Small charges from Shopify-charge.com are appearing on credit card statements worldwide. The charges appear to originate from a legitimate Shopify site, but many affected users claim never to have used their cards on Shopify.
The spate of charges, often for USD 0 or USD 1, has led to speculation that they may be related to a recent third-party data breach at a Shopify vendor, although no payment information was exposed in the breach.
“Recent reports of small, unauthorised charges from Shopify-charge.com on credit cards may seem minor, but these charges could indicate a broader cyber threat,” said Patrick Tiquet, Vice President of Security and Compliance at Keeper Security. “Attackers often use such inconspicuous transactions to test the validity of compromised card numbers. By making small transactions the cardholder is unlikely to notice, they can evade immediate detection and exploit valid cards before either the cardholder or issuer is alerted to the suspicious activity.”
Bleeping Computer notes that the charges have involved physical and virtual credit cards of all types, including those from Discover, Monzo, Capital One, and other Visa cards. Some people report that charges were also attempted against older deactivated cards.
“While the exact reasons behind these charges remain unclear, there are steps to mitigate their impacts,” added Tiquet. “Consumers should vigilantly monitor their credit card statements for any unauthorised transactions. Utilising credit monitoring services and dark web monitoring can also provide an added layer of protection. These services alert users if their personal information appears on illicit forums or marketplaces, allowing them to act quickly if their data is compromised. Consumers should also change the passwords for their Shopify account and any other retail sites that may be powered by Shopify.”
The charges started on or about July 21st, with the number of impacted people increasing since then. Late last week, Shopify stated publicly that the charges are unrelated to the company’s recent vendor data breach.
“For businesses, especially those using e-commerce platforms like Shopify, maintaining robust security practices is vital,” said Tiquet. “A multi-phase approach to cybersecurity, including conducting regular employee training to minimise human error, implementing password and privileged access management solutions to secure sensitive systems and keeping software updated with the latest security patches will protect against most cyber threats and limit the blast radius if a successful cyber attack occurs.”