Attackers exploited a flaw in Robinhood's account creation process to inject phishing messages into legitimate account confirmation emails, tricking customers into believing suspicious activity occurred on their accounts. The emails originated from the official Robinhood address noreply@robinhood.com and passed standard email security checks, making them highly convincing. Threat actors modified device metadata fields during new account registration to include embedded HTML that Robinhood failed to sanitize, which then rendered fake "Unrecognized Device Linked to Your Account" warnings within the Device field of legitimate emails.
The phishing messages contained buttons redirecting to fraudulent sites designed to steal Robinhood credentials, one such domain being robinhood[.]casevaultreview[.]com. Attackers used email address lists likely sourced from Robinhood's 2021 data breach affecting 7 million customers, combined with Gmail's dot aliasing, which let them register many address variations that all deliver to the same real recipient. Robinhood confirmed the incident was an abuse of the account creation flow rather than a breach of its systems, stating customer funds and personal information were not impacted.
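To make the two mechanics above concrete, here is an added example (not Robinhood's code; the template, field names, placeholder link and sample addresses are all constructed): a transactional-email template that interpolates the device field raw versus one that escapes it, a check that flags markup in a metadata field that should never contain any, and a Gmail dot-alias canonicaliser that lets a registration pipeline see many signups aimed at one mailbox.

```python
import html
import re

# Constructed device string of the kind the article describes: attacker-supplied
# metadata carrying HTML. The link target is a placeholder, not a real domain.
INJECTED_DEVICE = ('<b>Unrecognized Device Linked to Your Account</b> '
                   '<a href="https://phish.example/review">Review</a>')

# Hypothetical email template with a Device field, as in the article.
TEMPLATE = "<p>Your account was created on device: {device}</p>"

def render_unsafe(device: str) -> str:
    """Vulnerable pattern: user-controlled metadata placed into HTML mail verbatim."""
    return TEMPLATE.format(device=device)

def render_safe(device: str) -> str:
    """Hardened pattern: HTML-escape every user-supplied value before templating,
    so tags and attributes arrive as visible text instead of rendered markup."""
    return TEMPLATE.format(device=html.escape(device, quote=True))

# A device name ("iPhone 15 (iOS 17)") never legitimately contains tags or entities.
MARKUP_RE = re.compile(r"<[^>]+>|&#?\w+;")

def looks_like_markup(value: str) -> bool:
    """Validation / detection: reject or alert on metadata fields containing markup."""
    return bool(MARKUP_RE.search(value))

def canonical_gmail(address: str) -> str:
    """Collapse Gmail dot aliases (and +tags) so j.o.hn@gmail.com and john@gmail.com
    are counted as one mailbox; other domains are only lowercased and trimmed."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"

def registrations_per_mailbox(addresses):
    """Count signups per canonical mailbox; a high count against one recipient is
    the mass-registration pattern the article describes."""
    counts = {}
    for addr in addresses:
        key = canonical_gmail(addr)
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Rate-limiting or blocking registrations once `registrations_per_mailbox` exceeds a small threshold for one canonical address would have cut the delivery side of the campaign even before the field was removed.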
The company has since fixed the flaw by removing the Device field from account creation emails. Affected customers are advised to delete the messages and avoid clicking any embedded links. Robinhood posted confirmation of the incident on X, noting that the phishing attempt occurred on Sunday evening. No customer accounts or funds were compromised during the attack.
