- Attackers exploited a flaw in Robinhood account creation emails to inject phishing content
- Fake [email protected] warnings redirected victims to credential theft landing pages
- The vulnerability has been fixed and no customer accounts or funds were compromised.
Experts have warned that cybercriminals are abusing Robinhood to deliver phishing emails to victims' inboxes in an attempt to steal login credentials.
Robinhood is a popular e-commerce platform, best known for allowing users to buy and sell cryptocurrencies, ETFs, and futures, but some of its users recently started receiving emails warning them about unusual login activity.
Such warnings are standard practice: when someone logs into an account from a different IP address on the other side of the world, the service sends the owner a warning email. However, these messages were fake.
Exploiting a flaw
The emails originated from Robinhood’s legitimate email account, [email protected], and as such passed SPF and DKIM email security checks, but redirected recipients to a malicious landing page designed to capture their login credentials to the platform.
Apparently, Robinhood’s account creation process was flawed. When a user creates a new account, the platform sends a confirmation email with details such as registration time, IP address, device information, and approximate location. The flaw allowed criminals to modify the device’s metadata field and include embedded HTML, which Robinhood did not sanitize.
That HTML, which contained the actual content of the phishing email, was injected into the Device: field of the account creation email, making the email look like a warning message.
The last step was to use an email list to distribute the emails to victims. BleepingComputer believes the email addresses were likely obtained in previous breaches, possibly from the November 2021 Robinhood breach.
“On Sunday evening, some customers received a spoofed email from [email protected] with the subject ‘Your recent Robinhood login,'” the company warned on
The vulnerability has since been fixed and the landing page used to capture emails is now offline.
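The Device: field injection described above comes down to interpolating client-supplied metadata into an HTML email body without escaping it. The following is an added example, not Robinhood's code: the template, function names, length cap and sample values are assumptions made for illustration, and it shows the flawed rendering beside a hardened one plus a simple check for markup in metadata.

```python
import html
import re

# Hypothetical template; only the field names come from the article.
TEMPLATE = (
    "<p>Your account was created.</p>"
    "<ul><li>Time: {time}</li><li>IP address: {ip}</li>"
    "<li>Device: {device}</li><li>Location: {location}</li></ul>"
)

MAX_FIELD_LEN = 120  # assumed cap; a genuine device string is short
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def render_unsafe(fields):
    """Flawed pattern: client-supplied values enter the HTML body as-is."""
    return TEMPLATE.format(**fields)


def clean_field(value):
    """Treat metadata as text: strip control chars, cap length, then escape."""
    text = _CONTROL.sub(" ", str(value))[:MAX_FIELD_LEN]
    return html.escape(text, quote=True)


def render_safe(fields):
    """Hardened pattern: every interpolated value is escaped at output time."""
    return TEMPLATE.format(**{k: clean_field(v) for k, v in fields.items()})


def contains_markup(value):
    """Detection aid: flag metadata that carries tag-like content."""
    return bool(re.search(r"<\s*/?\s*[a-zA-Z!]", str(value)))


# Constructed sample input, not taken from the real campaign.
SAMPLE = {
    "time": "2025-01-01 00:00 UTC",
    "ip": "203.0.113.7",
    "device": 'Phone</li></ul><h2>Notice</h2><a href="https://example.invalid/">Review</a>',
    "location": "Unknown",
}

if __name__ == "__main__":
    print(render_unsafe(SAMPLE))   # injected heading and link render as HTML
    print(render_safe(SAMPLE))     # same input appears as inert text
    print(contains_markup(SAMPLE["device"]))
```

Because the message is sent by the legitimate domain, SPF and DKIM still pass on the unsafe output; only output escaping (or rejecting markup at registration) stops the injected content from rendering.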




