Ex-Ripple CTO Raises Alarm Over Phishing Scheme Targeting Robinhood Clients

Phishing Attack Targeting Robinhood Users

David Schwartz, the former Chief Technology Officer of Ripple, has raised alarms concerning a concentrated phishing attack that is targeting users of Robinhood. This malicious effort emerges just before the company’s upcoming earnings report, utilizing emails that convincingly mimic communications from Robinhood itself.

Deceptive Emails Bypass Security Measures

Schwartz emphasized that these deceptive emails successfully pass various authentication measures including SPF, DKIM, and DMARC, making them seem credible to recipients.

“CAUTION: Any emails you receive that look like they come from Robinhood (even if they’re from their email infrastructure) are phishing scams,” Schwartz warned in a recent X post.

The emails in question reportedly contain login alerts that disclose the time of the login attempt, the device used, and a case ID, which is accompanied by a call-to-action prompting users to “Review Activity Now.” Despite the official branding and format, these messages contain buttons that trigger a phishing process aimed at harvesting user login information.

Advanced Phishing Techniques

Schwartz speculates that the emails might have been surreptitiously introduced into Robinhood’s email framework, describing the tactic as particularly sophisticated and deceptive. By passing standard security checks, these messages could easily mislead users into trusting them.

Furthermore, insights from cybersecurity expert Abdel Sabbah elaborate on a potential method used by attackers, which involves manipulating Gmail’s “dot trick.” This technique allows hackers to generate multiple variations of a Robinhood email address, creating an account linked to a device name that harbors malicious HTML code. According to Sabbah, Robinhood’s email system fails to sanitize this field properly, allowing the harmful HTML to be rendered in what appear to be legitimate emails sent from support@robinhood.com. This leads to authenticated messages that, despite their outward legitimacy, contain harmful payloads.
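The two defensive controls this description points to, as an added example that is not code from Robinhood or from the article's sources: escaping a user-controlled device name before it reaches an HTML email, and collapsing Gmail address variants to one key at signup. The template, field names and sample values are assumptions constructed for illustration, and the address normalization also covers `+tag` suffixes and `googlemail.com`, which goes beyond the dot variants mentioned above.

```python
import html
import re

# Hypothetical login-alert template; the field names are assumptions for this example.
TEMPLATE = (
    "<p>New login to your account</p>"
    "<p>Device: {device}</p>"
    "<p>Time: {time}</p>"
    "<p>Case ID: {case_id}</p>"
)

def render_unsafe(device, time, case_id):
    """Failure mode: the user-controlled device name is placed in the HTML as-is."""
    return TEMPLATE.format(device=device, time=time, case_id=case_id)

def render_safe(device, time, case_id):
    """Escape every interpolated value so any markup in it is displayed as text."""
    # Drop control characters and cap the length before escaping.
    clean = re.sub(r"[\x00-\x1f\x7f]", "", device)[:64]
    return TEMPLATE.format(
        device=html.escape(clean, quote=True),
        time=html.escape(time, quote=True),
        case_id=html.escape(case_id, quote=True),
    )

def canonical_gmail(address):
    """Collapse Gmail dot and plus variants to one key for duplicate-signup checks."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        # Gmail ignores dots in the local part and anything after a '+'.
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

# Constructed sample input: a device name that carries markup (placeholder URL).
SAMPLE_DEVICE = 'Pixel 8</p><a href="https://example.invalid/">Review Activity Now</a><p>'

if __name__ == "__main__":
    print(render_unsafe(SAMPLE_DEVICE, "2024-01-01 10:00 UTC", "CASE-0001"))
    print(render_safe(SAMPLE_DEVICE, "2024-01-01 10:00 UTC", "CASE-0001"))
    print(canonical_gmail("j.ane.doe+x@googlemail.com"))
```

Because the injected content is sent by the legitimate mail system, SPF, DKIM and DMARC still pass; the output encoding in the template is the control that addresses this failure mode.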

Ongoing Threats in the Cryptocurrency Domain

Phishing schemes have been an ongoing threat within the cryptocurrency domain, with numerous reports of similar attacks targeting wallet services in recent days. For instance, a scam affecting MetaMask users involved phishing emails masquerading as two-factor authentication prompts. This scam, highlighted by the blockchain security firm SlowMist, utilized MetaMask’s branding paired with a countdown timer designed to pressure users into acting swiftly.

Victims who clicked on the “Enable 2FA Now” link were directed to a fraudulent site requesting their seed phrases, thereby granting attackers full access to their crypto assets. SlowMist also noted that such phishing attempts often rely on subtle discrepancies, like minor misspellings in domain names or peculiar sender addresses, to evade early detection.