SHOPIFY'S SHOP APP WEAPONIZED FOR PHISHING

Cybercriminals are leveraging the Shop app's order history feature to conduct callback phishing campaigns. By adding fraudulent receipts to legitimate user accounts, attackers create convincing social engineering lures that prompt victims to contact support numbers or click malicious links. Once engaged, victims are directed to provide personal information, financial details, or download remote access tools that compromise their systems. The attack exploits user trust in the Shop platform and the familiarity of legitimate order notifications. Shop users should verify receipts against actual purchases and avoid clicking links from unexpected notifications. Contacting Shopify directly through official channels before responding to suspicious order alerts provides additional protection. This campaign highlights how legitimate apps can be weaponized when security controls fail to prevent unauthorized account modifications. Shopify has not publicly confirmed the scope of the abuse or announced remediation steps.