[personal profile] da
I received a phishing email at work from my bank (TD) which used a url-redirector at THE REAL BANK'S WEBSITE to get to the fake site.

That is: www.tdcanadatrust·com/servlet/infosite.servlet.OutBoundServlet?RequestedPage=phishing·url/urgent_verifying/update.inf

Thunderbird didn't think it was phishing. The destination URL originally went to a copy of the bank's site; two hours later, it was deactivated by the host, and Firefox warns it is a phishing attempt.

The bank hasn't deactivated the redirector. I'm curious how long it will stay active. They should be pretty embarrassed; this isn't rocket-science, and there's no reason you should be able to pull crap like this.

Date: Monday, 19 November 2007 09:47 pm (UTC)
From: [identity profile] sachmet.livejournal.com
It's hardly even a new attack vector (http://catless.ncl.ac.uk/Risks/23.73.html#subj7).

Idiots.

Date: Monday, 19 November 2007 09:54 pm (UTC)
From: [identity profile] da-lj.livejournal.com
Damn right it's not new. :P

Date: Monday, 19 November 2007 09:52 pm (UTC)
From: [personal profile] chezmax
Did you write them, or call them?

Date: Monday, 19 November 2007 10:07 pm (UTC)
From: [identity profile] da-lj.livejournal.com
Wrote them a little sumthin'.

Date: Monday, 19 November 2007 09:53 pm (UTC)
From: [personal profile] chezmax
The redirector appears to be gone now...

Date: Monday, 19 November 2007 10:08 pm (UTC)
From: [personal profile] chezmax
I've sent an email to them regarding this.

Date: Tuesday, 20 November 2007 01:56 am (UTC)
From: [identity profile] da-lj.livejournal.com
Ha ha ha. They sent me a generic "it sounds like you're describing a phishing email. here's what phishing is. please send us the email and immediately delete it. thanks for telling us. and here's an ad for more financial services." *eye-roll*

Date: Tuesday, 20 November 2007 03:12 am (UTC)
From: [personal profile] chezmax
Hey, I got the same one!

Date: Tuesday, 20 November 2007 03:16 am (UTC)
From: [personal profile] chezmax
I replied to it, a little more harshly worded.

Date: Tuesday, 20 November 2007 03:40 am (UTC)
From: [identity profile] da-lj.livejournal.com
You sent the (below) boilerplate explaining what "phishing" means. I know
what phishing means, and that is why I referred to it in my original note.

The point I would like to make is that *your* web-servers have a
security hole which *facilitates* fraudulent phishing attempts, by
giving out the ability to create a malicious URL. Anyone can
construct a fraudulent scheme and hide its URL behind your domain.
There is no good reason for this, other than lazy
system design and programming. Your servlet redirections should only be
allowed from internal referers, at bare minimum.

My email program (Thunderbird) and my web-browser (Firefox) both have
anti-phishing tools. They are hampered by the security hole that TD
has introduced.

If you would like, I can continue to describe how this is a security
hole, but I would much prefer if you could tell me that your security
people were working on it instead, as I have already entrusted you
with the responsibility of protecting my investments.

Thank you for your kind attention,
/s
Sent to the addresses they provided, and the CEO of TD, Edmund.Clark@td.com
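The letter above argues that the OutBoundServlet should not redirect to arbitrary targets and suggests, as a bare minimum, restricting it to internal referers. The following is an added example, not code from the original post or from TD, showing what a hardened version of such a redirector looks like: it resolves the RequestedPage parameter only to a site-relative path or to a host on a fixed allow-list, and refuses everything else. The host names (www.bank.example, easyweb.bank.example, phishing.example) are constructed placeholders. It uses a destination allow-list rather than the Referer check the letter proposes because the Referer header is frequently absent and is not by itself a reliable authorization signal.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed placeholders for the bank's own hosts; a real deployment would
# list exactly the hosts it operates.
SITE_ORIGIN = "https://www.bank.example"
ALLOWED_HOSTS = {"www.bank.example", "easyweb.bank.example"}


def unsafe_outbound(query_string: str) -> Tuple[int, Optional[str]]:
    """The behaviour the post describes: wherever RequestedPage points, go there."""
    params = parse_qs(query_string, keep_blank_values=True)
    return 302, params.get("RequestedPage", [""])[0]


def resolve_redirect(requested_page: str) -> Optional[str]:
    """Map a RequestedPage value to a URL the redirector may send the browser
    to, or return None if the request must be refused.

    Accepted: a site-relative path ("/infosite/rates.jsp") or an absolute
    http(s) URL whose host is on ALLOWED_HOSTS. Everything else is refused,
    including scheme-relative "//host" forms, bare host names such as
    "phishing.example/...", non-http schemes and userinfo tricks such as
    "https://www.bank.example@phishing.example/".
    """
    if not requested_page:
        return None
    target = requested_page.strip()
    # Whitespace or control characters inside the value indicate tampering.
    if any(ch <= " " for ch in target):
        return None
    # Site-relative path: exactly one leading slash. "//host" is scheme-relative
    # and "/\host" is treated the same way by some browsers, so reject both.
    if target.startswith("/"):
        if target.startswith("//") or target.startswith("/\\"):
            return None
        return SITE_ORIGIN + target
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return None          # also catches "phishing.example/..." (no scheme)
    if parts.username is not None or parts.password is not None:
        return None          # "user@host" forms disguise the real host
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return None
    # Always send the browser to the https form of the allowed host.
    return urlunsplit(("https", parts.netloc.lower(), parts.path or "/",
                       parts.query, parts.fragment))


def hardened_outbound(query_string: str) -> Tuple[int, Optional[str]]:
    """Servlet-style handler: 302 to a vetted target, 400 for anything else."""
    params = parse_qs(query_string, keep_blank_values=True)
    location = resolve_redirect(params.get("RequestedPage", [""])[0])
    if location is None:
        return 400, None
    return 302, location


if __name__ == "__main__":
    # Constructed query string with the same shape as the one in the post.
    q = "RequestedPage=phishing.example/urgent_verifying/update.inf"
    print(unsafe_outbound(q))      # (302, 'phishing.example/urgent_verifying/update.inf')
    print(hardened_outbound(q))    # (400, None)
    print(hardened_outbound("RequestedPage=/infosite/rates.jsp"))
```

Refusing with a 400 rather than falling back to the home page keeps the failure visible in server logs, which is where a defender would notice a campaign abusing the redirector in the first place.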

Date: Tuesday, 20 November 2007 03:02 pm (UTC)
From: [personal profile] chezmax
Yes, I *know* this is Phishing, but by providing this redirector servlet, you're making it EASIER for them to make legitimate looking emails, and this really should be escalated to the web development teams.

By using a servlet on TD Canada Trust's web site to redirect, it looks like it's really referring to the TD web site, removing a layer of security (for example, Thunderbird won't flag it as Phishing, since the URL looks legitimate.)

I would like some assurance that this will be looked into, as this is not just a problem with people Phishing, this is a problem with TD's website *enabling* phishers.

Please respond with a non-generic response that this serious security issue will be looked into. I know what phishing is, and I know that this issue will only make it easier for people to fall victim to this. You shouldn't enable them.

Thank you,
[name]
I did get a non-generic response!

Thank you for writing. As Sharla is currently out of the office, I'm happy to let you know that I've offered to respond to her incoming email.

I will forward your email to our Customer Care department, and they will ensure that your concerns are directed to a representative from the appropriate business area for further review and response. Please reply with your full name, address and telephone number as they appear on our systems so that I may forward your concern.

Thank you for your help. I await your response.

Best regards,

Jeff
Internet Correspondence Representative
Well, that's a little better...
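The letter above makes the point that the link slips past a mail client's checks because its visible host is the bank's own. The following is an added example, not part of the original thread or of any mail client, of the heuristic a mail filter or link scanner can apply to close that gap: if a link's query string carries another URL (with or without a scheme) whose domain differs from the link's own, the link is a redirector, and its visible host says nothing about where a click lands. The host names www.bank.example, easyweb.bank.example and phishing.example are constructed placeholders, and the base_domain helper is a two-label approximation rather than a public-suffix lookup.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# "host/..." with no scheme, e.g. "phishing.example/urgent_verifying/update.inf".
# The trailing "/" is required so a plain file name like "rates.jsp" is not
# mistaken for a host.
BARE_HOST_RE = re.compile(r"^([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::\d+)?/", re.I)


def embedded_host(value: str) -> Optional[str]:
    """Return the host a query-parameter value points at, if it looks like a URL."""
    # parse_qsl already decoded once; decoding again catches double-encoded values.
    value = unquote(value).strip()
    if "://" in value:
        # urlsplit handles "user@host" forms: hostname is the part after "@".
        return (urlsplit(value).hostname or "").lower() or None
    m = BARE_HOST_RE.match(value)
    return m.group(1).lower() if m else None


def base_domain(host: str) -> str:
    """Crude registrable-domain approximation (last two labels). Adequate for
    this demonstration; a production filter would use the public suffix list."""
    return ".".join(host.split(".")[-2:])


def foreign_targets(url: str) -> List[str]:
    """Hosts named inside the query string of `url` that belong to a different
    domain than the link itself. A non-empty result means the link is a
    redirector and the visible host is not where the click ends up."""
    parts = urlsplit(url)
    link_base = base_domain((parts.hostname or "").lower())
    found = set()
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        host = embedded_host(value)
        if host and base_domain(host) != link_base:
            found.add(host)
    return sorted(found)


def flag_links(urls: List[str]) -> List[Tuple[str, List[str]]]:
    """Run foreign_targets over a batch of links and keep only the hits."""
    hits = []
    for url in urls:
        hosts = foreign_targets(url)
        if hosts:
            hits.append((url, hosts))
    return hits


if __name__ == "__main__":
    # Constructed sample links; the first has the shape of the one in the post.
    sample = [
        "https://www.bank.example/servlet/infosite.servlet.OutBoundServlet"
        "?RequestedPage=phishing.example/urgent_verifying/update.inf",
        "https://www.bank.example/servlet/infosite.servlet.OutBoundServlet"
        "?RequestedPage=rates.jsp",
        "https://www.bank.example/go?to=https%3A%2F%2Feasyweb.bank.example%2Flogin",
    ]
    for url, hosts in flag_links(sample):
        print("redirector to", hosts, "->", url)
```

A hit does not prove the destination is malicious (a bank may legitimately redirect to a sibling domain), which is why the check compares domains rather than exact hosts and why it is a signal for a warning banner or a second look, not a hard block.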

Date: Tuesday, 20 November 2007 03:20 pm (UTC)
From: [identity profile] da-lj.livejournal.com
"Hello [me],

Thank you for your reply. As Sharla is currently out of the office, I will
respond on her behalf.

Thank you for taking the time to provide us with your feedback regarding
the TD Canada Trust web servers and the servlets allowing indiscriminate
redirections.

I will certainly forward your concern about the servlets to our EasyWeb
Support department for review. Please accept my apology for your concern
not being properly addressed.

Customer Service is the number one priority at TD Canada Trust. We are
always happy to receive feedback such as yours in order to provide a
comfortable banking experience for all of our customers.

I am pleased to advise you that I will forward a copy of your feedback to
the appropriate business area for consideration. Once again, thank you for
taking the time to contact us. It is only through client feedback such as
your own that we can improve the service we provide.

Warm regards,

Chris Reaburn
Internet Correspondence Representative"

Date: Monday, 19 November 2007 10:08 pm (UTC)
From: [personal profile] chezmax
That's awesome.

Date: Monday, 19 November 2007 10:05 pm (UTC)
From: [identity profile] secretsoflife.livejournal.com
seems to be fixed now.

Date: Monday, 19 November 2007 10:06 pm (UTC)
From: [identity profile] secretsoflife.livejournal.com
haha, so wrong. it's totally still working :s

Date: Monday, 19 November 2007 10:15 pm (UTC)
From: [identity profile] mynatt.livejournal.com
god, that's horrible! what idiots.

Date: Friday, 23 November 2007 10:08 pm (UTC)
From: [identity profile] da-lj.livejournal.com
Latest:
Thank you for contacting TD Canada Trust regarding the recent EasyWeb
security concern. As the person responsible to resolve this matter, I
apologize for the delayed response, however, I want to assure you we take
this matter extremely seriously. We have completed our investigation and
we have dedicated the appropriate resources to resolve it.

At TD Canada Trust, we take security very seriously and work vigilantly to
protect our systems and customer information. The EasyWeb Security
Guarantee is there to assist our customers in the unlikely event account
losses occur as a result of unauthorized online banking activity.

Daniel, thank you again for bringing this matter to our attention. We
value your feedback and appreciate the time you have taken to contact us.
If you have any further questions or concerns, please contact me directly.
Peter Prescott
Manager, Channel Operations
e.Bank, Internet Banking
TD Canada Trust

Date: Monday, 26 November 2007 01:28 am (UTC)
From: [identity profile] secretsoflife.livejournal.com
it's still broken :(

!Hello!

Date: Friday, 22 February 2008 06:57 pm (UTC)
From: (Anonymous)
Good site.

Page generated Thursday, 25 December 2025 09:48 pm
Powered by Dreamwidth Studios