
Callback phishing attacks abuse Shop order-tracking app

Summary

– Threat actors are inserting fake purchase receipts into the Shopify Shop app to trick users into providing sensitive data or installing remote access software.
– The scammers impersonate brands like Norton, McAfee, Apple, and PayPal, listing a phone number that connects to a fraudster posing as a support agent.
– Using social engineering, the scammer attempts to steal account credentials, payment card details, and OTPs, or trick victims into installing remote access software.
– This callback phishing method is more effective than email because users inherently trust the legitimate Shop app.
– Shopify has implemented new controls to reduce the fraudulent activity and advises users to avoid calling numbers in suspicious notifications and to verify charges with their bank.

Cybercriminals have found a new way to exploit trust in a popular shopping app. They are now using Shop, the order-tracking platform from Shopify, to plant fake purchase receipts directly into users’ order histories. The goal is to lure victims into handing over sensitive data or installing remote access software.

Shop acts as a digital shopping assistant, giving users a single hub to monitor deliveries from various online stores, view receipts, and track shipping updates. It also enables purchases from Shopify-powered merchants. The app enjoys strong popularity in North America, where its support and buying features are most developed. It has been downloaded over 50 million times on Google Play and holds 7 million ratings on Apple’s App Store.

Researchers at Gen Digital report that scammers are inserting counterfeit orders that blend in with real purchases. These fake receipts impersonate well-known brands, including Norton, McAfee, Apple, and PayPal. Each bogus receipt includes a phone number for disputing the charge. When a user calls, they reach a scammer posing as a support agent.
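The traits described above (an impersonated brand, a phone number, and wording that pushes the reader to call about a charge) can be turned into a simple triage check. The following is an added example, not code from Gen Digital, Shopify, or the original article; the receipt fields (`store`, `items`, `note`), the callback phrase list, and the sample receipts are assumptions constructed for illustration.

```python
import re

# Brands the article says the fake receipts impersonate.
IMPERSONATED_BRANDS = ("norton", "mcafee", "apple", "paypal")

# North American phone numbers written with separators, e.g. +1 (555) 010-0199.
# Separators are required so long tracking or order numbers do not match.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}(?!\d)")

# Assumed phrase list: wording that steers the reader to phone about a charge.
CALLBACK_RE = re.compile(
    r"\b(call|contact|phone|dial)\b.{0,80}\b(dispute|cancel|refund|charge)\b"
    r"|\b(dispute|cancel|refund|charge)\b.{0,80}\b(call|contact|phone|dial)\b",
    re.IGNORECASE | re.DOTALL,
)

def triage_receipt(receipt):
    """Return (flagged, reasons) for one order entry (hypothetical dict layout)."""
    text = " ".join(receipt.get(k, "") for k in ("store", "items", "note"))
    reasons = []
    brand = next((b for b in IMPERSONATED_BRANDS
                  if re.search(rf"\b{b}\b", text, re.IGNORECASE)), None)
    if brand:
        reasons.append(f"brand:{brand}")
    if PHONE_RE.search(text):
        reasons.append("phone_number")
    if CALLBACK_RE.search(text):
        reasons.append("callback_wording")
    # A brand name alone is common in real orders; the callback lure needs a
    # phone number, so flag only a phone number plus at least one other trait.
    flagged = "phone_number" in reasons and len(reasons) >= 2
    return flagged, reasons

# Constructed sample receipts (not real data; 555-01xx numbers are fictional).
SAMPLES = [
    {"store": "Norton LifeLock Billing", "items": "Norton 360 Deluxe 3 year",
     "note": "If you did not authorised this charge call +1 (555) 010-0199 to cancel"},
    {"store": "Trailhead Coffee Co", "items": "Espresso beans 1kg",
     "note": "Your order has shipped. Tracking 9400111899223344."},
    {"store": "Apple Orchard Supplies", "items": "Pruning shears",
     "note": "Thanks for your order! Questions? Reply to this email."},
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r["store"], triage_receipt(r))
```

A flagged entry is a candidate for review, not a verdict: legitimate merchants also print support numbers, so the result should feed a report or a manual check rather than automatic removal.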

Using social engineering, the fraudster attempts to extract account credentials, payment card numbers, and one-time authentication codes (OTPs). In more aggressive cases, victims are persuaded to install software that gives the attacker remote control of their device.

Gen Digital researchers point out that this method is more effective than traditional callback phishing, which relies on email. Because Shop is a legitimate app that users inherently trust, a fake order appearing there is far more likely to trigger a response.

Many of these false receipts contain poor grammar, a clear red flag. Even so, researchers note that users may overlook such mistakes when confronted with an invoice for a large purchase.

How these fraudulent invoices are being inserted into the Shop app remains unclear. The app can populate orders from several sources, including email parsing, account association, and order workflows. Gen Digital could not confirm which specific channel is being exploited. They also found no evidence that Shop, Shopify, or any of the impersonated companies were compromised.

BleepingComputer contacted Shopify, and a spokesperson confirmed that the company has implemented new controls to combat the abuse. “We identified bad actors misusing our platform to generate fake order notifications and rolled out new controls that have significantly reduced this activity and improved our ability to detect it going forward,” the spokesperson said.

Shopify advises users who receive suspicious notifications to “avoid calling any phone numbers in it and report the store directly in the Shop app.”

Until the situation is fully resolved, users who see unfamiliar orders in their Shop app should not call the listed phone number. Instead, they should verify any alleged charges directly with their bank. Anyone who has already contacted the scammers and shared sensitive information should immediately reset account passwords and contact their card issuer to cancel the card.

(Source: BleepingComputer)
