In a new twist, it seems like the actors are sending emails to you through some kind of mailing list, as the article talks about a new TLD called institute.
I don’t know if this is mainly a forwarder or what, but I know that we called this, the fact that new TLD applications we are not taking advantage of.
Jaws picture smart for this says:
The image shows an email notification from “” confirming that a new address was added to a PayPal account. It states that shipping details for a MacBook M4 Max costing $1123.98 have been updated. The provided details include the recipient’s name as “Billing Team” and the address as the Apple Store, 7535 Dadeland Mall, Los Angeles, CA, USA. It advises contacting PayPal support if the change wasn’t authorized and provides instructions for managing the address through the PayPal profile.
Paypal’s phone number is (402) 935-7733 or (888) 221-1161. It is advisable not to call any other toll-free number for Paypal, as this article states, it wants you to download Connect Wise, which we’ve talked about in multiple articles.
Picture smart says:
The image shows a web browser window with the URL “https://kdhelp.site” visible. There are two informational sections with numbered icons and text. It also shows a pop-up dialog box in the foreground titled “Opening support.Client.exe.” The box indicates that it’s an executable file of 82.4 KB from “lokermy.numaduliton.icu” and asks, “Would you like to save this file?” It has two buttons: “Save File” and “Cancel.”
That TLD .icu is one I’ve seen in many spam messages, and I know 0 legitimate .icu domains. If I had my way, I’d be blocking the entire .icu TLD from my server, but I’m not on my own server, so I’m not going to do such a thing.
PayPal needs to really clean up their email foow. The article talks about how this attack is possible, and you’ll want to pay attention.
Remember, just because you get an email indicating you made a purchase, doesn’t mean you did it. Your account will tell you and you should use Paypal’s site directly to log in.
They’re really becoming clever to get people to click now, be on the watch.
Here are the headers that Bleeping Computer saw.
Received: from mx1.phx.paypal.com (mx1.phx.paypal.com. [66.211.170.87])
by mx.google.com with ESMTPS id 41be03b00d2f7-addf237d3e1si10521113a12.387.2025.02.18.07.30.09
for noreply_@usaea.institute
It was unclear at first how these legitimate emails were being sent from PayPal until we noticed this text at the bottom of the email.
“If you want to link your credit card to this address, or make it your primary address, log in to your PayPal account and go to your Profile,” reads the PayPal email notification.
“Since this address is a gift address, you can send packages to it with just a click.”
Further research revealed that “gift addresses” are just additional addresses you can add to your PayPal profile.
In a test, BleepingComputer added a new address to one of our accounts and pasted the scammer’s fake MacBook purchase confirmation message into the Address 2 field.
After saving the address, PayPal sent us the same confirmation email, notifying us of the new address we added, which also included the fake purchase message.
Now that we know how they are generating the email from PayPal, we still do not know how they are getting PayPal to send it to all of the targets.
Upon further analysis of the mail headers, we can see that the email is actually being sent to the address “,” which is the email address associated with the scammer’s PayPal address.
The headers further show that this email address automatically forwards the email it receives to “”, an account associated with a Microsoft 365 tenant.
This account is likely a mailing list, which automatically forwards any email it receives to all other group members. In this case, the members are you and I, the scammer’s targets.
Bleeping computer also writes:
To fix this, PayPal needs to restrict the number of characters in the address field to a reasonable character count, like 50 characters, if not less.
To read the entire artivle icle
Beware: PayPal “New Address” feature abused to send phishing e as we need to be aware of what is going on around here.
Make it a great day.
Discover more from Jared's Technology podcast network
Subscribe to get the latest posts sent to your email.
Yeah I don’t get this but I do pay on paypal and if I know what I am getting I know.
This scam stuff is about.