The Phantom Order: How Fake Receipts in the Shop App Are Driving Vishing Attacks

Cybersecurity landscapes are shifting from external delivery methods, like traditional phishing emails, to sophisticated in-app social engineering. Recently, threat actors have begun exploiting the Shopify ecosystem—specifically the Shop app—to inject fraudulent order histories directly into a user’s legitimate purchase tracking interface.

Security researchers Luis Corrons and Jakub Vavra from Gen have documented multiple campaigns where fake digital receipts appear within the Shop app. These fraudulent entries often impersonate high-trust global brands, including Norton, McAfee, Apple, and PayPal, leveraging the inherent credibility of the platform to bypass a user’s natural skepticism.

The Technical Vector: Exploiting Order Aggregation

The vulnerability lies not in a traditional system breach, but in the exploitation of the Shop app’s core functionality. The app acts as a centralized aggregator, scanning connected email accounts (such as Gmail and Outlook) and Shop Pay transaction histories to provide users with a unified view of their spending. By parsing keywords related to shipping and order confirmations, the app automatically populates the “Orders” tab.

Attackers appear to be manipulating this automated workflow. By utilizing generic merchant names like “My Store,” threat actors can insert entries that mimic high-value transactions—such as expensive antivirus subscriptions, smartphones, or gift cards. These items are strategically chosen to trigger immediate financial anxiety in the recipient.

Key Indicator of Compromise (IoC): The malicious payload is rarely a link; instead, it is a fraudulent support phone number embedded within non-standard metadata fields. Look for contact numbers located in:

  • Product descriptions
  • Shipping address lines
  • Order notes or special instructions

Legitimate automated receipts almost never include support contact information within these specific data fields.
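As an added illustration of the indicator described above (this is example code, not part of the original article or of the Shop app), the following scanner walks a set of constructed order records and flags phone-shaped strings that appear in product descriptions, shipping address lines or order notes, raising the score when a call-to-action word sits in the same field or the merchant name is a generic placeholder such as "My Store". The field names, the generic-merchant list and the sample records are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Fields where a legitimate automated receipt should not carry a contact number
# (hypothetical field names chosen for this example).
SCANNED_FIELDS = ("product_description", "shipping_address", "order_notes")

# Merchant names too generic to identify a real storefront (assumed list).
GENERIC_MERCHANTS = {"my store", "store", "online shop", "shop"}

# Phone-shaped strings: optional country code, then 3-3-4 digit groups with
# common separators. The lookbehind skips numbers glued to an order reference
# ("#123...") or to a longer alphanumeric token such as a tracking number.
PHONE_RE = re.compile(
    r"(?<![\w#])(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b"
)
# Words that turn a bare number into an instruction to phone someone.
CUE_RE = re.compile(r"\b(call|support|helpline|billing|cancel|refund)\b", re.I)

@dataclass
class Finding:
    order_id: str
    field: str
    number: str
    score: int  # 1 = phone number in an unexpected field; higher = more suspicious

def scan_order(order: dict) -> list[Finding]:
    """Return one Finding per phone-shaped string found in a scanned field."""
    findings = []
    generic = order.get("merchant", "").strip().lower() in GENERIC_MERCHANTS
    for field in SCANNED_FIELDS:
        text = order.get(field) or ""
        for m in PHONE_RE.finditer(text):
            score = 1
            score += 1 if CUE_RE.search(text) else 0   # "call", "support", ...
            score += 1 if generic else 0               # placeholder merchant name
            findings.append(Finding(order["id"], field, m.group(0), score))
    return findings

def scan_orders(orders: list[dict]) -> list[Finding]:
    return [f for o in orders for f in scan_order(o)]

# Constructed sample records modelled on the pattern the article describes.
SAMPLE_ORDERS = [
    {"id": "A1", "merchant": "My Store",
     "product_description": "Norton 360 Deluxe - 1 year. To cancel call 1-800-555-0199",
     "shipping_address": "12 Example Rd, Springfield, IL 62704", "order_notes": ""},
    {"id": "A2", "merchant": "Acme Books", "product_description": "Paperback, 320 pages",
     "shipping_address": "99 Sample St, Austin, TX 78701", "order_notes": "Leave at door"},
    {"id": "A3", "merchant": "Gift Cards Co", "product_description": "Apple Gift Card $500",
     "shipping_address": "Support: (555) 010-2233", "order_notes": ""},
]

if __name__ == "__main__":
    for finding in scan_orders(SAMPLE_ORDERS):
        print(finding)
```

The pattern is deliberately conservative: a 10-digit order reference written without a leading "#" would also be flagged, which is acceptable here because the article's point is that these fields should not contain any phone-shaped contact string at all.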

The Attack Lifecycle: From In-App Receipt to Vishing

Once the victim identifies the “unauthorized” charge, the attack transitions from digital deception to Voice Phishing (vishing). The workflow typically follows this pattern:

  1. The Trigger: The user sees a high-value, unrecognized order in their trusted Shop app.
  2. The Contact: Panicked, the user calls the “support number” provided in the receipt description.
  3. The Social Engineering: A scammer, posing as a billing specialist, engages the victim to “cancel” the fraudulent charge.
  4. The Extraction: The attacker attempts to harvest sensitive data, including login credentials, full credit card numbers, or One-Time Passcodes (OTP).
  5. The Payload: In advanced stages, victims may be coerced into installing remote access tools (RATs), granting attackers full control over the device.

[Figure: Visual representation of the attack flow from fake invoice to vishing. Attack flow analysis (Source: Gen Digital)]

It is important to note that there is currently no evidence of a direct security breach within Shopify’s core infrastructure or the Shop app’s backend. This appears to be a “feature abuse” scenario, where legitimate merchant onboarding processes or email parsing logic are manipulated to inject malicious strings into the UI.

Mitigation and Best Practices

As attackers move toward “contextual trust”—using the legitimacy of an app to validate a lie—users must adopt a zero-trust mindset regarding in-app notifications.

To protect yourself:

  • Verify via Source: If you see an unexpected order, do not use the phone numbers provided in the app. Instead, log in directly to your official banking portal or the official website of the service (e.g., Apple.com) to check your actual billing history.
  • Report Anomalies: Use the Shop app’s internal reporting tools to flag suspicious stores and forward phishing attempts to Shopify’s abuse team.
  • Ignore Metadata “Support”: Treat any phone number found in a product description or shipping field as a high-risk threat.

The rise of these in-app invoice scams marks a sophisticated evolution in social engineering, requiring users to remain vigilant even within the most trusted corners of their digital lives.
