Shopify's Shop App Hijacked to Deliver Callback Phishing and Remote Access Malware
Threat actors are actively abusing Shopify's Shop app — the order-tracking companion installed on tens of millions of consumer devices — by planting fake purchase receipts directly inside users' order histories. The app then surfaces legitimate-looking notifications, prompting victims to investigate a charge they never made.
What Happened
Attackers have found a way to inject fraudulent orders into Shop's order feed. Each fake receipt includes a phone number presented as customer support. When the victim calls to dispute the charge, they reach a live attacker posing as a Shopify agent who walks them through "canceling the order" — a process that ends with the victim installing remote access software such as AnyDesk or ScreenConnect, handing the attacker full control of their machine.
This is a callback phishing (TOAD — Telephone-Oriented Attack Delivery) campaign adapted to exploit the trusted context of a widely deployed retail app. Because the initial hook is a push notification inside a legitimate app rather than a suspicious link or email, standard defenses — spam filters, URL reputation engines, and phishing-aware gateways — are bypassed entirely. The phone call step applies high-pressure social engineering at the exact moment victims are already financially anxious about an unexpected charge.
Why It Matters
Shop is installed on personal devices that frequently belong to employees who also access corporate resources. A successful callback phishing call gives the attacker an authenticated beachhead: saved credentials, active VPN sessions, corporate SaaS tokens, and browser-stored passwords are all in scope. The attack scales effortlessly — Shopify's massive merchant ecosystem provides unlimited realistic order data to mimic, and the technique requires no malware delivery infrastructure beyond a phone number and a remote access binary that most endpoint tools don't block by default.
What To Do
- Send an advisory today. Notify users, helpdesk staff, and your security team: Shop will never ask you to call a number to cancel an order or install software. Shopify handles refunds through the app itself, not over the phone.
- Flag unauthorized remote-access installs. If your EDR or MDM alerts on AnyDesk, ScreenConnect, or similar tools being installed outside your approved software list, treat it as a probable TOAD incident and investigate immediately.
- Review Shopify merchant templates. If your organization operates a storefront, audit your order confirmation and notification templates for unauthorized modifications, and report anomalies through Shopify's official support.
- Add callback phishing to your awareness training. TOAD campaigns have been flagged as an escalating vector by both the FBI and CISA. A scenario where a "receipt notification" leads to a support call is now required training material.
If a user has already installed software at an attacker's direction, isolate the device immediately, revoke all active sessions, and rotate credentials for every account that was accessible from that machine.
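As an added example (not code from the original advisory, and not Shopify's or any EDR vendor's own logic), the following Python rule implements the "flag unauthorized remote-access installs" item above and attaches the containment steps from the preceding paragraph to every hit. The JSON event schema, host names, user accounts, timestamps and file paths are constructed for illustration; the approved-tool list, the managed-account list, and the TeamViewer/RustDesk patterns are assumptions standing in for your own policy. One design point it makes explicit: an attacker on the phone can direct the victim to install the same product your helpdesk uses, so approval is keyed on the deployment channel (who installed it), not on the product name alone.

```python
"""Detection rule for remote-access tool installs outside the approved channel.

Constructed example: the JSON event format, hosts, accounts and paths below are
invented for illustration and are not from Shopify, Shop or any EDR/MDM product.
Adapt parse_event() to your own EDR/MDM export.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Name patterns for remote-access tools. AnyDesk and ScreenConnect are the tools
# named in the advisory; TeamViewer and RustDesk are assumed additions.
REMOTE_ACCESS_PATTERNS = {
    "AnyDesk": re.compile(r"anydesk", re.I),
    "ScreenConnect": re.compile(r"screenconnect|connectwise[\s_-]*control", re.I),
    "TeamViewer": re.compile(r"teamviewer", re.I),
    "RustDesk": re.compile(r"rustdesk", re.I),
}

# Hypothetical org policy: ScreenConnect is the sanctioned helpdesk tool, but only
# when pushed by the management agent, which installs as SYSTEM. A caller can talk a
# victim into installing the same product from the attacker's own instance, so a
# product-name allowlist alone is not enough; the installing account must match too.
APPROVED_TOOLS = {"ScreenConnect"}
MANAGED_ACCOUNTS = {r"NT AUTHORITY\SYSTEM"}

# Containment steps from the advisory, attached to each finding for the responder.
CONTAINMENT = "isolate device; revoke all active sessions; rotate credentials reachable from it"


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    tool: str
    reason: str
    action: str = CONTAINMENT


def classify_tool(product: str, path: str) -> Optional[str]:
    """Return the remote-access tool name matched by product name or binary path."""
    for name, pattern in REMOTE_ACCESS_PATTERNS.items():
        if pattern.search(product or "") or pattern.search(path or ""):
            return name
    return None


def parse_event(line: str) -> Optional[dict]:
    """Parse one JSON event line; malformed lines are skipped, not fatal to the rule."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict):
        return None
    if event.get("event") not in ("software_install", "process_start"):
        return None
    return event


def flag_unapproved_remote_access(lines: Iterable[str], approved_tools=APPROVED_TOOLS,
                                  managed_accounts=MANAGED_ACCOUNTS) -> List[Finding]:
    """Return a Finding for every remote-access install/launch outside the sanctioned channel."""
    findings: List[Finding] = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        tool = classify_tool(event.get("product", ""), event.get("path", ""))
        if tool is None:
            continue
        user = event.get("user", "")
        if tool in approved_tools and user in managed_accounts:
            continue  # sanctioned: approved product deployed by the managed account
        if tool in approved_tools:
            reason = f"approved product {tool} installed outside managed channel by {user}"
        else:
            reason = f"unapproved remote-access tool {tool} installed by {user}"
        findings.append(Finding(event.get("ts", ""), event.get("host", ""), user, tool, reason))
    return findings


# Constructed sample export: one victim install, one sanctioned push, one approved
# product installed by hand, one unrelated install, one malformed line, one launch.
SAMPLE_EVENTS = [
    r'{"ts":"2025-01-15T14:02:11Z","host":"LAPTOP-01","user":"CORP\\jdoe","event":"software_install","product":"AnyDesk","path":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}',
    r'{"ts":"2025-01-15T14:05:40Z","host":"LAPTOP-02","user":"NT AUTHORITY\\SYSTEM","event":"software_install","product":"ScreenConnect Client","path":"C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"}',
    r'{"ts":"2025-01-15T14:09:03Z","host":"LAPTOP-03","user":"CORP\\asmith","event":"software_install","product":"ScreenConnect Client","path":"C:\\Users\\asmith\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.msi"}',
    r'{"ts":"2025-01-15T14:10:22Z","host":"LAPTOP-01","user":"CORP\\jdoe","event":"software_install","product":"Google Chrome","path":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}',
    'not json {',
    r'{"ts":"2025-01-15T14:12:58Z","host":"LAPTOP-04","user":"CORP\\bkim","event":"process_start","product":"","path":"C:\\Users\\bkim\\Downloads\\AnyDesk.exe"}',
]

if __name__ == "__main__":
    for f in flag_unapproved_remote_access(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host} {f.tool}: {f.reason} -> {f.action}")
```

Run against the constructed export, the rule reports three hits (the AnyDesk install on LAPTOP-01, the hand-installed ScreenConnect on LAPTOP-03, and the AnyDesk launch from a Downloads folder on LAPTOP-04) and stays silent on the SYSTEM-pushed ScreenConnect and the browser install. Treat each hit as the "probable TOAD incident" the advisory describes and follow the containment line rather than waiting for a second signal.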
Synthesized by Claude · sanity-checked before publish.