- Attackers exploited a flaw in Robinhood’s account creation emails to inject phishing content
- Fake warnings from noreply@robinhood.com redirected victims to credential‑stealing landing pages
- The vulnerability has been fixed, and no customer accounts or funds were compromised
Cybercriminals are abusing Robinhood to successfully land phishing emails into victim’s inboxes in a bid to steal login credentials, experts have warned.
Robinhood is a popular electronic trading platform, best known for allowing users to buy and sell crypto, ETFs, and Futures, but some of its users recently started getting emails warning them about unusual login activity.
This is standard practice, as when someone from a different IP address half across the world suddenly logs into an account, the service sends the owner a warning email – however these messages were fake.
Article continues below
Exploiting a flaw
The emails did originate from Robinhood’s legitimate email account noreply@robinhood.com, and as such did pass SPF and DKIM email security checks – but they redirected recipients to a malicious landing page designed to capture their login credentials for the platform.
Apparently, Robinhood’s account creation process was flawed. When a user creates a new account, the platform sends a confirmation email with details such as registration time, IP address, device information, and approximate location. The flaw allowed the crooks to modify the device metadata field and include embedded HTML, which Robinhood did not sanitize.
That HTML, which contained the actual phishing email content, was injected into the Device: field of the account creation email, making the email seem as a warning message.
The final step is using an email list to distribute the emails to the victims. BleepingComputer believes the emails were most likely obtained in previous breaches, possibly from the November 2021 Robinhood breach.
“On Sunday evening, some customers received a falsified email from noreply@robinhood.com with the subject line ‘Your recent login to Robinhood.’,” the company warned on X. “This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted.”
The vulnerability has since been addressed, and the landing page used to capture emails is now offline.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/Uwew2kT96kWHNFmgsGti9f-1436-80.jpg
Source link
