Recon Safari #4: Domains Riding the Robinhood Wave
During the past couple of weeks, the popular free financial trading app Robinhood made headlines for halting purchases of certain stocks.
This has resulted in a lot of bad publicity for the company. And because threat actors enjoy exploiting trending news topics to their advantage, we decided to look at newly registered Robinhood domains to see how they're being used.
We'll use the following tools:
These will allow us to investigate the WHOIS, DNS and other data points to spot any activity, malicious or otherwise.
Gathering/filtering the data
We used the SecurityTrails Feeds™ to fetch all newly registered domains for the period of January 22, 2021 – January 31, 2021. The spike in Robinhood-related news took place during this time, so we'll be focusing on attackers trying to exploit the headlines with new domains.
The limits of this investigation are:
- Old domains used by attackers won't be covered
- Domains using non-Latin characters or not having 'robinhood' in the domain name (in some form) are excluded
We filtered the available data and obtained a list of 251 domains, including:
robinhoodmerch.com
deleterobinhood.org
classactionlawsuitrobinhood.com
robinhoodboycott.com
iporobinhood.site
Investigating the domains
We can categorize the domains into the following broad categories:
- anti-robinhood
- class action / legal / lawyers
- competitor promotion
- e-commerce/merch sellers
- IPO
- other
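The filtering and bucketing described in this section, as an added Python example written for this edit (it is not code from the original article, from the SecurityTrails Feeds™ or from SurfaceBrowser™): a constructed sample of a newly-registered-domain feed is reduced to entries registered between January 22 and January 31, 2021 that contain "robinhood" and consist only of Latin (ASCII, non-punycode) labels, and the survivors are sorted into the broad categories listed above. The feed entries and the per-category keyword lists are assumptions made for the example; the real feed format and any production keyword list will differ.

```python
from datetime import date

# Constructed sample of a newly-registered-domain feed (not real feed data):
# one (domain, registration date) pair per entry.
SAMPLE_FEED = [
    ("robinhoodmerch.com", date(2021, 1, 29)),
    ("deleterobinhood.org", date(2021, 1, 28)),
    ("classactionlawsuitrobinhood.com", date(2021, 1, 30)),
    ("robinhoodboycott.com", date(2021, 1, 29)),
    ("iporobinhood.site", date(2021, 1, 31)),
    ("robinhood-alternatives.com", date(2021, 1, 30)),
    ("xn--robinhood-xyz.com", date(2021, 1, 30)),   # constructed punycode label: excluded
    ("robinhoodsignup.com", date(2020, 6, 1)),       # registered before the window: excluded
    ("unrelatedshop.com", date(2021, 1, 30)),        # brand string absent: excluded
]

# The investigation window used in the article.
WINDOW_START = date(2021, 1, 22)
WINDOW_END = date(2021, 1, 31)

# Keyword lists per category (an assumption for this example); first match wins.
CATEGORY_KEYWORDS = [
    ("anti-robinhood", ("delete", "boycott", "dump", "leave", "anti")),
    ("class action / legal / lawyers", ("classaction", "lawsuit", "legal", "justice", "losses")),
    ("competitor promotion", ("alternative", "competitor")),
    ("e-commerce/merch sellers", ("merch", "shop", "store")),
    ("IPO", ("ipo",)),
]


def is_latin(domain):
    """True when every label is plain ASCII and none is a punycode (xn--) label."""
    return domain.isascii() and not any(lbl.startswith("xn--") for lbl in domain.split("."))


def filter_brand_domains(feed, brand, start, end):
    """Domains registered within [start, end] whose name contains the brand string."""
    brand = brand.lower()
    return sorted(
        dom for dom, registered in feed
        if start <= registered <= end and brand in dom.lower() and is_latin(dom)
    )


def robinhood_hits(feed=SAMPLE_FEED):
    """Apply the article's filter (brand 'robinhood', Jan 22-31 2021) to a feed."""
    return filter_brand_domains(feed, "robinhood", WINDOW_START, WINDOW_END)


def categorize(domain):
    """Assign one of the article's broad categories from keywords in the registrable name."""
    name = domain.lower().rsplit(".", 1)[0]  # drop the TLD so '.site'/'.shop' TLDs don't match
    for category, keywords in CATEGORY_KEYWORDS:
        if any(k in name for k in keywords):
            return category
    return "other"


def categorize_all(domains):
    """Group domains by category, preserving input order within each bucket."""
    buckets = {}
    for dom in domains:
        buckets.setdefault(categorize(dom), []).append(dom)
    return buckets


if __name__ == "__main__":
    for category, doms in sorted(categorize_all(robinhood_hits()).items()):
        print(f"{category}: {', '.join(doms)}")
```

Keyword matching is deliberately done on the registrable name only, so a TLD such as .site or .shop never decides the category; anything that matches no list falls into "other", which mirrors the catch-all bucket above.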
Apart from these categories, most of the domains we found appeared to be squatting-like domains: parked landing pages showing only the registrar's name and ads. Here's an example:
1. Squatting
We took a sample of squatting domains registered at different registrars to see if we could find any interesting information.
Unfortunately, the domains at most registrars are protected with WHOIS privacy, and because they are parked domains, we can't infer anything from their DNS either.
2. Class-action
The class-action domains get more interesting. They point to legal firms, petitions and more.
justice4robinhood[.]com links to a website that explains to visitors that a law firm called "McDonald Worley" filed a lawsuit against Robinhood and other providers like TD Ameritrade and Charles Schwab. The WHOIS is once again protected (as seems to be the case for most of the domains registered during this time), but the hosting IP of the site is very useful: 184.168.131.241.
Contrary to our earlier expectation that we might not uncover older Robinhood domains, looking up this GoDaddy IP and the domains hosted on it helped us find a number of suspicious domains like:
robinhoodsignup.com
therobinhoodapp.com
The websites for these apps are the same and look like:
These look like possible phishing domains, and we found a number of them among the 300+ hosted on GoDaddy. We also found websites that look like this:
Domains running this type of site include:
robinhoodprofits.com
robinhoodincome.com
Another domain, robinhoodappclassaction[.]com, appears to be running on BlueHost (exposed via subdomains) but its site IP is behind CloudFlare.
Somebody even went as far as to register robinhoodclassact[.]com, which redirects to a subreddit.
Another domain getting in on the class-action is robinhood—classaction[.]com and the 2 law firms shown on the website are:
- Richard C. Dalton, LLC
- Kiesel Law, LLP
The DNS record for the above website points to a Google IP: 216.239.38.21.
What we uncovered here is yet another domain with a website that looks like this:
If there is a connection between the domains running these scam-like sites, they've covered their tracks well by using different registrars and hosts.
The domain robinhoodclassaction[.]attorney exposes us to one of the (presumably) many law firms vying to sue Robinhood. Our data reveals that the law firm behind this domain is Ghosheh Law Firm, LLC. Based on associated domains like:
thepersonalinjurylawyeratlanta.com
caraccidentattorney.lawyer
atlantainjurylawyer.attorney
This law firm appears to focus mostly on personal and auto injuries. They even managed to register a .info domain to protect the .attorney one above:
robinhoodclassaction.info
(They also squatted the .net, .online and .lawyer)
One of their other domains appears to be using incorrect WHOIS data. We never knew Goa (a city in India) was in the United States and even verified to make sure!
Based on the above scenario of personal injury lawyers registering class-action domains against Robinhood, the domain robinhoodclassaction2021[.]com has hidden WHOIS but is hosted on the same IP address as the personal injury law firm ngklawfirm.com.
This appears to be the only law firm hosted on this IP. While we cannot say with certainty that NGK owns the domain mentioned in the previous paragraph, it is theoretically possible based on precedent. The website is vague as to who is behind the class-action as well.
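The co-hosting pivot used throughout this section, as an added Python example written for this edit (not code from the article or from SurfaceBrowser™): given passive-DNS style A records, it lists the other domains resolving to a seed domain's IP, picks out the brand-themed neighbours worth a closer look, and weighs the pivot by how crowded the IP is, since co-location on a shared host with 300+ tenants says far less than sharing an IP with a single law firm. The records use RFC 5737 documentation addresses and constructed names, and the two thresholds are assumptions for the example, not values from the investigation.

```python
from collections import defaultdict

# Constructed passive-DNS style A records (domain -> IPv4) using RFC 5737 documentation
# addresses; none of these are the hosts or domains from the investigation.
SAMPLE_A_RECORDS = {
    # A brand-themed class-action site on a large shared-hosting IP ...
    "justice4example.com": "192.0.2.10",
    # ... which also hosts two other brand-themed names worth a closer look ...
    "examplesignup.com": "192.0.2.10",
    "theexampleapp.com": "192.0.2.10",
    # A second class-action site on an IP with a single neighbour, a law firm.
    "exampleclassaction2021.com": "198.51.100.7",
    "somelawfirm.test": "198.51.100.7",
    # A site alone on its IP: nothing to pivot on.
    "examplelosses.com": "203.0.113.9",
}
# Pad the shared host with hundreds of unrelated tenants, as shared hosting looks in practice.
SAMPLE_A_RECORDS.update({f"tenant{i:03d}.test": "192.0.2.10" for i in range(300)})

# Assumed thresholds for weighing a co-hosting pivot (not from the article).
SMALL_HOST_MAX = 10     # <= this many neighbours: sharing the IP is meaningful
SHARED_HOST_MIN = 100   # >= this many: mass shared hosting, co-location is weak evidence


def reverse_ip_index(records):
    """Invert domain -> IP into IP -> set of domains."""
    index = defaultdict(set)
    for domain, ip in records.items():
        index[ip].add(domain)
    return index


def cohosted(records, seed):
    """IP of the seed domain and the other domains resolving to it."""
    ip = records[seed]
    others = reverse_ip_index(records)[ip] - {seed}
    return ip, sorted(others)


def pivot_strength(n_cohosted):
    """How much weight co-location on this IP carries, judged by neighbour count."""
    if n_cohosted == 0:
        return "none"
    if n_cohosted <= SMALL_HOST_MAX:
        return "strong"
    if n_cohosted >= SHARED_HOST_MIN:
        return "weak"
    return "moderate"


def brand_neighbours(records, seed, brand):
    """Co-hosted domains whose registrable name carries the brand string: review candidates."""
    _, others = cohosted(records, seed)
    brand = brand.lower()
    return [d for d in others if brand in d.lower().rsplit(".", 1)[0]]


def pivot_report(records, seed, brand):
    """Summarise one pivot: IP, neighbour count, evidential weight, brand-themed neighbours."""
    ip, others = cohosted(records, seed)
    return {
        "ip": ip,
        "cohosted": len(others),
        "strength": pivot_strength(len(others)),
        "brand_neighbours": brand_neighbours(records, seed, brand),
    }


if __name__ == "__main__":
    for seed in ("justice4example.com", "exampleclassaction2021.com", "examplelosses.com"):
        print(seed, pivot_report(SAMPLE_A_RECORDS, seed, "example"))
```

The report separates two questions that are easy to conflate: which neighbours are interesting on their own merits (the brand filter), and how much the shared IP itself proves (the strength label). On a crowded shared host the neighbours are leads, not evidence of common ownership.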
Via the GoDaddy IP hosting another class-action domain, we also found a domain called robinhoodrobbery[.]com. Unlike many of the other domains, this one has been in existence since April 28, 2020.
Unlike most of these other domains, robinhoodlosses[.]com is at least transparent in that it is backed by the law firm Stein & Stein, P.A.
robinhoodclassactiongme[.]com left us quite a few breadcrumbs. The most important was their current hosting IP, which hosts only 5 domains:
We also found two more law firms via two more domains:
robinhoodmarketsclassaction.com – "The law office of Thomas L. Nummey"
therobinhoodclassaction.com – "De Silva Law Offices"
3. Competitor promotion
The domain dumprobinhood[.]com encourages visitors to leave Robinhood (and to give it one-star reviews) and suggests opting for the competitors Fidelity and Webull. We checked to see if they had affiliate links and found none. The IP hosting the domain also hosts robinhoodalternatives[.]com, suggesting that both might theoretically have the same owner (although the latter domain is currently blank).
Effrobinhood[.]com also promotes alternatives without affiliate links. While the WHOIS is hidden (like the bulk of domains), the site is open source and points to https://github.com/jaredpiedt as the main person behind it.
In the most blatant attempt to cash in on the anger, we found what we realistically were expecting to find with leaverobinhood[.]com: an affiliate redirect to Webull with the invite code inviteCode=hrF1gXGN7yn4.
In robinhood-alternatives[.]com we found the most obvious case yet for scammers. The IP hosting the site: 207.244.100.226 points to 390 or so scam domains like:
A further 2,200+ scam domains are found on the IP used for other subdomains on the site.
On the site itself, all Robinhood alternatives are linked to stock-trading-platform[.]info and not their actual websites. The IP hosting the site, 199.59.242.153, hosts over 2 million domains, including many Robinhood-related ones that we picked up during our initial scan:
robinhood.tw
robinhood.cloud
We checked this IP for any abuse reports on the IP reporting site Abuse IPDB:
https://www.abuseipdb.com/check/199.59.242.153
The IP, which belongs to Bodis LLC, appears to have only negative reports, covering various malicious activities.
robinhoodcompetitors[.]com gives us a 403 when attempting to analyse the site. The IP hosting the site strangely had subdomains like robinhoodcompetitors.oilthings.com.
Coincidence? We suspect it might have been a misconfiguration for the robinhoodcompetitors domain and that the domain possibly belongs to a "Christopher Painter" (who owns oilthings[.]com).
4. Merch sellers
By far the strangest thing we came across was the many merchandise sellers using Robinhood domains. These include:
antirobinhoodclub.com
fuck-robinhood.com (Shopify)
isurvivedrobinhood.com (Shopify)
We looked up the Shopify IPs hosting the latter stores and found a few more:
robinhood-co.com
sellrobinhood.com
fakrobinhood.com
The question of how legal this is will be left to the lawyers after they're done with their class-action lawsuits.
5. IPO
The most bizarre and/or interesting of the domains happens to be the IPO ones. Four of the websites look like so:
A major breadcrumb was left for us on ipo-robinhood.website:
The DNS IP revealed many similar domains:
It is possible that many of these domains are connected, as many of the domains have a "hood" and then "hoodd" version registered on different TLDs.
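The "hood" versus "hoodd" pattern noted above, as an added Python example written for this edit (not code from the article): it groups registrable names that differ only in doubled letters, so a spelling and its double-letter variant registered across several TLDs surface as one cluster, which is the kind of link a defender would want to see before deciding whether a set of domains shares an operator. The domain list is constructed for the example and is not the set of domains the article found.

```python
import itertools
from collections import defaultdict

# Constructed domain list in the pattern the IPO section describes: a "hood" spelling and
# a "hoodd" spelling registered across several TLDs (not the domains from the article).
SAMPLE_IPO_DOMAINS = [
    "ipo-robinhood.website",
    "ipo-robinhoodd.website",
    "ipo-robinhood.site",
    "ipo-robinhoodd.online",
    "robinhoodipo.com",
    "robinhooddipo.net",
    "robinhoodipo.info",
    "robinhoodmerch.com",      # no sibling spelling or TLD: must not form a cluster
]


def split_domain(domain):
    """Split into (registrable name, TLD). Assumes single-label public suffixes."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def collapse_runs(text):
    """Collapse each run of one repeated character to a single character ("hoodd" -> "hod")."""
    return "".join(ch for ch, _ in itertools.groupby(text))


def cluster_variants(domains):
    """Group domains whose names differ only in doubled letters; keep groups of 2+ domains.

    Returns {collapsed_key: {"domains": [...], "spellings": [...], "tlds": [...]}}.
    """
    groups = defaultdict(set)
    for dom in domains:
        groups[collapse_runs(split_domain(dom)[0])].add(dom)
    result = {}
    for key, members in groups.items():
        if len(members) < 2:
            continue
        result[key] = {
            "domains": sorted(members),
            "spellings": sorted({split_domain(d)[0] for d in members}),
            "tlds": sorted({split_domain(d)[1] for d in members}),
        }
    return result


def doubled_letter_pairs(domains):
    """Only the clusters holding two or more spellings (e.g. 'hood' and 'hoodd')."""
    return {k: v for k, v in cluster_variants(domains).items() if len(v["spellings"]) > 1}


if __name__ == "__main__":
    for key, info in sorted(doubled_letter_pairs(SAMPLE_IPO_DOMAINS).items()):
        print(f"{key}: spellings={info['spellings']} tlds={info['tlds']}")
```

Collapsing runs of repeated characters is a coarse normaliser: it also merges a name with a single-letter typo of a doubled letter ("robinhod"), which is usually wanted when hunting look-alikes, and the `spellings` list shows exactly which variants were merged so nothing is hidden.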
6. Other
Some of the other interesting domains we found were:
- robinhoodmemes[.]com – which appears to be some type of shop, possibly another merchandise shop for memes.
- robinhoodowesmemoney[.]com – this site appears to be asking people to donate money to them so that they can invest in stocks.
- robinhood-trade[.]com – an actual phishing/scam website, see below for the site screenshot and the (fake) WHOIS data.
- thxrobinhood.com – a site where you can purchase a note to send to Robinhood for $2.
- investigaterobinhood.com – a petition site asking you for your name, email and ZIP code with no indication of who they are and what they might do with your data.
Conclusion
The task of identifying possible scams and fraud has been made a bit tougher with the advent of WHOIS privacy protection. It's cheap enough (and sometimes even free) to help threat actors hide their tracks a bit better. And while we expect criminals to use fake data anyway, our past investigations into fake IRGC political domains show that fake data is more workable than complete WHOIS protection.
Even with the WHOIS protection limits, our powerful intelligence tool SurfaceBrowser™ enabled us to follow some of the trails left behind with its comprehensive domain, hosting, and DNS data.