Threat actors are exploiting the Shopify order-tracking app, Shop, by inserting fake purchase receipts to deceive users into providing sensitive information or installing malicious software. Users are advised to be cautious of any unfamiliar receipts and to verify charges directly with their banks instead of contacting the phone numbers listed in the fraudulent invoices.
Threat actors are exploiting Shopify's order-tracking app, Shop, to conduct callback phishing attacks by inserting fake purchase receipts into users' order histories, thereby leveraging the platform's inherent trust. This highlights the critical need for cybersecurity teams to enhance threat detection capabilities specifically for legitimate platforms that can be manipulated for phishing, and to educate users on verifying suspicious activities through secure and direct channels rather than provided contact information.