More PayPal emails hijacked to deliver tech support scams


Scammers have found another way to get deceptive messages delivered through PayPal’s legitimate services. In December 2025, we reported that PayPal closed a loophole that let scammers send real emails with fake purchase notices.

In those cases, scammers created a PayPal subscription and then paused it, which triggered PayPal’s genuine “Your automatic payment is no longer active” notification. They also set up a fake subscriber account, likely a Google Workspace mailing list, which automatically forwarded any email it received to all other group members. Recently, ConsumerWorld org alerted us that tech support scammers have found a way to manipulate the subject line of PayPal payment notifications.

Read more…
Source: Malwarebytes Labs


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Ukraine’s DELTA military system users targeted by info-stealing malware

    December 19, 2022

    A compromised Ukrainian Ministry of Defense email account was found sending phishing emails and instant messages to users of the ‘DELTA’ situational awareness program to infect systems with information-stealing malware. The campaign was highlighted in a report today by CERT-UA (Computer Emergency Response Team of Ukraine), which warned Ukrainian military personnel of the malware attack. DELTA is ...

  • CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange

    December 19, 2022

    At the end of September, GTSC reported an attack on critical infrastructure that took place in August. During the investigation, experts found that two 0-day vulnerabilities in Microsoft Exchange Server were used in the attack. The first one, later identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability that allows an authenticated attacker to ...

  • A Closer Look at Windows Kernel Threats

    December 19, 2022

    Windows kernel threats have long been favored by malicious actors because it can allow them to obtain high-privileged access and detection evasion capabilities. These hard-to-banish threats are still crucial components in malicious campaigns’ kill chains to this day. In fact, SentinelOne recently discovered malicious actors abusing Microsoft-signed drivers in targeted attacks against organizations in the ...

  • API Vulnerabilities Discovered in LEGO Marketplace

    December 19, 2022

    Application programming interface (API) security vulnerabilities have been discovered in a LEGO resale platform owned by LEGO® Group, which could have put sensitive customer information at risk. An investigation by Salt Security’s research team, Salt Labs, found two API security flaws within BrickLink, an online marketplace to buy and sell LEGO parts, Minifigures and sets, which ...

  • Restaurant CRM platform ‘SevenRooms’ confirms breach after data for sale

    December 18, 2022

    Restaurant customer management platform SevenRooms has confirmed it suffered a data breach after a threat actor began selling stolen data on a hacking forum. SevenRooms is a restaurant customer relationship management (CRM) platform used by international restaurant chains and hospitality service providers, such as MGM Resorts, Bloomin’ Brands, Mandarin Oriental, Wolfgang Puck, and many more. On December ...

  • Glupteba malware is back in action after Google disruption

    December 17, 2022

    The Glupteba malware botnet has sprung back into action, infecting devices worldwide after its operation was disrupted by Google almost a year ago. In December 2021, Google managed to cause a massive disruption to the blockchain-enabled botnet, securing the court orders to take control of the botnet’s infrastructure and filing complaints against two Russian operators. Nozomi now ...