Bleepingcomputer
Shopify's Shop App Targeted by Callback Phishing Scams
Threat actors are exploiting Shopify's Shop app to insert fake purchase receipts into users' order histories, tricking them into revealing sensitive information or installing malicious software. The app, popular in North America with 50 million downloads, has seen scammers impersonating reputable brands like Norton and PayPal. Victims are misled into calling a fraudulent support number listed on these receipts, where scammers attempt to extract account credentials and payment details. Researchers from Gen Digital have identified this shift from traditional email phishing to in-app attacks as particularly effective due to the inherent trust users place in the app. Although the exact method of how these fake receipts are inserted remains unclear, no evidence suggests that Shopify or the impersonated companies have been compromised. Users are advised to verify any suspicious receipts directly with their banks and to reset passwords if they have already engaged with the scammers.
Key Points:
• Scammers are inserting fake invoices into the Shop app to exploit user trust.
• Victims are misled into calling a fraudulent support number for assistance.
• Users are advised to verify suspicious receipts directly with their banks.