- Fraudsters abuse PayPal’s subscription feature to inject phishing messages into legitimate PayPal emails
- A manipulated customer service URL and forwarding through a Google Workspace mailing list spread the fake messages widely
- PayPal says it’s fixing the problem and urges users to treat unexpected subscription emails with caution
Fraudsters use PayPal’s “Subscriptions” feature to send convincing phishing emails and trick users into giving away access to their accounts on the platform.
Subscriptions is a feature that lets businesses bill customers automatically on a fixed schedule. Customers sign up once and accept recurring payments, which PayPal then processes automatically.
If the company cancels a person’s subscription, that person is notified by an email that comes directly from PayPal’s servers and is therefore authenticated as a genuine paypal.com message, so it passes most email security checks.
Abuse of mailing lists
So how do fraudsters abuse this feature?
As BleepingComputer explains, the email contains a customer service URL that the crooks somehow managed to change to include the phishing message. At this time it is unknown how they achieved it; it is speculated that they are either abusing a bug in how PayPal handles subscription metadata, or using an API or an older version of the platform.
The message contains phishing content that we are used to seeing in these scams – warning recipients that they have purchased an expensive item and that if they wish to cancel the order, they should call PayPal at the phone number provided in the message.
However, this still does not answer the question of how victims received this message if they never subscribed to a particular company.
Apparently the original email is sent to only one address – “[email protected]”. The researchers believe this is a Google Workspace mailing list that automatically forwards the email to all other group members, who in this case are the victims.
“This forwarding may cause all subsequent SPF and DMARC checks to fail as the email was forwarded by a server that was not the original sender,” the publication wrote.
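The two signals described above (a genuine PayPal notice that arrives second-hand through a mailing list, and a phone-number lure pasted into a merchant-controlled field) can be checked mechanically at the mail gateway. The script below is an added example written for this page, not code from PayPal or BleepingComputer. The two messages it parses are constructed samples modelled on the campaign: the hostnames, addresses, list name and phone number are invented, and the exact layout of the injected text in a real PayPal notice is an assumption.

```python
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr

# Constructed sample (not a real message): a genuine-looking PayPal cancellation
# notice addressed to one mailing-list address, relayed by the list to the
# victim, with the call-back lure pasted into a merchant-controlled field.
PHISH_EML = """Delivered-To: victim@example.net
Received: from list-relay.example.com (list-relay.example.com [192.0.2.10])
 by mx.example.net with ESMTPS; Tue, 18 Mar 2025 09:12:44 +0000
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com header.i=@paypal.com
List-Id: Billing notices <billing.example.com>
Precedence: list
From: service@paypal.com
To: billing@example.com
Subject: Your subscription has been cancelled
Content-Type: text/plain; charset="utf-8"

Hello,

Example Merchant has cancelled your subscription.

Customer service: Your order of $1,299.99 has been processed. To cancel
this order, call PayPal at 1-800-555-0199 within 24 hours.
"""

# Constructed benign control: delivered directly to the named recipient, no lure.
BENIGN_EML = """Delivered-To: victim@example.net
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com
From: service@paypal.com
To: victim@example.net
Subject: Your subscription has been cancelled
Content-Type: text/plain; charset="utf-8"

Example Merchant has cancelled your subscription. Log in to your account
to review your subscriptions.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
PHONE_RE = re.compile(r"(?:\+?1[-.\s]?)?(?:\(\d{3}\)|\d{3})[-.\s]?\d{3}[-.\s]?\d{4}")
CALLBACK_RE = re.compile(r"\b(?:call|phone|dial)\b", re.I)
LURE_RE = re.compile(r"\b(?:cancel|refund|dispute|unauthori[sz]ed)\b", re.I)


def auth_results(msg) -> dict:
    """Reduce Authentication-Results headers to {method: result}, e.g. {'spf': 'fail'}."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(str(header)):
            found.setdefault(method.lower(), result.lower())
    return found


def analyze(raw: str) -> dict:
    """Score one raw RFC 5322 message for the pattern described in the article:
    a real PayPal notice, relayed through a list, carrying a call-back lure.
    Each signal is returned separately so a rule engine can weight them."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    named = {addr.lower() for _, addr in
             getaddresses([str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])])}
    delivered = parseaddr(str(msg.get("Delivered-To", "")))[1].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""

    signals = {
        # DKIM survives an unmodified forward, SPF does not: the fingerprint of
        # a genuine message that reached this mailbox second-hand.
        "forwarded_authentic": auth.get("dkim") == "pass" and auth.get("spf") == "fail",
        # Relayed by a list, or this mailbox was never a named recipient.
        "list_relay": msg.get("List-Id") is not None
                      or str(msg.get("Precedence", "")).lower() == "list"
                      or (bool(delivered) and delivered not in named),
        # A phone number next to "call" and "cancel/refund" is the call-back lure.
        "callback_lure": bool(PHONE_RE.search(text) and CALLBACK_RE.search(text)
                              and LURE_RE.search(text)),
        "from_domain": from_domain,
    }
    # A paypal.com-authenticated notice that asks you to phone a number is the attack itself.
    signals["suspicious"] = (from_domain == "paypal.com" and signals["callback_lure"]
                             and (signals["forwarded_authentic"] or signals["list_relay"]))
    return signals


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(label, analyze(raw))
```

The point of keeping the signals separate is that none of them is damning alone: plenty of legitimate mail arrives through lists with a failing SPF check, and PayPal's own notices contain phone numbers. It is the combination of a paypal.com-signed message, a relay the recipient never subscribed to, and a "call this number to cancel" instruction that marks this campaign.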
PayPal was notified of the abuse and confirmed it is currently working on a fix:
“PayPal does not tolerate fraudulent activity and we work hard to protect our customers from ever-evolving phishing scams,” PayPal told BleepingComputer.
“We are actively mitigating this case and encourage people to always be vigilant online and aware of unexpected messages. If customers suspect they are the target of a scam, we recommend contacting customer support directly through the PayPal app or our contact page for assistance.”



