PayPal ‘You Sent a Payment’ Malware Emails

by Brett M. Christensen


Emails purporting to be from PayPal claim that the recipient has sent a payment to a person or vendor. The recipient is instructed to click a link to view or confirm transaction details.

Brief Analysis

The emails are not from PayPal and the claim that a payment has been sent from the recipient’s account is a lie. Links in the emails open compromised websites that harbour information-stealing malware.


Subject: You’ve sent a payment

You sent a payment Transaction ID: 4BK71319AT361831A

Dear PayPal Customer,
You sent a payment for 931.09 AUD to Ray [Surname Removed].

Please note that it may take a little while for your payment to appear in the Recent Activity list on your Account Overview. View the details of this transaction online

Your monthly account statement is available anytime; just log in to your account at [link removed]. To correct any errors, please contact us through our Help Centre at
[Link Removed]

Amount: 931.09 AUD
Sent on: 30 May 2012
Payment method Credit Card Payment
Kind regards,

PayPal Malware Email 1


Subject: Receipt for your payment to AVG

Hello Member,

You sent a payment of 90.00 USD to AVG.

This charge will appear on your credit card statement as payment to PAYPAL *AVGANTS

Seller AVG Technologies

Note to seller You haven’t included a note

. Description Unit price Qty Amount

AVG Anti-Virus 2012 45.00 USD 2 45.00 USD
Shipping and handling 0.00 USD
Tax 0.00 USD

Total 90.00 USD

Do you confirm this payment?
If this payment was not made by you please immediately take the following steps:

* Login to your account by clicking on the link below :
* Provide requested information to ensure you are the owner of the account
* After you did the previous steps the order will be cancelled.
* We will refund your money to you and the payment will deleted from transactions history.


PayPal Malware email 2


Detailed Analysis

According to these fraudulent emails, the recipient has recently sent a substantial payment via his or her PayPal account. Details in the scam emails vary, with some claiming that the money has been sent to purchase software or other items while others claim that the money has been sent directly to a named individual.

The messages are designed to look like genuine PayPal emails and include seemingly genuine PayPal logos and formatting. The emails use spoofed addresses to make it appear that they have been sent from 
However, the emails are not from PayPal and the claims that the recipient has sent a payment via PayPal are untrue. In fact, all links in the bogus emails open compromised websites that ask the user to wait while the page finishes loading.

But, alas, the PayPal website will not load as the user expects. Instead, the page will automatically redirect the visitor to another website that contains a version of the BlackHole Exploit Kit. BlackHole is a web application used by criminals to exploit browser vulnerabilities as a means of downloading and installing trojans and other types of malware.

The criminals responsible for this operation hope that at least a few recipients will be panicked into clicking the links in the bogus emails in the mistaken belief that their PayPal account or credit card has been compromised. If a recipient does fall for the ruse and follows one of the links, a trojan may be downloaded and installed on his or her computer. This trojan may monitor web browser use and collect usernames and passwords, including online banking login details. This information can then be sent back to the criminals.

Online criminals have recently carried out a number of similar attacks with the aim of fooling users into visiting websites that host the BlackHole Exploit Kit. At the time of writing, bogus Verizon Wireless bills that lead to BlackHole Exploit Kit sites continue to be distributed.

Earlier in 2012, a series of malware emails purporting to be airline flight confirmation messages again pointed recipients to compromised sites that harboured BlackHole. And, in December 2011, fake order notifications were distributed that also contained links to BlackHole websites.

BlackHole is a widely used criminal toolkit and such attacks are likely to continue. Be very cautious about clicking links in emails, even if they appear to be legitimate. Some such attacks are quite sophisticated and it may be difficult – at least without careful examination – to tell the difference between a bogus email and a genuine notification.

Rather than click on email links, it is safer to open your browser and go to the service provider’s website directly by entering the web address. And, of course, always ensure that you have installed the latest security updates for your browser and operating system and have up-to-date antivirus and anti-malware protection on your computer.
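The "careful examination" described above can be partly automated on the receiving side. The following is an added example, not part of the original article: it checks a message that claims to be from PayPal for a From domain that did not pass DMARC and for links whose host is not under the brand's domain. The sample message, the sender address, the `.example` hosts and the `BRAND_DOMAINS` set are constructed assumptions.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND_DOMAINS = {"paypal.com"}  # assumption: domains the genuine sender links to

class LinkCollector(HTMLParser):  # collects the href of every <a> tag
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def on_brand_domain(host):
    """True only for a brand domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def review_message(raw):
    """Return findings for a message that claims to come from the brand."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0].domain if msg["From"] else ""
    # Simplified substring check; trust only headers added by your own mail server.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if on_brand_domain(sender) and "dmarc=pass" not in auth:
        findings.append(f"From claims {sender} but DMARC did not pass")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href in collector.hrefs:
        host = urlsplit(href).hostname
        if not on_brand_domain(host):
            findings.append(f"link leaves brand domain: {host}")
    return findings

# Constructed sample message; the address and .example hosts are placeholders.
SAMPLE = """\
From: PayPal <notice@paypal.com>
Subject: You've sent a payment
Authentication-Results: mx.recipient.example; spf=fail; dmarc=fail
Content-Type: text/html; charset="utf-8"

<a href="http://compromised-site.example/index.html">View the details</a>
<a href="http://paypal.com.account-check.example/">Help Centre</a>
<a href="https://www.paypal.com/">PayPal</a>
"""
```

`review_message(SAMPLE)` returns three findings: the unauthenticated From domain and the two links whose hosts are not under paypal.com, including the one that only starts with the brand name.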
