Robinhood account creation error exploited to send phishing emails

Online trading platform Robinhood’s account creation process was abused by malicious actors to insert phishing messages into legitimate emails, tricking users into believing their accounts had suspicious activity.
Starting last night, Robinhood customers began receiving “Your recent login to Robinhood” emails stating that “An Unknown Device Connected to Your Account” had been detected, containing unfamiliar IP addresses and partial phone numbers.
“We detected an attempt to log into an unknown device,” the phishing email read. “If this was not you, please update your account activity immediately to protect your account.”
Included in the email was a button titled “Review Job Now”, which led to the phishing site robinhood[.]casevaultreview[.]com, which is now offline.
However, screenshots posted on Reddit show that the site may have been used to try to steal Robinhood login credentials.
What makes the emails credible is that they come from the official Robinhood address noreply@robinhood.com and pass SPF and DKIM email authentication checks.
Abusing the Robinhood account creation flaw
Attackers turned Robinhood into a phishing-email generator by exploiting a flaw in the company’s onboarding process that allowed them to inject arbitrary HTML into its account verification emails.
BleepingComputer confirmed that when a new Robinhood account is registered, the company automatically sends a “Your recent login to Robinhood” email to the associated address, containing the registration time, IP address, device information, and approximate location.
To insert the phishing message, the threat actors modified their device’s metadata fields to include HTML, which Robinhood did not sanitize properly.
This HTML was then inserted into the Device: field of the account creation email, causing it to render as a fake “Unknown Device Connected to Your Account” message.
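The defect described above is a classic output-encoding failure: a user-controlled string (the device label) is interpolated into an HTML email body without escaping. The following is an added illustration, not Robinhood’s code; the email template, field names and sample registration records are constructed for the example. It renders the same record through a vulnerable template and through a hardened one, and includes a small check a defender can run on inbound registration data to flag fields that carry markup at all.

```python
import html
import re

# Constructed sample registrations, shaped the way a login-notification
# template might see them. The second record carries markup in the device
# field, which is the class of input the article describes (placeholder
# markup only; the real messages impersonated a security warning).
SAMPLE_REGISTRATIONS = [
    {"device": "Chrome on Windows", "ip": "203.0.113.7", "location": "Denver, CO"},
    {
        "device": '<b>TEST MARKUP</b><a href="https://example.invalid/">link</a>',
        "ip": "203.0.113.8",
        "location": "Denver, CO",
    },
]

# Assumed template; the real email layout is not on the page.
TEMPLATE = """<p>Your recent login to Robinhood</p>
<ul>
  <li>Device: {device}</li>
  <li>IP address: {ip}</li>
  <li>Location: {location}</li>
</ul>"""

TAG_RE = re.compile(r"<[^>]+>")


def render_vulnerable(reg):
    """Interpolates user-controlled fields straight into HTML (the defect)."""
    return TEMPLATE.format(**reg)


def render_hardened(reg):
    """Escapes every user-controlled field before it reaches the template."""
    escaped = {k: html.escape(str(v), quote=True) for k, v in reg.items()}
    return TEMPLATE.format(**escaped)


def contains_markup(value):
    """Input-side check: does a metadata field contain anything tag-like?"""
    return bool(TAG_RE.search(value))


def rendered_tags(html_text):
    """Tags present in the output that are not part of the template, i.e.
    tags that arrived through a data field."""
    template_tags = set(TAG_RE.findall(TEMPLATE))
    return [t for t in TAG_RE.findall(html_text) if t not in template_tags]


if __name__ == "__main__":
    for reg in SAMPLE_REGISTRATIONS:
        print("markup in device field:", contains_markup(reg["device"]))
        print("injected tags (vulnerable):", rendered_tags(render_vulnerable(reg)))
        print("injected tags (hardened):  ", rendered_tags(render_hardened(reg)))
```

The fix is escaping at the point of output, not input filtering alone: `render_hardened` neutralizes the markup regardless of where the field came from, while `contains_markup` is only useful as a detection signal (a device label that contains `<` is a strong indicator of abuse of the signup flow and worth alerting on).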
To target Robinhood customers, the attackers may have used lists of customer email addresses from previous data breaches. In November 2021, Robinhood suffered a data breach affecting 7 million customers, and the data was later offered for sale on a hacking forum.
The attackers also abused Gmail’s dot-insensitivity, where adding periods to the local part of an address does not change its destination, allowing them to register multiple accounts with variants of the same real email address while still delivering every message to the intended recipient.
As a result, recipients received what looked like a normal login notification, but with an embedded phishing warning about an “unknown device” urging them to update their account.
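Because Gmail ignores dots in the local part, a uniqueness check on the raw address string lets one mailbox be registered many times. The following added example (not Robinhood’s code; the signup list is constructed) canonicalizes addresses the way Gmail treats them and counts how many signups collapse onto one mailbox, which is the signal a signup-abuse detector would key on. It also folds the `+tag` suffix, which Gmail likewise ignores; non-Gmail domains are left as-is because dots are significant there.

```python
from collections import Counter

# Domains known to ignore dots and +suffixes in the local part.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed signup list: four spellings of one Gmail mailbox plus two
# genuinely distinct non-Gmail addresses.
SAMPLE_SIGNUPS = [
    "jane.doe@gmail.com",
    "ja.ne.doe@gmail.com",
    "janedoe@googlemail.com",
    "Jane.Doe+promo@gmail.com",
    "bob@example.com",
    "b.ob@example.com",
]


def canonical_email(address):
    """Returns the mailbox an address actually delivers to, as far as the
    provider's known aliasing rules go."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"  # googlemail.com delivers to the same mailbox
    return f"{local}@{domain}"


def find_address_reuse(signups, threshold=3):
    """Canonical addresses registered at least `threshold` times."""
    counts = Counter(canonical_email(a) for a in signups)
    return {addr: n for addr, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for addr in SAMPLE_SIGNUPS:
        print(f"{addr:28} -> {canonical_email(addr)}")
    print("reused mailboxes:", find_address_reuse(SAMPLE_SIGNUPS))
```

Enforcing uniqueness (or rate limits) on the canonical form rather than the raw string closes the mass-registration angle for Gmail recipients; the raw address should still be stored and used for delivery.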
Robinhood confirmed the incident in a statement posted to X.
“On Sunday evening, some customers received a bogus email from noreply@robinhood.com with the subject line ‘Your latest login to Robinhood.’,” Robinhood wrote.
“This phishing attempt was made possible by the abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and finances were not compromised.”
BleepingComputer has confirmed that Robinhood has fixed the bug by removing the Device: field that was previously abused in account creation emails.
Robinhood advises users who received the message to delete it and avoid clicking on any links.