Hackers exploit Robinhood account creation tool to launch worrying phishing scam

[Image: Robinhood trading app (Image credit: Robinhood)]

  • Attackers exploited a flaw in Robinhood’s account creation emails to inject phishing content
  • Fake warnings from noreply@robinhood.com redirected victims to credential‑stealing landing pages
  • The vulnerability has been fixed, and no customer accounts or funds were compromised

Cybercriminals are abusing Robinhood to land phishing emails in victims’ inboxes in a bid to steal login credentials, experts have warned.

Robinhood is a popular electronic trading platform, best known for allowing users to buy and sell crypto, ETFs, and futures, but some of its users recently started receiving emails warning them about unusual login activity.

This is standard practice: when someone from a different IP address halfway across the world suddenly logs into an account, the service sends the owner a warning email. These messages, however, were fake.


Exploiting a flaw

The emails did originate from Robinhood’s legitimate sending address, noreply@robinhood.com, and so passed SPF and DKIM email security checks, but they redirected recipients to a malicious landing page designed to capture their login credentials for the platform.

Apparently, Robinhood’s account creation process was flawed. When a user creates a new account, the platform sends a confirmation email with details such as registration time, IP address, device information, and approximate location. The flaw allowed the crooks to modify the device metadata field and include embedded HTML, which Robinhood did not sanitize.

That HTML, which contained the actual phishing email content, was injected into the Device: field of the account creation email, making the message look like a login warning.
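The injection path described above, as an added example that is not Robinhood’s code: a transactional email template that interpolates a caller-supplied device string raw (the flawed pattern), the same template with every untrusted field HTML-escaped, and a simple check a registration pipeline could run to flag device metadata that carries markup. The template, field names and sample device string are constructed for illustration.

```python
import html
import re

# Constructed sample: a device string that smuggles HTML into the email body.
# Illustrative only; not the actual content used in the Robinhood campaign.
CONSTRUCTED_DEVICE = (
    'Chrome on Windows<br><b>Unusual login detected.</b> '
    '<a href="https://example.invalid/verify">Verify now</a>'
)
LEGIT_DEVICE = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"

# Hypothetical account-creation email template (plain str.format placeholders).
TEMPLATE = (
    "<p>A new Robinhood account was created.</p>"
    "<p>Time: {time}<br>IP: {ip}<br>Device: {device}<br>Location: {location}</p>"
)

def render_vulnerable(time, ip, device, location):
    """Flawed pattern: raw interpolation, so any HTML in `device` is rendered."""
    return TEMPLATE.format(time=time, ip=ip, device=device, location=location)

def render_hardened(time, ip, device, location):
    """Escape every untrusted field so it is shown as literal text, not markup."""
    fields = {"time": time, "ip": ip, "device": device, "location": location}
    safe = {k: html.escape(str(v), quote=True) for k, v in fields.items()}
    return TEMPLATE.format(**safe)

# Device/User-Agent strings never legitimately contain HTML tags.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def looks_injected(device):
    """Detection check for a registration pipeline: flag markup in device metadata."""
    return TAG_RE.search(device) is not None
```

Escaping at the template boundary is the fix; the `looks_injected` check is a cheap signal for alerting on abuse of the signup flow, not a substitute for escaping.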

The final step was distributing the emails to victims using an email list. BleepingComputer believes the addresses were most likely obtained in previous breaches, possibly the November 2021 Robinhood breach.

"On Sunday evening, some customers received a falsified email from noreply@robinhood.com with the subject line 'Your recent login to Robinhood.'," the company warned on X. "This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted."

The vulnerability has since been addressed, and the landing page used to capture emails is now offline.





Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
