phishing attempt: hey bank, don't help, OK?

[da]

I received a phishing email at work from my bank (TD) which used a url-redirector at THE REAL BANK'S WEBSITE to get to the fake site.

That is: www.tdcanadatrust·com/servlet/infosite.servlet.OutBoundServlet?RequestedPage=phishing·url/urgent_verifying/update.inf

Thunderbird didn't think it was phishing. The destination URL originally went to a copy of the bank's site; two hours later, it was deactivated by the host, and Firefox warns it is a phishing attempt.

The bank hasn't deactivated the redirector. I'm curious how long it will stay active. They should be pretty embarrassed; this isn't rocket-science, and there's no reason you should be able to pull crap like this.

Comments

[da-lj.livejournal.com]

"Hello [me],

Thank you for your reply. As Sharla is currently out of the office, I will
respond on her behalf.

Thank you for taking the time to provide us with your feedback regarding
the TD Canada Trust web servers and the servlets allowing indiscriminate
redirections.

I will certainly forward your concern about the servlets to our EasyWeb
Support department for review. Please accept my apology for your concern
not being properly addressed.

Customer Service is the number one priority at TD Canada Trust. We are
always happy to receive feedback such as yours in order to provide a
comfortable banking experience for all of our customers.

I am pleased to advise you that I will forward a copy of your feedback to
the appropriate business area for consideration. Once again, thank you for
taking the time to contact us. It is only through client feedback such as
your own that we can improve the service we provide.

Warm regards,

Chris Reaburn
Internet Correspondence Representative"