Security researchers have discovered a coordinated attack campaign targeting Google’s advertising ecosystem and PayPal’s merchant tools to steal sensitive user data. The operation begins with threat actors deploying Google Search ads that mimic PayPal’s branding, including logos and meta descriptions. These ads exploit a loophole in Google’s Misleading Ad Design policy, which allows ads to use subdomains under paypal.com. These malicious ads lead to fraudulent payment pages, generated via PayPal’s no-code checkout system, that mimic legitimate PayPal payment forms but include customized fields prompting users to call spoofed customer support numbers.
The attack is particularly effective on mobile devices, where screen size constraints prevent users from easily verifying URLs.
In fact, 78% of the victims identified in a 2025 Malwarebytes analysis were mobile users. These fraudulent pages, although hosted on PayPal’s infrastructure, appear legitimate because they carry PayPal’s domain and TLS certificates. They also evade traditional phishing detection because they are built with a legitimate platform feature, PayPal’s no-code checkout tool, so the attackers need no code of their own.
Researchers point out that this attack highlights vulnerabilities in Google and PayPal’s platforms, particularly in their ad and payment systems. Google’s ad policy loopholes and PayPal’s lack of algorithmic checks in the no-code checkout tool allowed the attackers to bypass security measures. Although Google introduced AI-powered landing page quality models in 2025, these still failed to flag the fraudulent pages due to their hybrid structure, which complied with the Site Reputation Abuse policy. Meanwhile, PayPal lacked safeguards for fraudulent inputs in payment form text fields, allowing attackers to easily insert deceptive customer support contact information.
In response, PayPal temporarily disabled custom text fields in no-code checkout pages and introduced real-time language processing to detect fraudulent support numbers.
Google has also accelerated its efforts to improve ad policy enforcement using adversarial machine learning techniques. Experts advise organizations that accept PayPal payments to monitor transactions closely for unusual payloads and implement additional user verification methods. End users should avoid calling support numbers embedded in payment forms and rely on official PayPal portals to avoid falling victim to such scams.
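A field-level check of the kind the article says PayPal lacked, written here as an added example (not PayPal’s or Google’s code): it flags a custom checkout field only when a phone-number-like run, including digit lookalikes such as `8OO`, appears together with a support-call lure, so a buyer’s own contact number is not flagged. The sample fields and 555 numbers are constructed.

```python
import re

# Letters commonly substituted for digits to slip past naive number filters ("8OO", "l-800").
_DIGIT_LOOKALIKES = str.maketrans({"O": "0", "o": "0", "l": "1", "I": "1"})

# Words that turn a phone number on a payment form into a support lure.
_LURE_TERMS = ("call", "support", "helpline", "verify", "refund", "agent", "contact")

# Optional +1 prefix, then two groups of three and one of four digit-like characters.
_PHONE_RE = re.compile(
    r"(?:\+?1[\s.\-()]*)?(?:\(?[0-9OoIl]{3}\)?[\s.\-]*){2}[0-9OoIl]{4}"
)


def extract_phone_numbers(text: str) -> list[str]:
    """Return normalized 10- or 11-digit strings for phone-like runs in text."""
    found = []
    for m in _PHONE_RE.finditer(text):
        raw = m.group(0)
        # Require mostly real digits so letter runs like "Ill" cannot form a number.
        if sum(c.isdigit() for c in raw) < 7:
            continue
        digits = re.sub(r"\D", "", raw.translate(_DIGIT_LOOKALIKES))
        if 10 <= len(digits) <= 11:
            found.append(digits)
    return found


def assess_checkout_field(label: str, value: str) -> dict:
    """Flag a custom checkout field when a phone number appears next to a lure term."""
    text = f"{label} {value}"
    lowered = text.lower()
    phones = extract_phone_numbers(text)
    lures = [t for t in _LURE_TERMS if re.search(rf"\b{t}\b", lowered)]
    return {"label": label, "phone_numbers": phones, "lure_terms": lures,
            "flagged": bool(phones and lures)}


# Constructed sample fields; the phone numbers are fictitious 555 numbers.
SAMPLE_FIELDS = [
    ("Order note", "Payment on hold. Call PayPal support at 1-8OO-555-0199 to verify."),
    ("Gift message", "Happy birthday! Delivery on 2025-03-14."),
    ("Delivery note", "Reach me at (415) 555-0133 with delivery questions."),
]

if __name__ == "__main__":
    for label, value in SAMPLE_FIELDS:
        print(assess_checkout_field(label, value))
```

The third sample shows why the lure term is required: a number alone is normal buyer input, and flagging it would break legitimate checkouts.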