Scammers have found another way to get deceptive messages delivered through PayPal’s legitimate services. In December 2025, we reported that PayPal closed a loophole that let scammers send real emails with fake purchase notices.
In those cases, scammers created a PayPal subscription and then paused it, which triggered PayPal’s genuine “Your automatic payment is no longer active” notification. They also set up a fake subscriber account, likely a Google Workspace mailing list, which automatically forwarded any email it received to all other group members. Recently, ConsumerWorld org alerted us that tech support scammers have found a way to manipulate the subject line of PayPal payment notifications.
Read more…
Source: Malwarebytes Labs
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure
October 31, 2022
While advanced persistent threats get the most breathless coverage in the news, many threat actors have money on their mind rather than espionage. You can learn a lot about the innovations used by these financially motivated groups by watching banking Trojans. Because attackers constantly create new techniques to evade detection and perform malicious acts, studying monetarily ...
- New Azov data wiper tries to frame researchers and BleepingComputer
October 30, 2022
A new and destructive ‘Azov Ransomware’ data wiper is being heavily distributed through pirated software, key generators, and adware bundles, trying to frame well-known security researchers by claiming they are behind the attack. The Azov Ransomware falsely claims to have been created by a well-known security researcher named Hasherazade and lists other researchers, myself, and BleepingComputer, ...
- Russian spies ‘hacked Liz Truss’s phone and stole sensitive messages’
October 29, 2022
Liz Truss had her phone hacked by Kremlin spies while she was working as foreign secretary, according to a report. The former prime minister’s personal messages with former chancellor Kwasi Kwarteng were raided, as well as sensitive details of international negotiations, it is claimed. Security services discovered the major security breach during the summer Tory leadership election, ...
- Cranefly: Threat Actor Uses Previously Unseen Techniques and Tools in Stealthy Campaign
October 28, 2022
Symantec, by Broadcom Software, has discovered a previously undocumented dropper that is being used to install a new backdoor and other tools using the novel technique of reading commands from seemingly innocuous Internet Information Services (IIS) logs. The dropper (Trojan.Geppei) is being used by an actor Symantec calls Cranefly (aka UNC3524), to install another piece of ...
- Joint CISA FBI MS-ISAC Guide on Responding to DDoS Attacks and DDoS Guidance for Federal Agencies
October 28, 2022
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint guide to provide organizations proactive steps to reduce the likelihood and impact of distributed denial-of-service (DDoS) attacks. These attacks can cost an organization time and money and may impose ...
- Defeating Guloader Anti-Analysis Technique
October 28, 2022
Unit 42 researchers recently discovered a Guloader variant that contains a shellcode payload protected by anti-analysis techniques, which are meant to slow human analysts and sandboxes processing this sample. To help speed analysis for this sample and others like it, we are providing a complete Python script to deobfuscate the Guloader sample that is available ...

