Order-tracking app Shop abused to push callback phishing attacks

Key Points:

• Threat actors are exploiting the Shop app by inserting fake purchase receipts to deceive users into providing sensitive information or installing remote access software.
• The impact includes potential data breaches and financial fraud, affecting users of the Shop app, which has a significant user base in North America.
• Users are advised to avoid calling any phone numbers listed on suspicious receipts and to verify charges directly with their banks. Those who have shared sensitive information should reset passwords and contact their card issuer.

Technical Details: Scammers are utilizing social engineering tactics through the Shop app, impersonating trusted brands to deliver fraudulent notifications. There is no evidence that the Shop app or Shopify has been compromised.

MITRE ATT&CK Techniques:

• T1566.001 - Phishing: Callback Phishing (Initial Access)

IOCs Mentioned: None mentioned