The insidious aspect is that the attack uses a fake PayPal payment window, perfectly superimposed on a legitimate page, in order to deceive users. The technique, known as clickjacking, was demonstrated and the bug reported to PayPal's bug fixing program several months ago, but it appears that the flaw has not yet been fixed.
Furthermore, it seems that the same vulnerability can be exploited to subscribe to services that allow payments via PayPal. The researcher has posted a video on YouTube showing a Proof of Concept of the exploit, which can be viewed above. As we said, PayPal has not yet intervened at the moment, and the bug report has not been rewarded as expected under the company's bug hunt program.
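Clickjacking of the kind described above depends on the sensitive page being renderable inside another site's frame, which a site prevents with the `Content-Security-Policy: frame-ancestors` directive or the older `X-Frame-Options` header. The following is an added example, not code from the article, the researcher or PayPal: a header audit whose function names (`headerValues`, `frameAncestors`, `auditFraming`) are hypothetical and which treats conflicting `X-Frame-Options` values as unprotected, a conservative assumption.

```javascript
// Added example: audit response headers for anti-framing (clickjacking) protection.
function headerValues(headers, name) {
  // Header names are case-insensitive; a value may be a string or an array,
  // and one header line may carry several comma-separated values.
  return Object.entries(headers)
    .filter(([k]) => k.toLowerCase() === name)
    .flatMap(([, v]) => (Array.isArray(v) ? v : [v]))
    .flatMap((v) => String(v).split(','))
    .map((v) => v.trim())
    .filter(Boolean);
}

function frameAncestors(policy) {
  // Source list of the first frame-ancestors directive in one policy, or null.
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources.map((s) => s.toLowerCase());
  }
  return null;
}

function auditFraming(headers) {
  const findings = [];
  const lists = headerValues(headers, 'content-security-policy')
    .map(frameAncestors).filter((l) => l !== null);
  if (headerValues(headers, 'content-security-policy-report-only').some((p) => frameAncestors(p)))
    findings.push('frame-ancestors in a Report-Only policy is not enforced');
  if (lists.length > 0) {
    // When frame-ancestors is present browsers ignore X-Frame-Options, so the
    // CSP alone decides. Every enforced policy applies: one strict list suffices.
    const open = (l) => l.some((s) => s === '*' || /^https?:$/.test(s));
    const restrictive = lists.some((l) => !open(l));
    if (!restrictive) findings.push('frame-ancestors allows any origin');
    return { protected: restrictive, via: 'csp', findings };
  }
  const xfo = headerValues(headers, 'x-frame-options').map((v) => v.toUpperCase());
  const distinct = [...new Set(xfo)];
  if (distinct.length === 1 && ['DENY', 'SAMEORIGIN'].includes(distinct[0]))
    return { protected: true, via: 'x-frame-options', findings };
  if (xfo.some((v) => v.startsWith('ALLOW-FROM')))
    findings.push('ALLOW-FROM is obsolete and ignored by current browsers');
  else if (distinct.length > 1) findings.push('conflicting X-Frame-Options values');
  else findings.push('no effective X-Frame-Options value');
  return { protected: false, via: null, findings };
}
```

Pass it the headers of any response that renders a payment or subscription confirmation; a result of `protected: false` means the page can be embedded by a third-party origin.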