Fake USB Memory Sticks sold via Shopify

Fake sticks

About 6 weeks ago I was served an advert on Facebook which promoted a 2TB memory stick. The sticks were being sold for $19.99, or I could buy three USB sticks and get one free. There were thousands of likes, comments and shares on this post, with many users saying that they had received their sticks and that they worked. It was clearly fake; this type of scam has been around for a while, and was written about by Novatech three years ago. To my knowledge, the only 2TB memory stick that exists costs over £1,000 and is a far bulkier device. I warned other users in the comments section, only for it to be removed and for me to be blocked from commenting on the post.

Without wanting to rehash Novatech’s post, the gist is that fraudsters modify the firmware of low-capacity USB sticks to make them report a higher capacity. For instance, they will take cheap 4GB memory sticks, edit the firmware so that they report a capacity of 2TB, and then market them as high-capacity sticks. Memory sticks modified in this way will initially appear to work, in that files can be written to them. However, once the true capacity of the stick is exceeded, irreversible data loss will occur. The tools required to make these changes can be found with relative ease using Google, and there are some legitimate tools like f3 which aim to detect and correct these fake sticks.
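To show why such a stick "appears to work" and how a fill-and-read-back check exposes it, here is an added example that is not from the original post and is not f3's code. `WrappingDrive`, `classify` and `verify_capacity` are hypothetical names, and the simulated stick assumes one particular failure mode: writes past the real capacity wrap around and overwrite earlier blocks.

```python
import hashlib
from collections import Counter

BLOCK = 4096  # bytes per test block

def pattern(index: int) -> bytes:
    """Block content that encodes its own index plus index-keyed filler."""
    tag = index.to_bytes(8, "big")
    return tag + hashlib.shake_128(tag).digest(BLOCK - 8)

class WrappingDrive:
    """Constructed stand-in for a fake stick: advertises `claimed` blocks,
    stores only `real`, and (assumption) wraps addresses past the end."""
    def __init__(self, claimed: int, real: int):
        self.claimed, self.real = claimed, real
        self.cells = [bytes(BLOCK)] * real

    def write_block(self, index: int, data: bytes) -> None:
        self.cells[index % self.real] = data

    def read_block(self, index: int) -> bytes:
        return self.cells[index % self.real]

def classify(index: int, data: bytes) -> str:
    if data == pattern(index):
        return "ok"
    stored = int.from_bytes(data[:8], "big")
    # A valid pattern for another index means a later write landed here.
    return "overwritten" if data == pattern(stored) else "corrupted"

def verify_capacity(drive) -> dict:
    """Fill the whole advertised range, then read every block back."""
    for i in range(drive.claimed):
        drive.write_block(i, pattern(i))
    counts = Counter(classify(i, drive.read_block(i)) for i in range(drive.claimed))
    return {
        "ok": counts["ok"],
        "overwritten": counts["overwritten"],
        "corrupted": counts["corrupted"],
        "usable_bytes": counts["ok"] * BLOCK,
        "genuine": counts["ok"] == drive.claimed,
    }

if __name__ == "__main__":
    print(verify_capacity(WrappingDrive(claimed=64, real=8)))   # fake
    print(verify_capacity(WrappingDrive(claimed=16, real=16)))  # honest
```

The read-back pass only starts after the entire advertised range has been written; checking each block immediately after writing it would pass on the simulated fake, which is why a quick copy test looks fine.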

This post isn’t really about the existence of fake USB sticks. The Facebook advert linked to this page: https://rdplummy.com/products/2tb-usb?variant=33660487303213. The footer claimed that the store was “Powered by Shopify”, and proceeding to the checkout page and inspecting network requests seemed to confirm this to be the case.

rdplummy network inspector showing Shopify requests

Having determined who was hosting the store, I decided to report it to Shopify as an acceptable use policy violation. They provide an easy-to-use form to do this. I have successfully reported phishing sites to hosting providers in the past, and was expecting it to be removed (or to at least hear back from them) very quickly. I made it clear in my report that the company was currently promoting the product via Facebook ads, and that I was concerned that people were actively being scammed.

A week passed by, and I heard nothing back, so I decided to Tweet Shopify (CCing their CEO) about it.

Despite Shopify replying to others on Twitter, I heard nothing back, so decided to DM them. I got a reply just 7 minutes later, asking me to report it as an AUP violation. I explained that I had already done this, and they assured me that “if you’ve filed the report then our internal team will be on it”, but that I wouldn’t hear anything back about the report unless they needed further information.

Twitter DMs with Shopify support

A week passed, and the page was still up. I sent another message, to be told that they had a queue of AUP reports which were being worked through as quickly as possible. Another 2 weeks passed, and I checked in again, only to be ignored. I then sent another message a week later, and another the following week. Meanwhile, I also periodically tweeted Shopify, Shopify Support, and some of the Shopify leadership team to try and get an update on the matter.

It is now a month and a half since my report, and I have given up trying to report this to Shopify. Having previously heard a lot of great things about the way Shopify does business, I was genuinely disappointed that the matter was handled so badly.

I can understand that Shopify may have been understaffed over the last few months, but if they have enough resources to provision new stores and handle other day-to-day operations, it is totally unacceptable for it to take months to take down a fraudulent store. Dealing with fraud should be a high priority, but my experience suggests that it is not.

There seem to be countless other Shopify stores selling fake USB sticks – a very superficial Google search turned up these results:

Shopify, please do better.