
Fake orders in Shopify's Shop app fuel callback phishing wave

bleepingcomputer.com · @vast_badger · 2 hours ago · Cybersecurity · 3 comments

Scammers are inserting fake purchase receipts into Shopify's Shop app, weaponizing user trust to steal credentials and install remote access software.

Tags: shopify, shop app, gen digital, callback phishing, social engineering, phishing

50 million downloads on Google Play and 7 million ratings in Apple's App Store mean Shop users trust the app implicitly, and that trust is now the attack surface. Threat actors are abusing Shopify's order-tracking app by injecting fake purchase receipts that appear alongside legitimate orders, according to Gen Digital researchers. The promised refund lures victims into calling a phone number printed on the receipt, where a scammer posing as a support agent tries to harvest account credentials, payment card details, and one-time passcodes (OTPs), or talks the victim into installing remote access software.

How scammers weaponize a shopping tracker

Shop aggregates orders from multiple online retailers into a single feed. Users see real deliveries from Amazon, eBay, or direct brand purchases, and in this campaign they also see fake invoices impersonating Norton, McAfee, Apple, and PayPal in the same list. The psychology is straightforward: people trust the app more than email. Callback phishing via email is old news; a notification inside a tool you already use for legitimate purchases bypasses the skepticism that email has trained users to apply.

Gen Digital notes that many fake receipts contain poor grammar, but a large dollar amount tends to override red flags. Once the victim calls, the social engineering script follows classic patterns: urgency, authority, and a demand for sensitive data or remote control.

The unknown insertion mechanism

This is the gap that should worry practitioners. Gen Digital confirmed that Shop can populate orders through email parsing, account association, and order workflows, but could not pinpoint which channel the scammers are abusing. No evidence suggests Shopify or any impersonated brand was compromised, which leaves several candidates: a forged receipt delivered to a mailbox the app parses (email parsing ingests third-party input by design), credential stuffing against users' email or linked accounts, a misconfigured Shopify order integration, or a vector not yet identified. BleepingComputer had no response from Shopify as of publishing, so the root cause remains unknown.

What this means for defenders and users

For users: do not call a phone number printed on a receipt for an order you did not place. Verify the charge with your bank or card issuer using the number on the back of your card. If you already called and shared information, reset the affected passwords, uninstall any remote access software you were asked to install, and contact your card issuer. For security teams: callback phishing is moving from email into trusted third-party platforms, and any app that aggregates user data from external sources becomes a potential trust relay. Awareness material and phishing-report workflows should cover in-app receipts, not just email, and any product that ingests receipts from outside sources should treat them as untrusted input to be checked before display.
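As an added illustration of treating aggregated receipts as untrusted input (this is example code written for this summary, not Shop's, Shopify's, or Gen Digital's code), the triage below scores receipts in a hypothetical aggregator feed against the lure traits the article describes: a brand name that does not match the sending domain, a phone number paired with refund or cancellation language, a large charge, and a merchant the user has never ordered from. The receipt fields, the brand-to-domain allowlist, the sample receipts, and the scoring weights are all assumptions constructed for the example.

```python
"""Heuristic triage for receipts landing in an order-aggregator feed.

Added example for this article, not code from Shop, Shopify, or Gen Digital.
The Receipt fields, BRAND_DOMAINS allowlist, sample feed and weights are
assumptions chosen to illustrate scoring third-party receipts before display.
"""
import re
from dataclasses import dataclass, field

# Assumed allowlist of legitimate sender domains per commonly impersonated brand.
BRAND_DOMAINS = {
    "norton": {"norton.com"},
    "mcafee": {"mcafee.com"},
    "apple": {"apple.com", "email.apple.com"},
    "paypal": {"paypal.com"},
}

# North American style phone number. Crude on purpose: a 10-digit order ID
# can also match, which is why this is one signal among several.
PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LURE_WORDS = ("refund", "cancel", "charged", "call", "support")
LARGE_AMOUNT_USD = 200.0
SUSPICIOUS_THRESHOLD = 3


@dataclass
class Receipt:
    merchant: str        # brand shown on the receipt
    sender_domain: str   # domain of the message the receipt was parsed from
    amount_usd: float
    body: str
    source: str          # "email_parse", "account_link" or "order_workflow"


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def score_receipt(receipt: Receipt, known_merchants: set) -> Verdict:
    """Score one receipt; higher means more likely a callback-phishing lure."""
    verdict = Verdict()
    brand = receipt.merchant.lower()
    text = receipt.body.lower()

    # 1. Brand/sender mismatch: a "Norton" receipt that did not come from Norton.
    allowed = BRAND_DOMAINS.get(brand)
    if allowed is not None and receipt.sender_domain.lower() not in allowed:
        verdict.score += 2
        verdict.reasons.append(
            f"sender {receipt.sender_domain} is not an allowed domain for {receipt.merchant}")

    # 2. Callback lure: a phone number next to refund/cancel/support wording.
    phones = PHONE_RE.findall(receipt.body)
    if phones and any(word in text for word in LURE_WORDS):
        verdict.score += 2
        verdict.reasons.append(f"phone number {phones[0]} paired with refund/support wording")

    # 3. Large charge, the pressure element Gen Digital describes.
    if receipt.amount_usd >= LARGE_AMOUNT_USD:
        verdict.score += 1
        verdict.reasons.append(f"large amount ${receipt.amount_usd:.2f}")

    # 4. Merchant the user has never ordered from through this feed.
    if brand not in known_merchants:
        verdict.score += 1
        verdict.reasons.append(f"no prior orders from {receipt.merchant}")

    # 5. Context only: email parsing is the channel an outsider can reach by
    #    sending mail, so note it without changing the score.
    if receipt.source == "email_parse" and verdict.score > 0:
        verdict.reasons.append("receipt entered via email parsing")
    return verdict


# Constructed sample feed: one lure, one ordinary order, one legitimate
# receipt that happens to carry a support phone number.
SAMPLE_FEED = [
    Receipt("Norton", "billing-notice.example", 399.99,
            "Your Norton 360 subscription has been charged $399.99. "
            "To cancel or get a refund call (888) 555-0143 within 24 hours.",
            "email_parse"),
    Receipt("Amazon", "amazon.com", 24.99,
            "Your order of 1 USB-C cable has shipped. Track it in Your Orders.",
            "account_link"),
    Receipt("Apple", "email.apple.com", 9.99,
            "Your iCloud+ receipt. Need help? Call Apple Support at (800) 555-0199.",
            "email_parse"),
]
KNOWN_MERCHANTS = {"amazon", "apple"}  # assumed prior order history for this user


def triage(feed, known_merchants=KNOWN_MERCHANTS):
    """Return (merchant, Verdict) pairs for every receipt in the feed."""
    return [(r.merchant, score_receipt(r, known_merchants)) for r in feed]


if __name__ == "__main__":
    for merchant, verdict in triage(SAMPLE_FEED):
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{merchant:8} score={verdict.score} {flag}")
        for reason in verdict.reasons:
            print("   -", reason)
```

The threshold matters: the Apple receipt above carries a real support number and so scores 2 on the callback rule alone, but its sender domain is on the allowlist, the amount is small, and the merchant is already in the user's history, so it stays below the threshold. Only the combination of signals, not a phone number by itself, should suppress or annotate a receipt before the user sees it.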

This attack won't be the last. As platforms like Shop gain more users, the same trust-by-proxy technique will be adapted for other aggregators. The question is whether Shopify and similar platforms can lock down order injection before the next wave hits.


Source: Order-tracking app Shop abused to push callback phishing attacks
Domain: bleepingcomputer.com
