More PayPal emails hijacked to deliver tech support scams


Scammers have found another way to get deceptive messages delivered through PayPal’s legitimate services. In December 2025, we reported that PayPal closed a loophole that let scammers send real emails with fake purchase notices.

In those cases, scammers created a PayPal subscription and then paused it, which triggered PayPal’s genuine “Your automatic payment is no longer active” notification. They also set up a fake subscriber account, likely a Google Workspace mailing list, which automatically forwarded any email it received to all other group members. Recently, ConsumerWorld org alerted us that tech support scammers have found a way to manipulate the subject line of PayPal payment notifications.

Read more…
Source: Malwarebytes Labs


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Examining New DawDropper Banking Dropper and DaaS on the Dark Web

    August 2, 2022

    Malicious actors have been surreptitiously adding a growing number of banking trojans to Google Play Store via malicious droppers this year, proving that such a technique is effective in evading detection. Additionally, because there is a high demand for novel ways to distribute mobile malware, several malicious actors claim that their droppers could help other ...

  • Website of Taiwan’s presidential office receives overseas cyber attack

    August 2, 2022

    The website of Taiwan’s presidential office received an overseas cyber attack on Tuesday and was at one point malfunctioning, a source briefed on the matter said. The website was shortly brought back online, the source told Reuters. U.S. House of Representatives Speaker Nancy Pelosi was expected to arrive in Taipei later on Tuesday, people briefed on ...

  • Bot army risk as 3,000+ apps found spilling Twitter API keys

    August 2, 2022

    Want to build your own army? Engineers at CloudSEK have published a report on how to do just that in terms of bots and Twitter, thanks to API keys leaking from applications. Researchers at the company say they’ve uncovered 3,207 apps leaking Twitter API keys, which can be used to gain access to or even entirely ...

  • SolidBit Ransomware Enters the RaaS Scene and Takes Aim at Gamers and Social Media Users With New Variant

    August 2, 2022

    Trend Micro researchers recently analyzed a sample of a new SolidBit ransomware variant that targets users of popular video games and social media platforms. The malware was uploaded to GitHub, where it is disguised as different applications, including a League of Legends account checker tool (Figure 1) and an Instagram follower bot, to lure in ...

  • Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

    August 2, 2022

    Cisco Talos has discovered a relatively new attack framework called “Manjusaka” (which can be translated to “cow flower” from the Simplified Chinese writing) by their authors, being used in the wild. As defenders, it is important to keep track of offensive frameworks such as Cobalt Strike and Sliver so that enterprises can effectively defend against attacks ...

  • CISA and ACSC Release Top 2021 Malware Strains

    August 2, 2022

    CISA and the Australian Cyber Security Centre (ACSC) have published a joint Cybersecurity Advisory on the top malware strains observed in 2021. Malicious cyber actors often use malware to covertly compromise and then gain access to a computer or mobile device. As malicious cyber actors have been using most of these top malware strains for ...