Attackers are exploiting the Shop order-tracking application, a widely used mobile app from Shopify, by injecting fraudulent purchase receipts into users' order histories. These fabricated entries mimic legitimate transaction notifications, luring recipients into believing they have been charged for an item they did not purchase.

The scheme, documented by cybersecurity researchers, relies on callback phishing. Victims see a fake receipt in the app, often with a toll-free number to call for a refund. When they dial, the attacker poses as a support agent and coaxes them into revealing credentials or payment details, or into installing remote access software.

Shop's open integration framework allows third-party merchants and systems to push order updates into a user's feed. This design, meant for convenience, is being exploited by adversaries to inject malicious entries without breaching the app's core infrastructure. Indicators of compromise include unexpected order notifications for high-value items such as electronics or luxury goods.

Shopify has acknowledged the abuse. The company recommends users verify any suspicious order by checking their linked payment accounts directly, rather than calling numbers provided in the app. No official patch has been announced; the issue stems from how order data is accepted, not from a software vulnerability. Users can reduce risk by enabling two-factor authentication and avoiding calls to numbers embedded in order details.
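The verification advice above can be expressed as a triage check: reconcile each order entry against the linked payment account and flag entries that carry a callback number or refund wording. This is an added example, not Shopify's code; the record fields, sample orders, and thresholds are constructed assumptions, not Shop's real data format.

```python
import re
from datetime import date

# Constructed sample data. Field names are hypothetical, not Shop's real schema.
ORDERS = [
    {"id": "A1", "total": 18.50, "date": date(2024, 5, 2),
     "note": "Thanks for your order!"},
    {"id": "A2", "total": 1299.00, "date": date(2024, 5, 3),
     "note": "Not you? Call 1-800-555-0142 for a refund within 24 hours."},
    {"id": "A3", "total": 950.00, "date": date(2024, 5, 4),
     "note": "Your order has shipped."},
]
# Constructed charges as they would appear on the linked payment account.
CHARGES = [
    {"amount": 18.50, "date": date(2024, 5, 2)},
    {"amount": 950.00, "date": date(2024, 5, 5)},
]

# North American style phone number, with or without country code.
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Wording that pushes the reader to call about a charge.
LURE = re.compile(r"\b(refund|cancel|dispute|unauthori[sz]ed|not you)\b", re.I)

def has_matching_charge(order, charges, window_days=3):
    """True if the payment account shows the same amount near the order date."""
    return any(
        abs(c["amount"] - order["total"]) < 0.005
        and abs((c["date"] - order["date"]).days) <= window_days
        for c in charges
    )

def triage(orders, charges, high_value=500.0):
    """Return {order id: [reasons]} for entries that need verification."""
    findings = {}
    for o in orders:
        reasons = []
        if not has_matching_charge(o, charges):
            reasons.append("no matching charge")
        if PHONE.search(o["note"]):
            reasons.append("phone number in order text")
        if LURE.search(o["note"]):
            reasons.append("refund/cancel wording")
        if reasons and o["total"] >= high_value:
            reasons.append("high-value item")
        if reasons:
            findings[o["id"]] = reasons
    return findings

if __name__ == "__main__":
    for order_id, reasons in triage(ORDERS, CHARGES).items():
        print(order_id, "->", ", ".join(reasons))
```

An entry with no matching charge means no money has moved, so there is nothing to refund and no reason to call the number shown.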

Attribution remains unclear, though the technique aligns with known fraud gangs operating out of India and Southeast Asia. The attack exploits user trust in a legitimate brand, making it particularly insidious. As Shop boasts over 100 million downloads, the potential victim pool is vast.