More PayPal emails hijacked to deliver tech support scams


Scammers have found another way to get deceptive messages delivered through PayPal’s legitimate services. In December 2025, we reported that PayPal closed a loophole that let scammers send real emails with fake purchase notices.

In those cases, scammers created a PayPal subscription and then paused it, which triggered PayPal’s genuine “Your automatic payment is no longer active” notification. They also set up a fake subscriber account, likely a Google Workspace mailing list, which automatically forwarded any email it received to all other group members. Recently, ConsumerWorld org alerted us that tech support scammers have found a way to manipulate the subject line of PayPal payment notifications.

Read more…
Source: Malwarebytes Labs


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Countering hack-for-hire groups

    June 30, 2022

    As part of TAG’s mission to counter serious threats to Google and our users, we’ve published analysis on a range of persistent threats including government-backed attackers, commercial surveillance vendors, and serious criminal operators. Today, we’re sharing intelligence on a segment of attackers we call hack-for-hire, whose niche focuses on compromising accounts and exfiltrating data as ...

  • The SessionManager IIS backdoor

    June 30, 2022

    Following on from Kaspersky earlier Owowa discovery, Kaspersky researchers continued to hunt for more backdoors potentially set up as malicious modules within IIS, a popular web server edited by Microsoft. And they didn’t come back empty-handed… In 2021, Kaspersky noticed a trend among several threat actors for deploying a backdoor within IIS after exploiting one of ...

  • Hacking the Crypto-Monetized Web

    June 30, 2022

    The web is several decades old. But it largely still relies on the same method of monetization as it always has: advertising. However, things are changing thanks to the power of cryptocurrency and blockchain. It’s what Trend Micro has coined the “crypto-monetized web” (CMW). But where there’s money to be made and users to be ...

  • Burrowing your way into VPNs, Proxies, and Tunnels

    June 29, 2022

    When considering an attack lifecycle from an adversarial perspective, the adversary has a few options on how to proceed at each step. One of questions that needs to be answered is whether the adversary will use publicly known malware (i.e. BEACON), custom built-from-the-ground-up malware (i.e. HAMMERTOSS), or legitimate software and services (i.e. SoftEther Virtual Private ...

  • ZuoRAT is targeting routers to break into networks

    June 29, 2022

    A newly discovered remote access trojan (RAT) called ZuoRAT has targeted remote workers by exploiting flaws in often unpatched small office/home office (SOHO) routers. Researchers at Lumen’s Black Lotus Labs threat intelligence unit report that ZuoRAT is part of a highly targeted, sophisticated campaign that has been targeting workers across North America and Europe for nearly ...

  • FCC Commissioner urges Google and Apple to ban TikTok

    June 29, 2022

    “TikTok is not just another video app. That’s the sheep’s clothing.” That’s what Brendan Carr wrote in his tweet along with a copy of the letter he sent Apple and Google, asking the companies to remove TikTok from their app stores. The agency’s senior Republican commissioner references a recent BuzzFeed News report that examined leaked ...