Scammers have found another way to get deceptive messages delivered through PayPal’s legitimate services. In December 2025, we reported that PayPal closed a loophole that let scammers send real emails with fake purchase notices.
In those cases, scammers created a PayPal subscription and then paused it, which triggered PayPal’s genuine “Your automatic payment is no longer active” notification. They also set up a fake subscriber account, likely a Google Workspace mailing list, which automatically forwarded any email it received to all other group members. Recently, ConsumerWorld org alerted us that tech support scammers have found a way to manipulate the subject line of PayPal payment notifications.
Read more…
Source: Malwarebytes Labs
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Stolen Credentials Led to Data Theft at United Nations
September 10, 2021
A threat actor used stolen credentials from a United Nations employee to breach parts of the UN’s network in April and steal critical data, a spokesman for the intergovernmental organization has confirmed. That data lifted from the network can be used to target agencies within the UN, which already has experienced and responded to “further attacks” ...
- SOVA, Worryingly Sophisticated Android Trojan, Takes Flight
September 10, 2021
A new Android banking trojan named SOVA (“owl” in Russian) is under active development, researchers said, and it has big dreams even in its infancy stage. The malware is looking to incorporate distributed denial of service (DDoS), man in the middle (MiTM) and ransomware functionality into its arsenal – on top of existing banking overlay, ...
- Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs
September 9, 2021
Microsoft has disclosed the existence of a new zero-day vulnerability that affects multiple versions of Windows. This vulnerability (designated as CVE-2021-40444) is currently delivered via malicious Office 365 documents and requires user input to open the file to trigger. It should be noted that by default, Office documents downloaded from the internet are opened either ...
- Hackers leak passwords for 500,000 Fortinet VPN accounts
September 8, 2021
A threat actor has leaked a list of almost 500,000 Fortinet VPN login names and passwords that were allegedly scraped from exploitable devices last summer. While the threat actor states that the exploited Fortinet vulnerability has since been patched, they claim that many VPN credentials are still valid. This leak is a serious incident as the VPN ...
- AT&T Alien Labs warns of ‘zero or low detection’ for TeamTNT’s latest malware bundle
September 8, 2021
AT&T’s Alien Labs security division has sounded the alarm on a malware campaign from TeamTNT which, it claims, has gone almost entirely undetected by anti-virus systems – and which is turning target devices into cryptocurrency miners. Described by Alien Labs researcher Ofer Caspi as “one of the most active threat groups since 2020,” TeamTNT is known ...
- Russia’s Yandex suffers biggest cyberattack yet
September 8, 2021
Russian Internet corporation Yandex revealed on Tuesday that the company’s servers experienced the biggest known denial-of-service (DDoS) attack in Russia’s online space last weekend. Cloudflare, an American web infrastructure firm and a partner of Yandex confirmed the record large scale of the cyberattack. The spokesperson for Russia’s tech giant mentioned that a part of the nation’s ...

