More PayPal emails hijacked to deliver tech support scams


Scammers have found another way to get deceptive messages delivered through PayPal’s legitimate services. In December 2025, we reported that PayPal closed a loophole that let scammers send real emails with fake purchase notices.

In those cases, scammers created a PayPal subscription and then paused it, which triggered PayPal’s genuine “Your automatic payment is no longer active” notification. They also set up a fake subscriber account, likely a Google Workspace mailing list, which automatically forwarded any email it received to all other group members. Recently, ConsumerWorld org alerted us that tech support scammers have found a way to manipulate the subject line of PayPal payment notifications.

Read more…
Source: Malwarebytes Labs


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • How hackers gain root access to SAP enterprise servers through SolMan

    August 5, 2020

    Researchers have demonstrated how a set of vulnerabilities in SAP Solution Manager could be exploited to obtain root access to enterprise servers. Speaking at Black Hat USA on Wednesday, Onapsis cybersecurity researchers Pablo Artuso and Yvan Genuer explained how the bugs were found in SAP Solution Manager (SolMan), a system comparable to Windows Active Directory. SolMan is ...

  • Canon hit by Maze Ransomware attack, 10TB data allegedly stolen

    August 5, 2020

    Canon has suffered a ransomware attack that impacts numerous services, including Canon’s email, Microsoft Teams, USA website, and other internal applications. BleepingComputer has been tracking a suspicious outage on Canon’s image.canon cloud photo and video storage service resulting in the loss of data for users of their free 10GB storage feature. The image.canon site suffered an outage ...

  • A Cyber ‘Vigilante’ is Sabotaging Emotet’s Return

    August 5, 2020

    The banking trojan Emotet has returned after a five-month hiatus. But, in an amusing twist, one cyber vigilante is thwarting the malware’s comeback. Researchers say a mysterious vigilante is fighting the threat actors behind the malware’s comeback by replacing malicious Emotet payloads with whimsical GIFs and memes. “Emotet was finding default username and password WordPress installs ...

  • Hacker leaks passwords for 900+ enterprise VPN servers

    August 5, 2020

    A hacker has published today a list of plaintext usernames and passwords, along with IP addresses for more than 900 Pulse Secure VPN enterprise servers. ZDNet, which obtained a copy of this list with the help of threat intelligence firm KELA, verified its authenticity with multiple sources in the cyber-security community. According to a review, the list ...

  • Lost in Translation: When Industrial Protocol Translation goes Wrong

    August 5, 2020

    Translation makes it possible to exchange information across the globe, regardless of language differences. Translation plays a similar role in industrial internet of things (IIoT) environments where different devices, such as interfaces, sensors, and machines, use different protocols. Protocol gateways handle the translation of these different protocols in an industrial facility, allowing devices to communicate ...

  • Iranian hacker group becomes first known APT to weaponize DNS-over-HTTPS (DoH)

    August 4, 2020

    An Iranian hacking group known as Oilrig has become the first publicly known threat actor to incorporate the DNS-over-HTTPS (DoH) protocol in its attacks. Speaking in a webinar last week, Vincente Diaz, a malware analyst for antivirus maker Kaspersky, said the change happened in May this year when Oilrig added a new tool to its hacking ...