Phishing for better URLs

I was surprised to notice the URL that CIBC is using for their online banking – it seems like great bait for a phishing attack.

[Screenshot, 1 October 2011: CIBC's online banking URL, www.cibconline.cibc.com]

Using a fourth-level domain, www.cibconline.cibc.com, instead of the simpler form, cibc.com or www.cibc.com, makes it really easy for the bad guys to fool people into clicking links that look like this:

[Screenshot, 1 October 2011: a look-alike link with the domain changed to cibccom.co]

Note that I changed the root domain in the URL from cibconline.cibc.com to cibccom.co – a fairly innocuous domain that is available for registration today, and therefore fair game for a bad guy to start using tomorrow.
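The check a user (or a link-scanning filter) really has to make is on the registrable domain, the part of the host that someone actually registered, and not on whether the brand name appears somewhere in the URL. The following is an added example, not code from the original post or from CIBC, that splits a URL into its host and registrable domain and flags look-alikes against cibc.com. It generalises a little beyond the post: besides the cibccom.co case it also catches the brand used as a subdomain of an attacker's domain and the `user@host` trick, where the real bank name appears before an `@`. The tiny suffix table is a constructed stand-in for the Public Suffix List, and the sample URLs are constructed for illustration.

```python
"""Added example: tell a bank's real domain apart from look-alike URLs.

Not from the original post. PUBLIC_SUFFIXES is a deliberately tiny,
hand-built stand-in for the Public Suffix List; a real tool would load
the full list.
"""
from urllib.parse import urlsplit

# Constructed, incomplete stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "co", "net", "org", "ca", "co.uk"}


def hostname(url: str) -> str:
    """Return the lowercase host of url, without userinfo or port.

    urlsplit() already strips anything before an '@' in the authority, so
    "https://www.cibc.com@cibccom.co/" yields "cibccom.co": the bank's name
    in front of the '@' is just a username the attacker chose.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host, e.g. 'cibc.com' for www.cibconline.cibc.com.

    Labels are scanned from the left, so the longest public suffix that
    matches (co.uk before uk) wins; the label just before it is the one
    somebody registered.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # Suffix not in our table: fall back to the last two labels.
    return ".".join(labels[-2:])


def classify(url: str, legit: str = "cibc.com") -> str:
    """Classify url as 'legit', 'lookalike' or 'unrelated' relative to legit.

    'lookalike' means the brand label of legit ("cibc") shows up somewhere in
    the host, but the registrable domain is not the bank's: cibccom.co,
    cibc.com.evil.co, secure-cibc.co and so on.
    """
    host = hostname(url)
    if registrable_domain(host) == legit:
        return "legit"
    brand = legit.split(".")[0]
    if brand in host.replace("-", ""):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links; the paths are illustrative only.
    samples = [
        "https://www.cibconline.cibc.com/login",      # the bank's real host
        "https://www.cibconline.cibccom.co/login",    # the post's look-alike
        "https://www.cibc.com@cibccom.co/login",      # bank name as userinfo
        "https://cibc.com.evil.co/login",             # bank domain as subdomain
        "https://example.org/",                       # nothing to do with the bank
    ]
    for url in samples:
        print(f"{classify(url):10} {registrable_domain(hostname(url)):15} {url}")
```

Only the registrable domain ever tells the user who they are talking to; everything to its left (www.cibconline) is chosen by whoever owns that domain, which is exactly why a long hostname hands a phisher so much room to work with.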

It is trivial nowadays to show users friendly URLs, no matter how complicated your backend is. I’d really love to see CIBC use something like this:

[Screenshot, 1 October 2011: the shorter, friendlier URL the author would like CIBC to use]

While it won't completely solve the phishing problem, it would make their banking app a little friendlier and make it easier for an average user to tell a fake URL from a bad guy apart from the real one from their bank.