Order-tracking app Shop abused to push callback phishing attacks
Threat actors are increasingly abusing Shop, the order-tracking app from Shopify, by adding fake purchase receipts in users' order histories to trick them into providing sensitive data or installing remote access software. [...]
AI Analysis
Technical Summary
The Shop app from Shopify, which aggregates order tracking and receipts from multiple retailers, is being exploited by threat actors who add fake purchase receipts to users' order histories. These fake receipts impersonate brands like Norton, McAfee, Apple, and PayPal and include phone numbers that connect victims to scammers. The scammers use callback phishing techniques to obtain account credentials, payment card details, and OTPs, and sometimes convince victims to install remote access software. The fraudulent receipts appear alongside legitimate orders, increasing their credibility. The source of the fake receipts is unclear, with possibilities including email parsing or account association, but no definitive delivery channel has been identified. There is no indication that Shop or Shopify infrastructure has been breached.
Potential Impact
Users of the Shop app may be deceived into providing sensitive personal and financial information or installing malicious software that grants remote access to their devices. This can lead to account compromise, financial fraud, and unauthorized device control. The phishing attacks exploit user trust in the legitimate app, increasing the likelihood of successful social engineering. No direct compromise of Shop or Shopify systems has been found, indicating the threat arises from external manipulation of order data sources.
Mitigation Recommendations
No official patch or fix is available as this is a phishing abuse of the app's order display functionality rather than a software vulnerability. Users are advised not to call phone numbers listed on suspicious receipts and to verify any unexpected charges directly with their banks. Those who have disclosed sensitive information should immediately reset passwords and contact their card issuers to cancel affected payment methods. Monitoring for suspicious orders and educating users about callback phishing risks can help reduce impact. Since the vendor has not confirmed any compromise or fix, patch status is not yet confirmed — check vendor advisories for updates.
Technical Details
- Article Source: https://www.bleepingcomputer.com/news/security/order-tracking-app-shop-abused-to-push-callback-phishing-attacks/ (fetched 2026-06-25T19:46:15.956Z, 761 words)
Threat ID: 6a3d85874853345fc161f722
Added to database: 06/25/2026, 19:46:15 UTC
Last enriched: 06/25/2026, 19:46:25 UTC
Last updated: 06/26/2026, 02:24:36 UTC