Investing and trading platform Robinhood has confirmed that cybercriminals exploited a vulnerability in its account creation process to send out legitimate-looking phishing emails.
Many Robinhood users reported receiving suspicious emails over the weekend and an analysis revealed that they were sent out as part of a phishing campaign.
According to the company, the emails came from ‘noreply@robinhood.com’ and had the subject line ‘Your recent login to Robinhood’.
“This phishing attempt was made possible by an abuse of the account creation flow,” Robinhood explained. “It was not a breach of our systems or customer accounts, and personal information and funds were not impacted.”
Experts who analyzed the phishing emails said the attackers created new Robinhood accounts using modified versions of existing Gmail addresses via the so-called ‘dot trick’.
Specifically, they leveraged the fact that Gmail ignores periods inserted into or removed from a username, whereas Robinhood treats each variation as distinct, allowing the attackers to create a new account that Gmail would point to an existing account.
During signup, the attackers injected malicious HTML code containing phishing links into device name fields.
The hackers’ actions triggered legitimate ‘recent login’ notification emails from Robinhood, which rendered the unsanitized HTML and embedded clickable phishing links.
The emails passed all authentication checks since they originated from Robinhood’s own systems, making them highly convincing.
Robinhood suffered a data breach back in 2021 and the attackers stole millions of names and email addresses. This phishing attack may have leveraged email addresses stolen at the time, or the attackers may have used externally sourced or guessed Gmail addresses.
Related: Security Firm Executive Targeted in Sophisticated Phishing Attack
Related: Tycoon 2FA Loses Phishing Kit Crown Amid Surge in Attacks
Related: Germany Suspects Russia Is Behind Signal Phishing That Targeted Top Officials
