Indeed, I think this is a modified CSRF attack. Someone can put the login link into an invisible iframe on any website, which can not only destroy someone's access to his or her account but also prompt unsuspecting newbies to deposit to a public account.