Robinhood account creation flaw abused to send phishing emails

Threat actors exploited a flaw in Robinhood's account creation emails to inject HTML that rendered convincing "Unrecognized Device" phishing alerts inside legitimate [email protected] messages. The embedded link led to a phishing site (robinhood.casevaultreview.com). The attackers used breached email lists and Gmail dot aliasing to target real customers; Robinhood has since removed the vulnerable Device field and advised users to delete the messages. #Robinhood #CaseVaultReview

Key points

  • Attackers injected arbitrary HTML into the Device field of Robinhood account creation emails.
  • The phishing messages were sent from [email protected] and passed SPF and DKIM checks, making them appear legitimate.
  • The malicious “Review Activity Now” button led to robinhood.casevaultreview.com, a site used to harvest credentials.
  • Attackers likely used previously breached email lists and Gmail dot aliasing to register accounts and deliver the phishing emails.
  • Robinhood confirmed the issue, removed the abused Device field from emails, and urged recipients to delete the fraudulent messages.
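The flaw class described above is a user-controlled field (here, a device name) interpolated verbatim into an HTML email template. The following is an added example, not Robinhood's code: the template, field name, and sample inputs are hypothetical and constructed. It contrasts unsafe interpolation with an escaped, allow-listed render, and adds a Gmail dot-alias canonicalisation that lets a signup pipeline spot many registrations collapsing onto one mailbox.

```python
import html
import re

# Hypothetical transactional-email template (constructed; not Robinhood's).
# The {device} slot is filled from a field the registering user controls.
TEMPLATE = (
    "<p>Welcome! An account was created from device: "
    "<strong>{device}</strong></p>"
)


def render_unsafe(device: str) -> str:
    """Interpolate the field verbatim: any markup in it is rendered by the mail client."""
    return TEMPLATE.format(device=device)


def render_safe(device: str) -> str:
    """Escape the field so markup is displayed as literal text instead of rendered."""
    return TEMPLATE.format(device=html.escape(device, quote=True))


# Allow-list for plausible device names: letters, digits, space, and a few punctuation marks.
_DEVICE_RE = re.compile(r"^[A-Za-z0-9 ._()\-]{1,64}$")


def validate_device(device: str) -> bool:
    """Reject the value before it reaches the template if it is not a plausible device name."""
    return bool(_DEVICE_RE.fullmatch(device))


def canonical_email(address: str) -> str:
    """Collapse Gmail dot and plus aliases onto one identity; leave other domains untouched."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def count_identities(addresses):
    """Count registrations per canonical mailbox, the signal a signup rate limiter would key on."""
    counts = {}
    for addr in addresses:
        key = canonical_email(addr)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: a device name carrying markup.
    sample = "iPhone<b>x</b>"
    print(render_unsafe(sample))   # markup survives into the email body
    print(render_safe(sample))     # markup is neutralised
    print(validate_device(sample), validate_device("iPhone 14 Pro"))

    # Constructed signups: three dot-alias variants of one Gmail mailbox plus one other address.
    signups = ["j.doe@gmail.com", "jd.oe@gmail.com", "jdoe@gmail.com", "someone@example.com"]
    print(count_identities(signups))
```

Escaping at the template layer is the fix that removes the injection regardless of what upstream validation misses; the allow-list is defence in depth, and the canonical-identity count is the kind of abuse signal that makes bulk registration against a breached address list visible.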

Read More: https://www.bleepingcomputer.com/news/security/robinhood-account-creation-flaw-abused-to-send-phishing-emails/