made a payment, and sends a short link to “confirm the sale” or “receive the funds.”
Once clicked, the link routes the victim through a shortener or intermediate proxy to mask the toxic domain from automated defensive scanners, landing them on this deceptive interface.
The Deceptive Interface Analysis
The attackers built an accurate visual clone of the platform to exploit user familiarity and neutralize suspicion:
- Brand Impersonation (The Identity Theft): The page perfectly replicates the official typography, logo formatting, search bar layout, and corporate color palette of Tise. It uses flawless Norwegian text to maximize credibility among local targets.
- Artificial Urgency (The 24-Hour Lockdown): The heading reads: “Hei, din Tise-konto er midlertidig begrenset” (Hi, your Tise account is temporarily restricted). The copy states that the seller account has been locked and demands the user confirm their identity and bank details within 24 hours (“innen 24 timer”). This psychological pressure forces immediate action, hindering the victim from double-checking the technical architecture.
- The Payment Gateway Trap: The call-to-action button “Verifiser nå” (Verify now) does not lead to an identity verification portal. It acts as a gateway to a credential and credit card harvesting script. Clicking it opens a form designed to capture complete credit card numbers, expiration dates, CVV codes, and BankID codes, allowing the perpetrators to initiate unauthorized wire transfers immediately.
Key Red Flags for Fraud Detection
- Unaffiliated Domain Structure: The address bar reveals the domain ordernzt.net, which has absolutely no legal or infrastructure relation to the official platform (tise.no or tise.com). Attackers buy cheap, generic domains to host transient infrastructure.
- Reverse Verification Logic: Legitimate marketplaces never demand a seller enter full credit card and banking details to receive funds for a sold item. Payments are handled natively through pre-linked bank accounts (IBAN/BIC) without requiring secondary authentication.
- Mismatched Technical Indicators: While the page title in the browser tab attempts to mimic authenticity by displaying “Tise | TISE.NO”, the actual underlying URL and the lack of official security certificates tied to the actual company prove the site is an entirely fraudulent entity.