    Order-tracking app Shop abused to push callback phishing attacks

    By admin, June 26, 2026

    Threat actors are increasingly abusing Shop, the order-tracking app from Shopify, by adding fake purchase receipts in users’ order histories to trick them into providing sensitive data or installing remote access software.

    The Shop digital shopping assistant serves as a centralized platform where users can track orders from multiple online retailers, access receipts and shipping updates, and discover and purchase products from merchants that use Shopify.

    The app is very popular in North America, where support and purchasing options are more substantial. It has 50 million downloads on Google Play and 7 million ratings in Apple’s App Store.

    According to cybersecurity company Gen Digital, scammers are inserting fake orders that appear alongside legitimate purchases, impersonating brands such as Norton, McAfee, Apple, and PayPal.

    Fake Norton purchase receipt in the Shop app
    Source: Gen Digital

    The threat actor also listed a phone number in the digital receipts that users can call to dispute purchases. However, at the other end is a scammer posing as a support agent.

    Using social engineering tactics, the fraudster tries to convince the victim to disclose account credentials, payment card details, and temporary authentication codes (OTPs).

    In some cases, the researchers say that victims are tricked into installing software that grants remote access to the device.

    Gen Digital researchers note that inserting the fake receipts in the Shop app is more effective than delivering fraudulent purchase notifications by email, the more common technique known as callback phishing.

    Shop is a legitimate shopping app, and users inherently trust it, so orders that appear there are far more likely to prompt responses from unsuspecting users.

    The researchers say that many of the false receipts contain poor grammar, which is an obvious red flag, but users may miss the mistakes when they see an invoice for a large purchase.

    Despite the observed wave of fraudulent invoices, it is unclear how they are inserted into the Shop app.

    The researchers say that Shop can populate orders from multiple sources, including email parsing, account association, and order workflows, but no particular one could be confirmed as the delivery channel for the fraudulent notifications.

    Gen Digital underlines that they found no evidence that Shop, Shopify, or any of the impersonated companies were compromised.

    BleepingComputer has reached out to Shopify with related questions, but we have not received a response as of publishing.

    Until the situation clears up, users who see receipts for orders they didn’t place on Shop are advised not to call the phone number listed on them, but instead to verify any alleged charge directly with their bank.

    Those who have already contacted the scammers and disclosed sensitive information should immediately reset their account passwords and contact their card issuer for cancellation.

