We see lots of phishing attempts for banking, Paypal and other login credentials. This is newer entry to the lists. I don’t often see Shopify phishing emails. I was quite suprised to see a double phishing scam here. First asking for your Shopify shop address, then your email address associated with the shop, then log in password for the shop. Then to add a bit of flavour they ask you to link your PayPal account and want that email address & password.
This phisher is out of luck and the site has been reported for immediate takedown. I don’t expect it to be up much longer.
The same warning that applies to all emails alleging to be from a financial body applies here. All emails should be personally addressed by name, not Dear Member or similar. If it doesn’t have your name & correct email address in the to: line then immediately treat as suspicious.
They use email addresses and subjects that will entice a user to read the email and open the attachment.
You can now submit suspicious sites, emails and files via our Submissions system
Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com >. That is why these scams and phishes work so well.
The email looks like:
From: Shopify <firstname.lastname@example.org>
Date: Thu 21/03/2019 13:40
Subject: Urgent: Payments for 2 orders expire today
You need to manually capture payments for 2 orders to charge your customers for their purchases.
If you don’t capture the payments before March 23, 2019 at 8:42 am PST, they will expire and you won’t get paid for these sales.
To automatically capture payment for orders, edit your payment settings.
Find out how to capture payments at the Shopify Help Center.
© Shopify | 150 Elgin Street, Ottawa ON, K2P 1L4
If you follow the link you see a webpage looking like this: https://myshopify-capture-llc.ml/en/store-login/
After you input your shop address and password you get told that shopify wants to link your paypal account to the shop
Press ” I Give Permission” and you end up on this page asking for your email address and then password associated with Paypal
Next you get a success page
Then you are forwarded to the genuine Shopify site
We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.
|188.8.131.52||mailex.mailcore.me||GB||AS20773 Host Europe GmbH|
|184.108.40.206||29.ip-158-69-113.net||Montreal||Quebec||CA||AS16276 OVH SAS|
Received: from mailex.mailcore.me ([220.127.116.11]:46782) by my email serverwith esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <email@example.com>) id 1h6xvP-0004kO-6S for firstname.lastname@example.org; Thu, 21 Mar 2019 13:40:03 +0000 Received: from 29.ip-158-69-113.net ([18.104.22.168] helo=WIN7AF2GLE16Q4) by smtp03.mailcore.me with esmtpa (Exim 4.89) (envelope-from <email@example.com>) id 1h6xvP-0006YQ-Ov for firstname.lastname@example.org; Thu, 21 Mar 2019 13:40:04 +0000 thread-index: AdTf65X85w9fUHzdQo2IS7xHK91zDw== Thread-Topic: Urgent: Payments for 2 orders expire today From: =?utf-8?Q?Shopify?= <email@example.com> To: <firstname.lastname@example.org> Subject: Urgent: Payments for 2 orders expire today Date: Thu, 21 Mar 2019 09:40:02 -0400 Message-ID: <D8B52591A33E4A0B86704B232D195266@WIN7AF2GLE16Q4> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_1C901_01D4DFCA.0EEDA470" X-Mailer: Microsoft CDO for Windows 2000 Content-Class: urn:content-classes:message Importance: normal Priority: normal X-MimeOLE: Produced By Microsoft MimeOLE X-Mailcore-Auth: 439629129 X-Mailcore-Domain: 1957525 X-KLMS-Rule-ID: 1 X-KLMS-Message-Action: clean X-KLMS-AntiSpam-Status: not scanned, license restriction X-KLMS-AntiPhishing: not scanned, license restriction X-KLMS-AntiVirus: Kaspersky Security 8.0 for Linux Mail Server, version 22.214.171.1241, bases: 2019/03/21 06:58:00 #9414304 X-KLMS-AntiVirus-Status: Clean, skipped