[TIMESTAMP: 2026-06-25 20:47 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Shopify Shop App Abused for Callback Phishing Attacks

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Threat actors are abusing the Shop app to inject fraudulent order notifications, leading users toward social engineering schemes.
  • [02] Mobile users with the Shopify Shop app connected to Gmail or Outlook accounts are primary targets for these campaigns.
  • [03] Users must verify all suspicious order notifications through official merchant websites rather than calling numbers provided in the app.

A sophisticated social engineering campaign is currently targeting users of the Shopify ‘Shop’ mobile application, leveraging the app’s automated synchronization features to facilitate phishing attacks. By injecting fraudulent order receipts into the legitimate app interface, threat actors are bypassing traditional email security filters and establishing a high degree of trust with potential victims. This method is a variation of the BazarCall or ‘callback’ phishing TTP, which relies on a telephone conversation to finalize a compromise.

Technical Analysis: How to Detect Callback Phishing in Mobile Apps

The attack begins when a threat actor sends a specially crafted email to a target’s inbox—most commonly a Gmail or Outlook account. These emails are designed to mimic order confirmations or shipping updates from major retailers. According to BleepingComputer, the Shop app automatically scans the user’s linked email accounts for order-related data to provide a centralized tracking dashboard.

When the app identifies these fraudulent emails, it parses the metadata and populates the ‘Orders’ tab within the official Shop app with a new entry. To the user, this appears as a legitimate transaction verified by a trusted platform. The fraudulent entries typically involve high-value items, such as expensive electronics or luxury goods, to create a sense of urgency. The ‘order’ details within the app include a phone number for ‘customer support’ to resolve discrepancies.

Because the notification originates from within a trusted mobile application, the user is less likely to suspect a scam than if they received a standalone email. When the victim calls the provided number to dispute the charge, they are connected to a fraudulent call center. The threat actors then use various social engineering tactics to convince the victim to install remote desktop software—such as AnyDesk or ScreenConnect—under the guise of ‘assisting’ with a refund or securing the account. Once the software is installed, the attackers gain full control over the victim’s device, enabling data exfiltration, the deployment of additional malware, or lateral movement within a corporate network.

Impact and Attribution

While no specific APT has been definitively linked to the Shop app abuse, the methodology mirrors the operations of groups like Luna Moth (also known as Silent Ransom Group). These actors frequently eschew traditional exploit-based delivery in favor of human-centric interaction. The primary risk of these Shop app callback phishing attacks is that they bypass EDR and email gateway solutions. Since the initial ‘malicious’ payload is a legitimate app notification and the second stage is a phone call followed by the installation of a legitimate (though unauthorized) remote access tool, traditional signature-based detection often fails.

For a SOC team, this represents a significant challenge in visibility. The ‘living off the land’ nature of using a popular consumer app means that defenders must look beyond technical vulnerabilities and monitor for unusual user behaviors and the unauthorized presence of remote management tools on endpoints.

Mitigation and Shop App Security Best Practices

Defenders should prioritize awareness and policy-based controls to counter this threat. Implementing Shopify Shop app security best practices within an organization can significantly reduce the risk of successful compromise.

  • User Awareness Training: Employees should be educated on the existence of app-based phishing. Emphasize that official applications can be manipulated to show fraudulent data and that support numbers should always be verified via the official merchant website.
  • Software Restriction Policies: Use SIEM detection rules and device management policies to block or alert on the installation of common remote access tools that are not part of the standard corporate image.
  • Verification Protocols: Advise users to check their actual bank and credit card statements through official banking apps or websites before reacting to a notification in a third-party tracking app.
  • App Permission Review: Users should be encouraged to limit the permissions granted to third-party tracking apps, specifically the ability to read and scan private email accounts automatically.
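The detection side of the software restriction bullet above, written as an added example rather than anything from the article or from Shopify: a small scanner that flags the remote access tools the article names (AnyDesk, ScreenConnect) when they are launched or installed on hosts where they are not part of the standard image, ranking launches from user-writable paths higher because that matches the 'victim installs it during the call' pattern. The log line format, hostnames, approved-host list and process image names are constructed assumptions; substitute your EDR's real field names and inventory.

```python
"""Flag remote-access tools outside the approved corporate image (added example; log format and hosts are constructed)."""
import re

# Tools named in the article. Image names are assumptions for illustration; use your EDR's inventory.
RMM_IMAGES = {
    "anydesk": {"anydesk.exe"},
    "screenconnect": {"screenconnect.clientservice.exe",
                      "screenconnect.windowsclient.exe"},
}
# (host, tool) pairs where the tool is part of the standard image (constructed).
APPROVED = {("helpdesk-01", "screenconnect")}
WATCHED_EVENTS = {"process_create", "software_install"}
# Constructed line format: "<ts> host=<h> user=<u> event=<e> image=<path>"
EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                      r"event=(?P<event>\S+) image=(?P<image>.+)$")

def classify_image(image):
    """Return the RMM tool name for a process image path, or None."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return next((t for t, names in RMM_IMAGES.items() if name in names), None)

def severity_for(image):
    # A tool run from a user-writable path (Downloads, AppData) fits the social-engineered install; rank it higher.
    low = image.lower()
    return "high" if "\\users\\" in low and "program files" not in low else "medium"

def scan(lines):
    """Return (ts, host, user, tool, severity, image) for each unapproved RMM event."""
    alerts = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or m["event"] not in WATCHED_EVENTS:
            continue  # malformed or irrelevant event
        tool = classify_image(m["image"])
        if tool is None or (m["host"].lower(), tool) in APPROVED:
            continue  # not an RMM tool, or sanctioned on this host
        alerts.append((m["ts"], m["host"], m["user"], tool,
                       severity_for(m["image"]), m["image"]))
    return alerts

SAMPLE_LOG = [  # constructed sample events
    r"2026-06-25T20:10:03Z host=WS-FIN-07 user=jdoe event=process_create image=C:\Users\jdoe\Downloads\AnyDesk.exe",
    r"2026-06-25T20:11:40Z host=helpdesk-01 user=svc_it event=process_create image=C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
    r"2026-06-25T20:12:05Z host=WS-HR-02 user=asmith event=process_create image=C:\Windows\System32\notepad.exe",
    r"2026-06-25T20:15:22Z host=WS-FIN-07 user=jdoe event=software_install image=C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.WindowsClient.exe",
    "not a parseable event line",
]

if __name__ == "__main__":
    for ts, host, user, tool, sev, image in scan(SAMPLE_LOG):
        print(f"[{sev.upper()}] {ts} {host} {user} started {tool}: {image}")
```

Running it on the constructed sample yields two alerts for WS-FIN-07 (a high-severity AnyDesk launch from Downloads and a medium-severity ScreenConnect install) while the sanctioned helpdesk host and the notepad event are ignored.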
