Robinhood Markets, Inc. is an American financial services company headquartered in Menlo Park, California, that facilitates commission-free trades of stocks, exchange-traded funds and cryptocurrencies via a mobile app introduced in March 2015.
During our PreCrime internet scout of September 20th 2022 we identified suspicious markers across multiple vectors. One of those was this website spoof that could be targeting unsuspecting Robinhood customers.
Cryptocurrency scamming is becoming increasingly popular with over 1 billion USD lost since the beginning of 2021 according to the Federal Trade Commission.
Stealing crypto is incredibly attractive to scammers since there is no bank or centralised authority involved that can flag suspicious transactions. Additionally, once a crypto transfer has taken place it cannot be reversed, meaning that once the money is gone you cannot get it back.
The Attack
Target: Robinhood customers and clients or generally people interested in cryptocurrency.
Possible threats:
- Credential harvesting and financial gain
- Cryptocurrency scam
After luring users to the site, they will be asked to expose their personal and financial information and to buy or trade cryptocurrency through a chat site; without the victim's knowledge, that money is sent to the threat actor and transferred into their online account.
Technical Breakdown
Threat Indicators
- Malicious domain impersonating Robinhood Markets, Inc.
- The malicious domain is still being prepared. Tracking the site over the last couple of days shows that the threat actor is most likely attempting a crypto scam.
- Newly registered site – September 18 2022
- MX record indicates domain may be part of a phishing campaign
- IP address has a lot of malicious traffic
Detection and Threat Analysis
The malicious domain, robihood-support.info has been targeting Robinhood Markets Inc., an American financial services company that facilitates commission-free trades of stocks, exchange-traded funds and cryptocurrencies via a mobile app introduced in March 2015. As of March 2022, Robinhood had 22.8 million funded accounts and 15.9 million monthly active users, and rolled out a cryptocurrency wallet to more than 2 million users in April 2022. The malicious domain was created September 18 2022 and detected by bfore.ai September 20 2022.
The malicious domain shows a replica of the original website.
- September 21st: The malicious website seems to be attempting to more closely replicate the original website; however, when visiting the malicious site it remains ‘unfinished’.
- September 22nd: The malicious site updated the contents on the page to include content more focused on cryptocurrency, with “Buy Crypto from Robinhood“ now visible on the first page and more information about cryptocurrency on the rest of the site. This indicates that the threat actor is attempting to steal users’ personal information and crypto wallets by promising to grow your money, but only if you buy cryptocurrency and transfer it into their online account. Most likely, if you create an account, the next time you log in you won’t be able to withdraw your money. Additionally, when clicking on any links on the main page, they redirect back to the main page, indicating that the site is still in the development phase.
- September 23rd: The site is developing further. While it looks the same as yesterday, the links on the page now direct to different pages; however, those pages remain unfinished. For example, when clicking on Invest, the webpage shows nothing but the title of the page, as seen in the screenshot below.
Additionally, clicking on ‘Get Started’ on the main page now directs the user to the following site:
Tawk.to is a live chat software designed to help businesses communicate with clients and website visitors to deliver customer support. The above tawk site is currently blank, but this is most likely where the threat actor intends to lure unknowing customers to invest or buy crypto for the threat actor’s personal gain.
- The domain has registered MX records, which give the threat actors the ability to accept email messages on behalf of the domain name. Additionally, it indicates that the threat actors may be setting up the domain to be part of a phishing campaign that leads to the malicious domain.
- The hosting IP address is associated with malicious traffic and with malicious .EXE, .RAR and .APK files, some last seen September 15 2022.
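The indicators above (a brand lookalike in the hostname, a lure word such as “support”, a registration date days before first observation, MX records, and a hosting IP with prior malicious traffic) can be turned into a repeatable scoring check. The script below is an added example written for this post, not Bfore.Ai’s PreCrime tooling or code from the report. It runs offline: the WHOIS creation date, MX presence and IP reputation for each domain are passed in as constructed facts (in practice these would come from WHOIS, DNS and a threat-intel feed), and the allowlist of legitimate brand domains is an assumption you would populate from the brand’s real properties.

```python
"""Added example (not from the Bfore.Ai report): score candidate domains
against the report's indicators. All inputs are constructed and supplied
inline so the script runs without network access."""
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

BRANDS = ("robinhood",)                       # brand names to protect
LURE_WORDS = ("support", "help", "login", "secure", "verify", "wallet")
KNOWN_GOOD = {"robinhood.com"}                # assumed allowlist of legitimate domains
NEW_DOMAIN_DAYS = 30                          # "newly registered" threshold (assumption)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character typosquats like robihood."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Lower-cased hostname from a URL or a bare hostname."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    return host.lower().rstrip(".")


def host_tokens(host: str) -> list:
    """Split labels on '.' and '-', dropping the TLD, e.g. robihood-support.info
    -> ['robihood', 'support']."""
    labels = host.split(".")
    body = labels[:-1] if len(labels) > 1 else labels
    return [t for label in body for t in label.split("-") if t]


@dataclass
class DomainFacts:
    host: str
    created: date        # WHOIS creation date
    has_mx: bool         # domain publishes MX records
    ip_malicious: bool   # hosting IP seen with malicious traffic
    observed: date       # date the domain was first seen by the scout


def lookalike_reasons(host: str) -> list:
    """Hostname-only indicators as (reason, weight) pairs."""
    reasons = []
    tokens = host_tokens(host)
    for brand in BRANDS:
        for tok in tokens:
            if tok == brand:
                reasons.append((f"brand token '{brand}' in hostname", 2))
            elif abs(len(tok) - len(brand)) <= 2 and 0 < levenshtein(tok, brand) <= 2:
                reasons.append((f"'{tok}' within edit distance 2 of '{brand}'", 2))
    if any(t in LURE_WORDS for t in tokens):
        reasons.append(("lure word in hostname", 1))
    return reasons


def assess(facts: DomainFacts) -> dict:
    """Combine hostname, registration-age, MX and IP indicators into a score."""
    if facts.host in KNOWN_GOOD:
        return {"host": facts.host, "score": 0, "verdict": "benign", "reasons": ["allowlisted"]}
    reasons = lookalike_reasons(facts.host)
    age = (facts.observed - facts.created).days
    if age <= NEW_DOMAIN_DAYS:
        reasons.append((f"registered {age} day(s) before observation", 2))
    if facts.has_mx:
        reasons.append(("MX record present: domain can receive mail", 1))
    if facts.ip_malicious:
        reasons.append(("hosting IP has prior malicious traffic", 2))
    score = sum(w for _, w in reasons)
    return {"host": facts.host, "score": score,
            "verdict": "suspicious" if score >= 4 else "low",
            "reasons": [r for r, _ in reasons]}


def demo() -> dict:
    """Constructed cases: the report's domain, the legitimate domain, and a
    neutral older domain. Dates for the latter two are made up for illustration."""
    cases = [
        DomainFacts(hostname_of("https://robihood-support.info/get-started"),
                    date(2022, 9, 18), True, True, date(2022, 9, 20)),
        DomainFacts("robinhood.com", date(2013, 1, 1), True, False, date(2022, 9, 20)),
        DomainFacts("example-investing.net", date(2019, 5, 4), True, False, date(2022, 9, 20)),
    ]
    return {f.host: assess(f) for f in cases}


if __name__ == "__main__":
    for host, result in demo().items():
        print(host, result["score"], result["verdict"], "; ".join(result["reasons"]))
```

The weights and the 30-day threshold are assumptions to tune against your own traffic; the point is that the report’s indicators compose, so a lookalike alone scores lower than a lookalike that is also days old, mail-capable and hosted on a known-bad IP.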
WhoIs Record
IP address
MX Record
How Bfore.Ai is protecting our customers
At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.
With more than 30K new malicious indicators per day, we have you covered no matter where the attack comes from. With only a 0.05% false positive rate, you can stop wasting time chasing false alerts. With our PreCrime and PreEmpt technologies, we measure how far ahead of an attack’s start we anticipate it, staying faster than the attackers.
Accepting that the only defense is good detection is accepting being a victim forever. We believe in prevention more than response. Visit our website for more information!
Bfore.Ai’s recommendations
Every day, adversarial tactics become more collaborative, technologically advanced, and rapid – and at this rate, you simply can’t afford to wait for the next attack before you react. Here are some recommendations from our team:
- Pay close attention to the URL
- Check connection security indicators (the lock)
- Read emails carefully
- Look for trust seals
Appendix
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client’s own compliance responsibilities. This report does not constitute a guarantee or assurance of Client’s compliance with any law, regulation or standard.