- Attackers exploited a flaw in Robinhood’s account creation emails to inject phishing content
- Fake alerts from [email protected] redirected victims to credential-stealing landing pages
- The vulnerability has been fixed and no customer accounts or funds were compromised
Cybercriminals are misusing Robinhood to successfully land phishing emails in victims’ inboxes in an attempt to steal login credentials, experts have warned.
Robinhood is a popular electronic trading platform, best known for allowing users to buy and sell crypto, ETFs and futures, but some of its users have recently started receiving emails warning them of unusual login activity.
This is standard practice: when someone from an IP address half the world away suddenly logs into an account, the service sends the owner a warning email – however, in this case the messages were fake.
Exploits a bug
The emails originated from Robinhood’s legitimate email account [email protected], and as such passed SPF and DKIM email security checks – but redirected recipients to a malicious landing page designed to capture their login credentials for the platform.
Robinhood’s account creation process was apparently flawed. When a user creates a new account, the platform sends a confirmation email with details such as registration time, IP address, device information and approximate location. The flaw allowed the crooks to modify the device metadata field and include embedded HTML that Robinhood did not sanitize before rendering it into the email.
The HTML containing the actual phishing email content was injected into the Entity: field of the account creation email, making the email appear as a warning message.
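The rendering flaw described above, as an added illustration (not Robinhood’s own code; the template, field names and the sample device string are assumed): an account-creation notice that interpolates a user-influenced metadata field straight into HTML, beside a hardened version that escapes it and a pre-send check that flags markup in free-text fields.

```python
import html
import re

# Constructed attacker-supplied "device" value (hypothetical, not from the incident):
# the free-text field closes the template's paragraph and appends a fake alert.
TAINTED_DEVICE = (
    "Chrome on Windows</p>"
    "<h2>Unusual login to your account</h2>"
    '<p><a href="https://phish.example.invalid/login">Review this login</a></p><p>'
)
CLEAN_DEVICE = "Chrome on Windows"


def render_unsafe(device: str, ip: str) -> str:
    """Vulnerable pattern: the metadata field is interpolated into HTML as-is,
    so any markup in it becomes part of a legitimately sent, SPF/DKIM-passing email."""
    return f"<p>New account created from {device} ({ip}).</p>"


def sanitize_field(value: str, max_len: int = 80) -> str:
    """Normalize a free-text metadata field before it reaches the template:
    drop control characters, cap the length, then HTML-escape it."""
    value = re.sub(r"[\x00-\x1f\x7f]", "", value)[:max_len]
    return html.escape(value, quote=True)


def render_safe(device: str, ip: str) -> str:
    """Hardened version: every user-influenced value is escaped, so the same
    input renders as literal text instead of markup."""
    return (
        f"<p>New account created from {sanitize_field(device)} "
        f"({sanitize_field(ip)}).</p>"
    )


def looks_like_markup(value: str) -> bool:
    """Pre-send guard for the mail pipeline: a device or location string has no
    business containing tags, so refuse (or alert on) anything that does."""
    return re.search(r"</?[A-Za-z!]", value) is not None
```

Escaping at the template boundary is the fix; the `looks_like_markup` check is a cheap extra signal for logging and alerting on attempts, not a replacement for escaping.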
The final step was to distribute the emails to victims using an email list. Bleeping Computer believes the addresses were most likely obtained in previous breaches, possibly the November 2021 Robinhood breach.
“On Sunday evening, some customers received a spoofed email from [email protected] with the subject line ‘Your latest login to Robinhood.’,” the company warned on X. “This phishing attempt was made possible by an abuse of the account creation process. It was not a breach of our systems or customer accounts, and personal information and money were not affected.”
The vulnerability has since been patched, and the landing page used to capture login credentials is now offline.