Online trading platform Robinhood's account creation process was exploited by threat actors to inject phishing messages into legitimate emails, tricking customers into believing their accounts had seen suspicious activity.
Starting last night, Robinhood customers began receiving “Your recent login to Robinhood” emails stating that an “Unrecognized Device Linked to Your Account” was detected, containing unusual IP addresses and partial phone numbers.
“We detected a login attempt from a device that is not recognized,” reads the phishing email. “If this was not you, please review your account activity immediately to secure your account.”
Included in the email was a button titled “Review Activity Now”, which led to a phishing site at robinhood[.]casevaultreview[.]com, which is now down.
However, screenshots on Reddit indicate that the site was likely used to try to steal Robinhood credentials.
What made the emails convincing is that they came from the legitimate Robinhood email address noreply@robinhood.com and passed SPF and DKIM email authentication checks. Because the messages were genuinely generated and sent by Robinhood's own mail infrastructure, sender authentication offered no protection: the problem was the content, not the sender.
Exploiting the Robinhood account creation onboarding flaw
Attackers abused Robinhood to generate phishing emails by exploiting a flaw in the company's onboarding process that allowed them to inject arbitrary HTML into its account confirmation emails.
BleepingComputer confirmed that when a new Robinhood account is registered, the company automatically sends a “Your recent login to Robinhood” email to the associated address, containing the registration time, IP address, device information, and approximate location.
To inject the phishing message, threat actors modified their device metadata fields to include embedded HTML, which Robinhood did not properly sanitize before rendering it into the email body.
This HTML was then injected into the Device: field of the account creation email, causing it to render as a fake “Unrecognized Device Linked to Your Account” message.
To target Robinhood customers, attackers likely used lists of known customer email addresses from previous data breaches. In November 2021, Robinhood suffered a data breach impacting 7 million customers, with the data later offered for sale on a hacking forum.
The attackers also used Gmail's dot aliasing behavior, where adding periods to an address does not change its destination, allowing them to register accounts using variations of real email addresses that the signup system treated as distinct, while the resulting messages were still delivered to the intended recipients.
As a result, recipients received what appeared to be a standard login alert, but with an embedded phishing component warning of “unrecognized activity” and urging them to review their account.
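The two mechanisms above, an unescaped metadata field rendered into an HTML email and Gmail dot aliasing used to register many accounts against one real mailbox, are shown below in an added Python example. This is not Robinhood's code: the email template, the field names other than Device:, the sample values and the attacker-controlled host are all constructed for illustration, and the address canonicalization also folds Gmail `+tag` suffixes, which the article does not mention but which deliver to the same mailbox in the same way.

```python
"""Added example (not Robinhood's code): how an unescaped metadata field turns a
login-alert email into a phishing lure, how escaping at render time stops it,
and how canonicalising Gmail addresses exposes the dot-alias registration trick.
All template text, field names (except Device:), sample data and hostnames
below are constructed for illustration."""

import html
import re

# Constructed template for a transactional "recent login" email. The article
# reports that the abused field was the Device: line; the rest is assumed.
LOGIN_ALERT_TEMPLATE = (
    "<p>Your recent login to Robinhood</p>\n"
    "<ul>\n"
    "  <li>Time: {time}</li>\n"
    "  <li>IP address: {ip}</li>\n"
    "  <li>Device: {device}</li>\n"
    "  <li>Location: {location}</li>\n"
    "</ul>\n"
)

# Constructed attacker input: instead of a device name, the field carries HTML
# that renders as a warning box with a link to an attacker-controlled host
# (placeholder domain, not the one seen in the campaign).
MALICIOUS_DEVICE = (
    "<b>Unrecognized Device Linked to Your Account</b>"
    "<p>We detected a login attempt from a device that is not recognized.</p>"
    '<a href="https://attacker.example/review">Review Activity Now</a>'
)

SAMPLE_FIELDS = {
    "time": "2024-01-01 02:15 UTC",  # constructed
    "ip": "203.0.113.7",             # RFC 5737 documentation address
    "device": MALICIOUS_DEVICE,
    "location": "Unknown",
}


def render_vulnerable(fields: dict) -> str:
    """Interpolate user-controlled strings straight into the HTML body.
    This is the flaw class the article describes: markup inside a metadata
    field is rendered by the recipient's mail client as part of the email."""
    return LOGIN_ALERT_TEMPLATE.format(**fields)


def render_hardened(fields: dict) -> str:
    """Escape every interpolated value so the template is the only source of
    markup. html.escape(quote=True) neutralises <, >, &, " and '."""
    return LOGIN_ALERT_TEMPLATE.format(
        **{k: html.escape(str(v), quote=True) for k, v in fields.items()}
    )


def anchors_in(rendered: str) -> list[str]:
    """Return href targets of any <a> tags in rendered HTML. A login alert
    built from the template above should never contain one."""
    return re.findall(r'<a\s+href="([^"]*)"', rendered)


def is_plausible_device(value: str, max_len: int = 256) -> bool:
    """Defence in depth at intake: a device/user-agent string has no business
    containing angle brackets or running to hundreds of characters. Reject it
    rather than store it and rely on output escaping alone."""
    return len(value) <= max_len and "<" not in value and ">" not in value


def canonical_email(addr: str) -> str:
    """Collapse the forms that deliver to one Gmail mailbox: dots in the local
    part are ignored and a +tag suffix is dropped (googlemail.com is the same
    service). Other domains are only lower-cased, since their rules differ."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_alias_clusters(addresses: list[str]) -> dict[str, list[str]]:
    """Group registration addresses by canonical form. A cluster with more
    than one member is the same real mailbox being signed up repeatedly,
    the pattern the article describes."""
    clusters: dict[str, list[str]] = {}
    for a in addresses:
        clusters.setdefault(canonical_email(a), []).append(a)
    return {k: v for k, v in clusters.items() if len(v) > 1}


if __name__ == "__main__":
    print("--- vulnerable ---\n" + render_vulnerable(SAMPLE_FIELDS))
    print("--- hardened ---\n" + render_hardened(SAMPLE_FIELDS))
    print(find_alias_clusters([
        "jane.doe@gmail.com", "j.ane.doe@gmail.com",
        "janedoe+rh@gmail.com", "someone@example.org",
    ]))
```

The escaping fix is the minimum; removing the field entirely, as the article reports Robinhood did, is the simpler option when the data adds little for the recipient. Enforcing uniqueness on the canonical address at signup, or rate-limiting confirmations per canonical mailbox, closes the dot-alias side independently of how the email is rendered.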
Robinhood confirmed the incident in a statement posted to X.
“On Sunday night, some customers received a falsified email from noreply@robinhood.com with the subject line ‘Your recent login to Robinhood.’,” posted Robinhood.
“This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted.”
BleepingComputer has confirmed that Robinhood has fixed this flaw by removing the previously abused Device: field from its account creation emails.
Robinhood advises users who received the message to delete it and avoid clicking any links.