
A new phishing campaign is targeting users of the fintech company Robinhood by sending them fraudulent emails from the company's real address. The emails bypassed Gmail's security checks and displayed the official "verified" sender mark, which made them hard to distinguish from legitimate company communications.
This time, criminals have managed to send legitimate-looking emails from the [email protected] address, while also bypassing all the usual security checks and even displaying the official "verified" sender mark in Gmail.
As is usual in phishing campaigns, the scammers try to create a sense of urgency. This time the pretext is "unrecognized activity" on the account: the email shows fake details such as suspicious logins from various devices and urges users to click the "Review Activity Now" button. Clicking the link directs the victim to a fake website designed to steal sensitive data such as login credentials. Some even called these messages "a perfect phishing email."
According to @rockkdev, chief technology officer of Cubby Law, an AI teaching assistant for law school, who was among the first to report the campaign, the criminals used the Gmail "dot trick."
Gmail treats addresses like [email protected] and [email protected] (the same local part with extra dots) as the same inbox. The scammers exploited this by creating new Robinhood accounts using dotted versions of victims' real email addresses. Robinhood's systems treated each dotted version as a separate account, so its genuine automated emails for those new accounts were delivered to the victim's real Gmail inbox.
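The mismatch described above (Gmail collapsing dotted addresses into one inbox while the signup flow treats them as distinct users) is what let the attackers obtain genuine emails addressed to victims. As an added example, not code from the article or from Robinhood, here is how an account creation flow can canonicalise Gmail addresses and check for an existing owner of the inbox before creating a second account; the domain set, account table and account ids are constructed for illustration.

```python
from typing import Dict, Optional

# Added example, not Robinhood's code: canonicalise email addresses so that
# dotted variants of one Gmail inbox map to one account record.

# Providers known to ignore dots in the local part (Gmail and its legacy alias).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a normalised lookup key for an email address.

    The domain is always lower-cased (domains are case-insensitive). For the
    Gmail domains the local part is also lower-cased and stripped of dots,
    because Gmail delivers j.ohn@gmail.com and john@gmail.com to one inbox.
    Other providers' local parts are left untouched.
    """
    local, sep, domain = address.strip().partition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % address)
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        domain = "gmail.com"                  # googlemail.com is the same service
        local = local.lower().replace(".", "")
    return "%s@%s" % (local, domain)


def same_inbox(a: str, b: str) -> bool:
    """True if both addresses would be delivered to the same inbox."""
    return canonical_email(a) == canonical_email(b)


def find_existing_account(new_address: str, accounts: Dict[str, str]) -> Optional[str]:
    """Check a signup address against accounts keyed by canonical email.

    Returns the id of the account that already owns the inbox, or None if
    the inbox is new. Running this check before sending any welcome or
    activity email stops a dotted variant from spawning a second account.
    """
    return accounts.get(canonical_email(new_address))


# Constructed sample data, not real accounts.
EXISTING_ACCOUNTS = {canonical_email("jane.doe@gmail.com"): "acct-1001"}

if __name__ == "__main__":
    for candidate in ("j.ane.doe@gmail.com", "JaneDoe@googlemail.com", "jane.doe@example.org"):
        owner = find_existing_account(candidate, EXISTING_ACCOUNTS)
        print(candidate, "->", owner or "new inbox")
```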
Robinhood has confirmed that its users are being targeted in this campaign.
"This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted," the company said in a post that still receives complaints from affected people.
Software engineer Vajid Kagdi pushed back, saying that the "not a breach" phrase misses the point, as attackers exploited a legitimate path in the company's system to execute phishing.
"If your own account creation flow can be abused to generate trusted phishing signals, that's a vulnerability in your system – not just 'abuse,'" he said. Others complained that if users cannot trust messages sent from the company's official email address, they cannot trust Robinhood at all.
At the time of writing, there were no reports of losses incurred by this phishing campaign.