More PayPal emails hijacked to deliver tech support scams


Scammers have found another way to get deceptive messages delivered through PayPal’s legitimate services. In December 2025, we reported that PayPal closed a loophole that let scammers send real emails with fake purchase notices.

In those cases, scammers created a PayPal subscription and then paused it, which triggered PayPal’s genuine “Your automatic payment is no longer active” notification. They also set up a fake subscriber account, likely a Google Workspace mailing list, which automatically forwarded any email it received to all other group members. Recently, ConsumerWorld org alerted us that tech support scammers have found a way to manipulate the subject line of PayPal payment notifications.

Read more…
Source: Malwarebytes Labs


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Stolen Credentials Led to Data Theft at United Nations

    September 10, 2021

    A threat actor used stolen credentials from a United Nations employee to breach parts of the UN’s network in April and steal critical data, a spokesman for the intergovernmental organization has confirmed. That data lifted from the network can be used to target agencies within the UN, which already has experienced and responded to “further attacks” ...

  • SOVA, Worryingly Sophisticated Android Trojan, Takes Flight

    September 10, 2021

    A new Android banking trojan named SOVA (“owl” in Russian) is under active development, researchers said, and it has big dreams even in its infancy stage. The malware is looking to incorporate distributed denial of service (DDoS), man in the middle (MiTM) and ransomware functionality into its arsenal – on top of existing banking overlay, ...

  • Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs

    September 9, 2021

    Microsoft has disclosed the existence of a new zero-day vulnerability that affects multiple versions of Windows. This vulnerability (designated as CVE-2021-40444) is currently delivered via malicious Office 365 documents and requires user input to open the file to trigger. It should be noted that by default, Office documents downloaded from the internet are opened either ...

  • Hackers leak passwords for 500,000 Fortinet VPN accounts

    September 8, 2021

    A threat actor has leaked a list of almost 500,000 Fortinet VPN login names and passwords that were allegedly scraped from exploitable devices last summer. While the threat actor states that the exploited Fortinet vulnerability has since been patched, they claim that many VPN credentials are still valid. This leak is a serious incident as the VPN ...

  • AT&T Alien Labs warns of ‘zero or low detection’ for TeamTNT’s latest malware bundle

    September 8, 2021

    AT&T’s Alien Labs security division has sounded the alarm on a malware campaign from TeamTNT which, it claims, has gone almost entirely undetected by anti-virus systems – and which is turning target devices into cryptocurrency miners. Described by Alien Labs researcher Ofer Caspi as “one of the most active threat groups since 2020,” TeamTNT is known ...

  • Russia’s Yandex suffers biggest cyberattack yet

    September 8, 2021

    Russian Internet corporation Yandex revealed on Tuesday that the company’s servers experienced the biggest known denial-of-service (DDoS) attack in Russia’s online space last weekend. Cloudflare, an American web infrastructure firm and a partner of Yandex confirmed the record large scale of the cyberattack. The spokesperson for Russia’s tech giant mentioned that a part of the nation’s ...