Robinhood Phishing Scam Targeting Customers
Recently, online trading platform Robinhood fell victim to a sophisticated phishing scam that exploited its account creation process. Threat actors managed to inject phishing messages into legitimate emails, deceiving users into believing that their accounts were compromised.
Reports started surfacing as Robinhood customers received emails with the subject line “Your recent login to Robinhood,” claiming that an “Unrecognized Device Linked to Your Account” had been detected. These emails contained alarming details such as unusual IP addresses and partial phone numbers.
The phishing email stated, “We detected a login attempt from a device that is not recognized. If this was not you, please review your account activity immediately to secure your account.”
The email included a button labeled “Review Activity Now,” which directed users to a phishing site at robinhood[.]casevaultreview[.]com. Although the site is now offline, screenshots indicate that it was designed to steal Robinhood credentials.
What made this scam particularly convincing was that the emails appeared to originate from the legitimate Robinhood email address noreply@robinhood.com and passed SPF and DKIM email security checks.
Exploiting a Flaw in Robinhood’s Account Creation Process
The attackers exploited a flaw in Robinhood’s account creation onboarding process to have the company’s own mail infrastructure send the phishing emails. They were able to inject arbitrary HTML into the account confirmation emails, which is why the messages came from a genuine sender and passed authentication checks.
When a new Robinhood account is registered, the company automatically sends a “Your recent login to Robinhood” email to the associated address, detailing registration time, IP address, device information, and approximate location.
By modifying their device metadata fields to include embedded HTML, threat actors were able to inject the phishing message into the account creation email. Robinhood did not escape or sanitize this field before rendering it into the email body, so the injected markup was displayed as a fake “Unrecognized Device Linked to Your Account” message.
Attackers likely obtained customer email addresses from previous data breaches, such as the one that impacted 7 million Robinhood customers in November 2021. They also exploited Gmail’s dot aliasing behavior to register accounts using variations of real email addresses.
Robinhood has since addressed this flaw by removing the abused “Device:” field from its account creation emails. The company advises users who received the phishing message to delete it and refrain from clicking any links.
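The injection described above, as an added example that is not Robinhood’s code: a constructed login-notification template rendered once with verbatim interpolation (the flaw) and once with HTML escaping (the fix), plus a release check that flags any tag the template itself does not emit. The template text, field names, and the sample device string are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed template modelled on the "Your recent login" email the article
# describes; Robinhood's real template is not public (assumption).
TEMPLATE = (
    "<p>Your recent login to Robinhood</p>"
    "<ul><li>Time: {time}</li><li>IP: {ip}</li>"
    "<li>Device: {device}</li><li>Location: {location}</li></ul>"
)
TEMPLATE_TAGS = frozenset({"p", "ul", "li"})  # the only tags the template emits

# Constructed attacker-controlled device string carrying embedded HTML.
INJECTED_DEVICE = (
    'Chrome on Windows<br><b>Unrecognized Device Linked to Your Account</b>'
    '<a href="https://phish.example/review">Review Activity Now</a>'
)
SAMPLE_FIELDS = {
    "time": "2024-01-01 12:00 UTC",
    "ip": "203.0.113.5",  # documentation-range address, constructed
    "device": INJECTED_DEVICE,
    "location": "Somewhere, US",
}


def render_vulnerable(fields: dict) -> str:
    """Interpolates user-controlled metadata verbatim: HTML injection."""
    return TEMPLATE.format(**fields)


def render_hardened(fields: dict) -> str:
    """Escapes every untrusted field before it reaches the HTML body."""
    safe = {k: html.escape(str(v), quote=True) for k, v in fields.items()}
    return TEMPLATE.format(**safe)


class _TagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def unexpected_tags(rendered: str, allowed=TEMPLATE_TAGS) -> list[str]:
    """Release gate: any start tag not in the template's own set means a field
    was rendered unescaped. Escaped text (&lt;b&gt;) is not parsed as a tag."""
    collector = _TagCollector()
    collector.feed(rendered)
    return [t for t in collector.tags if t not in allowed]
```

Running `unexpected_tags` over a rendered notification in a pre-send test catches this class of bug regardless of which field an attacker targets.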