Threat actors are increasingly abusing Shop, the order-tracking app from Shopify, by adding fake purchase receipts in users' order histories to trick them into providing sensitive data or installing remote access software.
The Shop digital shopping assistant serves as a centralized platform where users can track orders from multiple online retailers, access receipts and shipping updates, and discover and purchase products from merchants that use Shopify.
The app is very popular in North America, where support and purchasing options are more substantial. It has 50 million downloads on Google Play and 7 million ratings in Apple's App Store.
According to cybersecurity company Gen Digital, scammers are inserting fake orders that appear alongside legitimate purchases, impersonating brands such as Norton, McAfee, Apple, and PayPal.
[Image: Fake Norton purchase receipt in the Shop app. Source: Gen Digital]
The fake receipts also list a phone number that users can call to dispute the purchase. However, the person at the other end is a scammer posing as a support agent.
Using social engineering tactics, the fraudster tries to convince the victim to disclose account credentials, payment card details, and temporary authentication codes (OTPs).
In some cases, the researchers say that victims are tricked into installing software that grants remote access to the device.
Gen Digital researchers note that inserting the fake receipts in the Shop app is a more effective method than delivering fraudulent purchase notifications by email, the more common technique known as callback phishing.