Ripple’s CTO is flagging phishing emails targeting Robinhood users



Former Ripple chief technical officer David Schwartz warned that a targeted phishing campaign began exploiting Robinhood users through legitimate-looking emails ahead of the company’s earnings report.

Summary

  • David Schwartz has warned that phishing emails targeting Robinhood users are passing authentication checks and mimicking official alerts.
  • Attackers exploited email system vulnerabilities to embed malicious links within legitimate-looking messages sent from Robinhood’s infrastructure.

According to Schwartz, the attack involves emails that appear to originate from Robinhood’s own system, with authentication checks such as SPF, DKIM, and DMARC successfully passing, making the messages appear real to recipients.

“Warning: Any emails you receive that appear to be from Robinhood (and may in fact be from their email system) are phishing attempts,” he wrote in a post on X.

Details shared by Schwartz show that the emails contain a login alert listing the time, device, and state ID, along with a prompt urging users to “review activity now.” The message layout and branding mirror official communications; however, the embedded button is said to start a phishing flow designed to obtain the user’s credentials.

Explaining the unusual delivery method, Schwartz said he believed the emails “were somehow inserted into Robinhood’s actual email infrastructure,” and later described the exploit as “extremely deceptive.”

The ability to pass standard authentication tests increases the likelihood that users will trust the connection, he notes.

The exploit is related to tampering with the email system

An analysis from Abdul-Sabah that Schwartz pointed to describes a potential attack vector involving Gmail’s “dot trick,” which allows multiple variations of the same email address. Sabah said the attackers created a Robinhood account using such variations and set a custom device name containing malicious HTML code.

The Robinhood system, according to Sabah, does not sanitize this field, allowing the HTML payload to display within official emails sent from (email protected). The result is a fully authenticated message that appears legitimate but contains hidden malicious elements.
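The flaw described above, user-controlled text placed into an HTML email without encoding, is shown here beside an output-encoded version as an added example; it is not code from the article or from Robinhood. The template, URLs, function names and sample device name are constructed assumptions, and `canonical_gmail` goes slightly beyond the text by also folding plus-suffixes and the googlemail.com alias.

```python
import html
import re

# Hypothetical login-alert template; not Robinhood's actual markup.
TEMPLATE = ('<p>New login from device: {device}</p>'
            '<a href="{review_url}">Review activity now</a>')
REVIEW_URL = "https://app.example.invalid/activity"  # placeholder URL

def render_unsafe(device_name: str) -> str:
    """The 'before': the user-controlled field is pasted into HTML as-is."""
    return TEMPLATE.format(device=device_name, review_url=REVIEW_URL)

def render_safe(device_name: str) -> str:
    """The 'after': encode on output so markup in the field shows as text."""
    # Drop control characters and cap the length before encoding.
    cleaned = re.sub(r"[\x00-\x1f\x7f]", "", device_name)[:64]
    return TEMPLATE.format(device=html.escape(cleaned, quote=True),
                           review_url=REVIEW_URL)

def count_links(rendered: str) -> int:
    """Number of anchor tags a mail client would render as links."""
    return len(re.findall(r"<a\s", rendered, flags=re.IGNORECASE))

def canonical_gmail(address: str) -> str:
    """Collapse Gmail 'dot trick' variants to one key for duplicate checks."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

# Constructed sample input: a device name that carries its own link.
SAMPLE_DEVICE = ('Pixel</p><a href="https://phish.example.invalid">'
                 'Review activity now</a><p>')

if __name__ == "__main__":
    print(count_links(render_unsafe(SAMPLE_DEVICE)))  # 2: template link + injected link
    print(count_links(render_safe(SAMPLE_DEVICE)))    # 1: only the template link
    print(canonical_gmail("J.Doe@gmail.com"))         # jdoe@gmail.com
```

Because the injected markup travels inside a message the sender's own system signs, SPF, DKIM and DMARC cannot flag it; the encoding step at render time is the control that applies.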

Phishing scams continue to target cryptocurrency users

Phishing attacks continue to pose an ongoing risk to cryptocurrency users, with multiple campaigns reported across wallet platforms in recent days.

As previously reported by crypto.news, MetaMask users were targeted by a phishing campaign that promoted a fake two-factor authentication process, according to blockchain security firm SlowMist. The phishing emails used MetaMask branding and included a countdown timer designed to pressure users into taking immediate action.

Victims who clicked on the “Enable two-factor authentication now” prompt were redirected to a malicious website requesting their seed phrase, giving the attackers full access to the wallet funds, SlowMist said. The company noted that such campaigns often rely on small discrepancies, including misspelled domains and unusual sender addresses, to get past initial scrutiny.


