Bleepingcomputer
Shop App Exploited for Callback Phishing Attacks via Fake Receipts
Threat actors are abusing the Shop order-tracking app from Shopify by inserting fake purchase receipts into users' order histories. This tactic aims to trick users into providing sensitive information or installing remote access software. The app, popular in North America with 50 million downloads, is being exploited by scammers impersonating well-known brands like Norton and PayPal. Users are misled into calling a fraudulent support number listed on these receipts, where scammers attempt to extract personal data. Although the method is effective because users inherently trust the app, many fake receipts contain poor grammar, which can serve as a warning sign. Researchers from Gen Digital found no evidence that the app or Shopify was compromised. Users are advised to verify any suspicious charges directly with their banks and to reset passwords if they have shared sensitive information. The situation remains under investigation.
Key Points:
• Scammers are inserting fake receipts into the Shop app to conduct phishing attacks.
• The method is more effective than traditional email phishing due to user trust in the app.
• Users are advised to verify charges directly with banks and avoid contacting the provided phone numbers.