- Attackers exploited a flaw in Robinhood account creation emails to inject phishing content.
- Fake warnings from [email protected] redirected victims to credential theft landing pages.
- The vulnerability has been fixed and no customer accounts or funds have been compromised.
Cybercriminals are abusing Robinhood to successfully send phishing emails to victims’ inboxes in an attempt to steal login credentials, experts have warned.
Robinhood is a popular electronic trading platform best known for allowing users to buy and sell cryptocurrencies, ETFs and futures, but some of its users recently started receiving emails warning them of unusual login activity.
Such warnings are common practice: when someone suddenly logs into an account from a different IP address halfway around the world, the service sends the owner a warning email. These messages, however, were fake.
Exploiting a loophole
The emails originated from the legitimate Robinhood email account [email protected] and, as such, passed SPF and DKIM email security checks – but they redirected recipients to a malicious landing page designed to capture their platform login credentials.
Apparently, the Robinhood account creation process was flawed. When a user creates a new account, the platform sends a confirmation email with details such as registration time, IP address, device information, and approximate location. The flaw allowed scammers to modify the device metadata field so that it included embedded HTML, which Robinhood did not sanitize.
This HTML code, which contained the actual content of the phishing email, was injected into the Device: field of the account creation email, making the email appear as a warning message.
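The flaw described above comes down to placing an untrusted field into an HTML email body without output encoding. The Python sketch below is an added example, not Robinhood's code: the template, field names, length limit and sample values are assumptions constructed for illustration. It shows the unsafe rendering beside an escaped one, plus a simple signup-time check.

```python
import html
import re

# Hypothetical confirmation-email template; the fields follow the article's list.
TEMPLATE = (
    "<p>Your account was created.</p>\n<ul>\n"
    "<li>Time: {time}</li>\n<li>IP address: {ip}</li>\n"
    "<li>Device: {device}</li>\n<li>Location: {location}</li>\n</ul>"
)
MAX_FIELD_LEN = 120  # assumed cap; a device label never needs more
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
TAG_LIKE = re.compile(r"<\s*/?\s*[a-zA-Z!]")


def render_unsafe(fields):
    """The flawed pattern: client-supplied metadata goes into the HTML as-is."""
    return TEMPLATE.format(**fields)


def clean_field(value):
    """Strip control characters, cap the raw length, then HTML-escape."""
    value = CONTROL_CHARS.sub(" ", str(value))[:MAX_FIELD_LEN]
    return html.escape(value, quote=True)


def render_safe(fields):
    """Escape every field at output time so any markup is displayed as text."""
    return TEMPLATE.format(**{k: clean_field(v) for k, v in fields.items()})


def contains_markup(value):
    """Signup-time check: flag metadata holding tag-like content for review."""
    return bool(TAG_LIKE.search(str(value)))


# Constructed sample: a "device" value carrying markup instead of a device name.
SAMPLE = {
    "time": "2025-01-01 12:00 UTC",
    "ip": "203.0.113.7",
    "device": 'Chrome on Windows</li></ul><h2>Unusual login</h2>'
              '<a href="https://example.invalid/">Review</a>',
    "location": "Springfield",
}

if __name__ == "__main__":
    print("flagged at signup:", contains_markup(SAMPLE["device"]))
    print(render_unsafe(SAMPLE))  # the injected heading and link become live HTML
    print(render_safe(SAMPLE))    # the same input is shown as inert text
```

Because the message really is sent by the legitimate sender's infrastructure, SPF and DKIM cannot catch this; the fix has to be encoding or rejecting the field before the email is built.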
The final step was to use a mailing list to distribute the emails to victims. BleepingComputer believes the email addresses were most likely obtained in previous breaches, possibly in the November 2021 Robinhood breach.
“On Sunday evening, some customers received a spoofed email from [email protected] with the subject line ‘Your recent login to Robinhood,'” the company warned on
The vulnerability has since been fixed and the landing page used to capture emails is now offline.




