Robinhood account flaw exploited in phishing email attacks

Summary
– Threat actors exploited a flaw in Robinhood’s account creation process to inject phishing messages into legitimate emails from noreply@robinhood.com.
– The phishing emails passed SPF and DKIM security checks and appeared as standard login alerts, warning of an “Unrecognized Device Linked to Your Account.”
– Attackers injected malicious HTML into the device metadata field during account registration, which Robinhood failed to sanitize, creating fake warnings.
– The phishing site at robinhood[.]casevaultreview[.]com attempted to steal credentials, and attackers used Gmail’s dot aliasing to target known email addresses from a 2021 data breach.
– Robinhood confirmed the incident was an abuse of the account creation flow, not a system breach, and has since fixed the flaw by removing the vulnerable Device field.
Online trading platform Robinhood was targeted in a sophisticated phishing attack that exploited a flaw in its account setup process, allowing attackers to embed malicious messages inside legitimate emails. The scheme tricked users into believing their accounts had been compromised, all while the emails passed critical security checks.
Beginning Sunday evening, Robinhood customers reported receiving emails with the subject line “Your recent login to Robinhood.” These messages claimed that an “Unrecognized Device Linked to Your Account” had been detected, listing unusual IP addresses and partial phone numbers. The email warned: “We detected a login attempt from a device that is not recognized. If this was not you, please review your account activity immediately to secure your account.”
Each email contained a button labeled “Review Activity Now,” which directed users to a phishing site at robinhood[.]casevaultreview[.]com. That site is now offline, but screenshots shared on Reddit suggest it was designed to steal Robinhood login credentials.
What made these emails particularly dangerous was that they came from the authentic Robinhood address noreply@robinhood.com and passed both SPF and DKIM email authentication checks. This gave recipients little reason to doubt their legitimacy.
The attack worked by exploiting a vulnerability in Robinhood’s account creation onboarding flow. When a new account is registered, Robinhood automatically sends a confirmation email containing the registration time, IP address, device information, and approximate location. Attackers discovered they could modify the device metadata fields to include raw HTML, which Robinhood failed to sanitize properly. That HTML was then injected into the “Device:” field of the email, rendering as a fake warning about an unrecognized device.
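The root cause described above is a classic template-injection defect: a user-supplied value is interpolated into an HTML email body without escaping. The following added example (written for this page, not Robinhood's or BleepingComputer's code) shows the vulnerable pattern next to the hardened one, plus an outbound guard that flags a rendered body containing more tags than the template itself. The template, the field names and the hostile device string are all constructed for illustration.

```python
import html
import re

# Constructed sample of the kind of value an attacker could place in a
# free-text "device" field at registration. Illustrative only; it is not the
# payload from the incident.
HOSTILE_DEVICE = (
    '<b>Unrecognized Device Linked to Your Account</b>'
    '<a href="https://example.invalid/review">Review Activity Now</a>'
)

# Assumed stand-in for a registration-confirmation template (not the real one).
TEMPLATE = (
    "<p>A new account was created.</p>\n"
    "<ul>\n"
    "<li>Time: {time}</li>\n"
    "<li>IP address: {ip}</li>\n"
    "<li>Device: {device}</li>\n"
    "<li>Location: {location}</li>\n"
    "</ul>"
)

# Constructed registration data; every value here is attacker-influenced in a
# real signup flow, so all of them must be treated as untrusted.
SAMPLE_FIELDS = {
    "time": "2024-01-01 20:15 UTC",
    "ip": "203.0.113.7",
    "device": HOSTILE_DEVICE,
    "location": "Example City",
}

TAG_RE = re.compile(r"<[a-zA-Z/][^>]*>")


def render_unsafe(fields: dict) -> str:
    """Vulnerable pattern: values are dropped into the HTML body verbatim, so
    any markup the user typed renders for the recipient."""
    return TEMPLATE.format(**fields)


def render_safe(fields: dict) -> str:
    """Hardened pattern: HTML-escape every untrusted value (including quotes)
    before interpolation, so markup arrives as literal text."""
    escaped = {k: html.escape(str(v), quote=True) for k, v in fields.items()}
    return TEMPLATE.format(**escaped)


def has_extra_tags(rendered: str, template: str = TEMPLATE) -> bool:
    """Last-line guard for the outbound mail pipeline: a correctly rendered body
    contains exactly the tags the template contains. Any surplus tag means
    something untrusted was rendered as markup and the message should be
    held rather than sent."""
    return len(TAG_RE.findall(rendered)) != len(TAG_RE.findall(template))


if __name__ == "__main__":
    print("unsafe flagged:", has_extra_tags(render_unsafe(SAMPLE_FIELDS)))
    print("safe flagged:  ", has_extra_tags(render_safe(SAMPLE_FIELDS)))
```

Escaping at render time is the fix; the tag-count guard is a cheap independent check that would have caught this specific failure (an unsanitized field producing extra tags) even if one template path forgot to escape.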
To target existing Robinhood customers, the attackers likely used email addresses obtained from previous data breaches. Notably, Robinhood suffered a data breach in November 2021 that affected 7 million customers, with the stolen data later appearing for sale on a hacking forum.
The attackers also leveraged Gmail’s dot aliasing feature, where adding periods to an email address does not change its delivery destination. This allowed them to register accounts using variations of real customer addresses while still having the phishing emails land in the intended inboxes.
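Because Gmail delivers dotted variants of a local part to the same mailbox, a signup system that compares addresses byte-for-byte cannot see that many "new" registrations resolve to one existing customer's inbox. This added example (not code from the page or from Robinhood) canonicalizes addresses before comparison so such registrations can be surfaced for review or rate-limiting. It goes slightly beyond the article by also collapsing Gmail's `+tag` suffixes and the `googlemail.com` alias domain, which are documented Gmail behaviours; the customer and signup lists are constructed samples.

```python
# Domains that Gmail treats as one mailbox namespace (known Gmail behaviour).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a delivery-equivalent canonical form of an address.

    For Gmail, dots in the local part are ignored on delivery and anything
    after '+' is a tag that is dropped, so both are removed. For other
    domains only case is normalized; we assume nothing about their local-part
    rules and leave them intact apart from lower-casing.
    """
    local, _, domain = address.strip().rpartition("@")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local.lower()}@{domain}"


def find_alias_signups(new_signups, existing_customers):
    """Map each new signup whose canonical address matches an existing
    customer to that customer's stored address, so the registration can be
    reviewed instead of silently creating a second account that emails the
    same inbox."""
    index = {canonical_email(addr): addr for addr in existing_customers}
    hits = {}
    for signup in new_signups:
        canon = canonical_email(signup)
        if canon in index:
            hits[signup] = index[canon]
    return hits


# Constructed sample data for the demonstration.
SAMPLE_CUSTOMERS = ["jane.doe@gmail.com", "first.last@example.com"]
SAMPLE_SIGNUPS = [
    "j.a.n.e.doe@gmail.com",       # dot variant of an existing customer
    "JaneDoe+alert@gmail.com",     # plus-tag variant of the same inbox
    "other@example.com",           # unrelated address
    "First.Last+new@example.com",  # tag on a non-Gmail domain: not collapsed
]

if __name__ == "__main__":
    for signup, customer in find_alias_signups(SAMPLE_SIGNUPS, SAMPLE_CUSTOMERS).items():
        print(f"{signup} -> existing customer {customer}")
```

The canonical form is a comparison key only; the address as the user entered it should still be what the system stores and mails.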
Robinhood confirmed the incident in a statement posted to X. “On Sunday evening, some customers received a falsified email from noreply@robinhood.com with the subject line ‘Your recent login to Robinhood,’” the company wrote. “This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted.”
BleepingComputer has confirmed that Robinhood has since fixed the flaw by removing the “Device:” field from its account creation emails. The company advises anyone who received the suspicious message to delete it and avoid clicking any links.
(Source: BleepingComputer)