phishing attempt: hey bank, don't help, OK?

[da]

I received a phishing email at work from my bank (TD) which used a url-redirector at THE REAL BANK'S WEBSITE to get to the fake site.

That is: www.tdcanadatrust·com/servlet/infosite.servlet.OutBoundServlet?RequestedPage=phishing·url/urgent_verifying/update.inf

Thunderbird didn't think it was phishing. The destination URL originally went to a copy of the bank's site; two hours later, it was deactivated by the host, and Firefox warns it is a phishing attempt.

The bank hasn't deactivated the redirector. I'm curious how long it will stay active. They should be pretty embarrassed; this isn't rocket-science, and there's no reason you should be able to pull crap like this.

Comments

[chezmax]

Yes, I *know* this is Phishing, but by providing this redirector servlet, you're making it EASIER for them to make legitimate looking emails, and this really should be escalated to the web development teams.

By using a servlet on TD Canada Trust's web site to redirect, it looks like it's really referring to the TD web site, removing a layer of security (for example, Thunderbird won't flag it as Phishing, since the URL looks legitimate.)

I would like some assurance that this will be looked into, as this is not just a problem with people Phishing, this is a problem with TD's website *enabling* phishers.

Please respond with a non-generic response that this serious security issue will be looked into. I know what phishing is, and I know that this issue will only make it easier for people to fall victim for this. You shouldn't enable them.

Thank you,
[name]

I did get a non-generic response!

Thank you for writing. As Sharla is currently out of the office, I'm happy to let you know that I've offered to respond to her incoming email.

I will forward your email to our Customer Care department, and they will ensure that your concerns are directed to a representative from the appropriate business area for further review and response. Please reply with your full name, address and telephone number as they appear on our systems so that I may forward your concern.

Thank you for your help. I await your response.

Best regards,

Jeff
Internet Correspondence Representative

Well, that's a little better...

[da-lj.livejournal.com]

"Hello [me],

Thank you for your reply. As Sharla is currently out of the office, I will
respond on her behalf.

Thank you for taking the time to provide us with your feedback regarding
the TD Canada Trust web servers and the servlets allowing indiscriminate
redirections.

I will certainly forward your concern about the servlets to our EasyWeb
Support department for review. Please accept my apology for your concern
not being properly addressed.

Customer Service is the number one priority at TD Canada Trust. We are
always happy to receive feedback such as yours in order to provide a
comfortable banking experience for all of our customers.

I am pleased to advise you that I will forward a copy of your feedback to
the appropriate business area for consideration. Once again, thank you for
taking the time to contact us. It is only through client feedback such as
your own that we can improve the service we provide.

Warm regards,

Chris Reaburn
Internet Correspondence Representative"