Mass newsletter spam and the Paypal account hack

[German]Today a security issue, which was brought to me by a blog reader. A user was spammed with newsletter subscriptions. And at the end of the day it turned out to be a hack of his PayPal account.


German blog reader Markus Weis runs an IT service and we have been in contact for a long time. Markus has already left several notes within my German blog with tips about computer issues. Recently he contacted me by mail with a strange observation.

Massive newsletter spam at a customer

Markus wrote in his first mail: Have you ever seen anything like this before? … or heard about recent similar incidents/victims? He referred to his German blog post Formularspambot läuft Amok? Nutzer erhält tausende eMails mit Newsletteranmeldungen (Newsletter Signup Confirmation Spam). The short version:

A very special help call from a customer reached him recently (February 5, 2020): "Help, our mailbox has been flooded for hours with tens of thousands of emails (newsletter subscriptions, contact form replies) of various origins.

Markus then checked that case and wrote that there are probably spambots active, that exploit/test the contact forms of homepages and abuse them to send spam. This is well known (the CGI script is abused to send spam). But this does not explain what happened at the customer's site. Markus writes about this:

After about 100 random samples it was clearly recognizable that these were primarily genuine newsletter registration confirmation e-mails ("Spam Signups").

That the emails were not fake emails became clear quite quickly when we tried to register for 10 randomly selected newsletters on the homepage of the respective providers. In the concrete case of our customer, more than 8000 such Mails arrived within 5 hours, from all imaginable countries in all imaginable languages: German, English, Spanish, Scandinavian, Dutch, French, Italian, Russian, Chinese, Arabic etc.

I hadn't seen such a thing yet and I couldn't really make sense of it. One thought would be that such a blackmail attempt would be prepared by spam bot: Pay the amount X, if you want to be spared from this newsletter spam. But the explanation is much easier …

Resolution: PayPal hack as cause

I had agreed with Markus to address the topic in my blog, when a second mail reached me. Marcus told me, that he found the reason for this behavior, and even less pleasant. In an addendum to his German blog post Markus reveals the details:


As it turned out in retrospect, the victim's Paypal account was abused; unfortunately the customer had

1) conveniently uses a password for his Paypal account, which he also used on other platforms

2) in the Paypal account and the 2-factor authentication is not activated.

Between the thousands of spam mails were the three Paypal e-mails with the abusive payments/orders.

At this point the whole thing makes sense. Markus writes about this in his blog post:

In order that the emails sent by Paypal of the fraudulent Paypal payment do not attract the attention of the victim, the victim is simply flooded with thousands of emails in which the Paypal mails are buried.

The mass e-mail traffic is over after a few days, because then the goods ordered at a third party's expense have arrived at their destination.

Since the scammers had no access to the victim's mail account, they could not delete the emails that would have revealed dubious transactions on the victim's Paypal account.

So the scammers went for Plan B: …  they flooded the victim's mailbox to make him miss certain e-mails.

The scammers had the work done by a spambot, which abused poorly secured, captcha-less newsletter registration forms. What was also noticed with this approach: How many newsletters there are still that are not GDPR-compliant without double-optin. Thanks to Markus Weiss for the hint – maybe it helps somebody of you.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *