VYPR
Research · Published Jun 25, 2026 · 1 source

Shopify's Shop App Abused in Callback Phishing Campaign, Researchers Warn

Threat actors are injecting fake purchase receipts into the popular Shopify order-tracking app Shop to launch callback phishing attacks, according to Gen Digital research.

Threat actors are increasingly abusing Shop, the order-tracking app from Shopify, by adding fake purchase receipts in users' order histories to trick them into providing sensitive data or installing remote access software.

The Shop digital shopping assistant serves as a centralized platform where users can track orders from multiple online retailers, access receipts and shipping updates, and discover and purchase products from merchants that use Shopify. The app is very popular in North America, where support and purchasing options are more substantial. It has 50 million downloads on Google Play and 7 million ratings in Apple's App Store.

According to cybersecurity company Gen Digital, scammers are inserting fake orders that appear alongside legitimate purchases, impersonating brands such as Norton, McAfee, Apple, and PayPal. The digital receipts also list a phone number that users can call to dispute the purchase. At the other end, however, is a scammer posing as a support agent. Using social engineering tactics, the fraudster tries to convince the victim to disclose account credentials, payment card details, and temporary authentication codes (OTPs). In some cases, the researchers say, victims are tricked into installing software that grants remote access to the device.

Gen Digital researchers note that inserting the fake receipts in the Shop app is a more effective method than using email to deliver fraudulent purchase notifications, a more common technique known as callback phishing. "Shop is a legitimate shopping app, and users inherently trust it, so orders that appear there are far more likely to prompt responses from unsuspecting users," the researchers warn. However, they note that many of the false receipts contain poor grammar, which is an obvious red flag. Nevertheless, users may miss the mistakes when they see an invoice for a large purchase.

Despite the observed wave of fraudulent invoices, it is unclear how they are inserted into the Shop app. The researchers say that Shop can populate orders from multiple sources, including email parsing, account association, and order workflows, but no particular one could be confirmed as the delivery channel for the fraudulent notifications. Gen Digital stresses that it found no evidence that Shop, Shopify, or any of the impersonated companies were compromised.

BleepingComputer has reached out to Shopify with related questions, but has not received a response as of publishing. Without a specific patch or mitigation from Shopify, the attack vector remains open. Until the situation clears up, users who see receipts for orders they didn't place on Shop are advised not to call the phone number listed on them, but instead to verify any alleged charge directly with their bank. Those who have already contacted the scammers and disclosed sensitive information should immediately reset their account passwords and contact their card issuer for cancellation.

This abuse of a trusted e-commerce application represents a worrying evolution in callback phishing. Rather than relying on convincing email spoofing, attackers now leverage the implicit trust users place in a platform that aggregates real purchase data. As shopping apps become central to consumer tracking, threat actors are likely to continue targeting these services, exploiting the thin line between convenience and vulnerability.

Synthesized by Vypr AI