logo

Order-tracking app Shop abused to push callback phishing attacks

ID: f9090638-33e7-53f2-ba3c-debd96ff0a82

STIX ID: report--f9090638-33e7-53f2-ba3c-debd96ff0a82

Feed Name: Bleeping Computer

Threat Score
60/100

Date Published: 2026-06-25

Date Updated: 2026-06-25

Author: Bill Toulas

...
...

Threat actors are abusing the Shopify-provided Shop app by inserting fraudulent order receipts into users' order histories that include phone numbers for 'support' callbacks; victims who call are socially engineered into revealing credentials, payment information, OTPs, or installing remote-access software. Researchers observed impersonation of major brands (Norton, McAfee, Apple, PayPal), could not determine the delivery vector, and advise users to avoid calling numbers on suspicious receipts, verify charges with banks, reset compromised credentials, and contact card issuers if needed.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.