In this likely AI-generated phishing attack, cybercriminals use a malicious Gmail address to impersonate Shopify. The email claims that the recipient’s Shopify account is at risk of deactivation due to potential violations of the Terms of Service. With the subject line “(Notice) Account Deactivation Imminent,” the email employs urgency to provoke immediate action. Recipients are urged to contact Shopify Support via a link, “t[.]me/help_shopifysupport,” which redirects to a Telegram page. There, a button encourages users to message a fraudulent support account. The attacker aims to harvest sensitive information by deceiving recipients into interacting with the fake support channel. This attack exploits the trusted Shopify brand and the urgency of account deactivation to trick recipients into bypassing their usual skepticism, increasing the likelihood of success.

Older, legacy email security tools struggle to identify this email as an attack because it is sent from a reputable email provider, contains legitimate links to recognizable domains, and contains no suspicious attachments. Modern AI-powered email security solutions excel at recognizing suspicious patterns in such communications. These tools can detect the mismatch between the sender's domain and name, identify that the email is coming from an unknown sender, and recognize that the sending domain does not match any of the domains in the body links. Organizations can significantly reduce the risk of such attacks by deploying advanced AI solutions and educating users about common phishing tactics.


Likely AI-generated phishing email mimicking a Shopify account deactivation notice


Legitimate Telegram page exploited by Shopify impersonator

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Reputable Email Provider: The attacker uses a free webmail service, which is less likely to be blacklisted and can bypass basic email filters.
  • Legitimate Links Included: The email includes links to recognizable domains, which can pass basic link verification checks because of their legitimate structure.
  • Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Sender Name and Domain Mismatch: The sender name does not match the sender domain, raising suspicion during Abnormal’s analysis.
  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established sender-recipient interaction patterns.
  • Unusual Sending Behavior: The sender domain does not match any of the domains found in the body links, raising suspicion.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
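The three indicators listed above (sender name versus sender domain, unknown sender, and sender domain versus link domains) can be checked mechanically against the message headers and body. The script below is an added illustration written for this page, not Abnormal's detection code, and it makes no claim about how Abnormal's platform implements these checks. It uses a constructed sample email modelled on the attack described here (Gmail sender, "Shopify Support" display name, defanged Telegram link) and a constructed legitimate message for contrast; the brand-to-domain table and the free webmail list are assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the phishing email described on this page.
# The link is kept defanged ("t[.]me") and refanged only for parsing.
PHISH_EMAIL = """From: Shopify Support <shopify.support.team@gmail.com>
To: merchant@example.com
Subject: (Notice) Account Deactivation Imminent

Your Shopify account may violate our Terms of Service and will be deactivated.
Contact Shopify Support immediately: https://t[.]me/help_shopifysupport
"""

# Constructed legitimate message for contrast: brand domain, known sender,
# links that stay on the sender's domain.
LEGIT_EMAIL = """From: Shopify <noreply@shopify.com>
To: merchant@example.com
Subject: Your weekly store summary

View your report: https://admin.shopify.com/store/example
"""

# Assumed lookup tables for the example; a real deployment would source these
# from threat intelligence and the organisation's own communication history.
FREE_WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
BRAND_DOMAINS = {"shopify": {"shopify.com"}}

URL_RE = re.compile(r"https?://([^\s/]+)", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo common defanging so URLs can be parsed."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def sender_parts(msg) -> tuple[str, str, str]:
    """Return (display name, address, domain) from the From header."""
    name, addr = parseaddr(msg["From"])
    return name.lower(), addr.lower(), addr.rpartition("@")[2].lower()


def link_domains(body: str) -> set[str]:
    """Collect the host part of every http(s) URL in the body."""
    return {m.group(1).lower() for m in URL_RE.finditer(refang(body))}


def same_or_subdomain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyze(raw_email: str, known_senders: set[str]) -> list[str]:
    """Run the indicator checks; each finding is 'code: detail'."""
    msg = message_from_string(raw_email)
    name, addr, dom = sender_parts(msg)
    findings = []

    # 1. Display name claims a brand, but the sender domain is not that brand's.
    for brand, brand_doms in BRAND_DOMAINS.items():
        if brand in name and not any(same_or_subdomain(dom, d) for d in brand_doms):
            findings.append(f"name-domain-mismatch: '{name}' sent from {dom}")

    # 2. Free webmail account used to impersonate an organisation.
    if dom in FREE_WEBMAIL_DOMAINS:
        findings.append(f"free-webmail: {dom}")

    # 3. Sender has no prior communication history with the recipient.
    if addr not in known_senders:
        findings.append(f"unknown-sender: {addr}")

    # 4. None of the body links point at the sender's own domain.
    links = link_domains(msg.get_payload())
    if links and not any(same_or_subdomain(h, dom) for h in links):
        findings.append(f"link-domain-mismatch: {sorted(links)} vs {dom}")

    return findings


if __name__ == "__main__":
    for label, raw, history in (("phish", PHISH_EMAIL, set()),
                                ("legit", LEGIT_EMAIL, {"noreply@shopify.com"})):
        print(label, analyze(raw, history) or "no findings")
```

The checks are deliberately independent so that each one can be tuned or weighted on its own; in practice a single hit (for example an unknown sender) is weak evidence, while the combination of all four on one message is the pattern the page describes.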

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: Matching Free Webmail Username; Free Webmail Account
  • Theme: Legal Matter; Security Update
  • Impersonated Party: Brand
  • Impersonated Brands: Shopify
  • AI Generated: Likely
