As reported by Bleeping Computer, threat actors are increasingly abusing the Shop order-tracking app from Shopify by inserting fake purchase receipts into users' order histories to trick them into divulging sensitive data or installing remote access software.Scammers are impersonating well-known brands like Norton, McAfee, Apple, and PayPal by adding fake orders to the Shop app, which is popular in North America with over 50 million downloads on Google Play. These fraudulent receipts include a phone number that leads to a scammer posing as a support agent, according to a report by Gen Digital. Using social engineering, the scammer attempts to obtain account credentials, payment card details, and one-time passcodes. In some instances, victims are tricked into installing software that grants remote access to their devices.This method is considered more effective than email-based callback phishing because users inherently trust the Shop app. While many fake receipts contain poor grammar, users might overlook mistakes when seeing an invoice for a large purchase. It remains unclear how these fake receipts are inserted into the app, as Shop can populate orders from multiple sources. Gen Digital, the cybersecurity firm that identified this trend, found no evidence that Shop, Shopify, or the impersonated companies were compromised. Users who see unexpected receipts on Shop should not call the listed number but verify charges directly with their bank.Source: Bleeping Computer
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds