It looks like a real PayPal feature they're abusing by inserting their phishing message into a generic message field. They're aiming to get you to call that number.<p>No compromised cert needed.
Hrm, they didn't respond to their Akamai being hackable in a satisfactory way. Researchers made a new page and inserted it into their paypal.com <a href="https://twit.tv/shows/security-now/episodes/891?autostart=false" rel="nofollow">https://twit.tv/shows/security-now/episodes/891?autostart=fa...</a>
Cert? That's an email. It's quite easy to change the mail from to be anything you want. Have a look at the DMARC fields if you want to be sure. Although I'm pretty sure that PayPal always addresses the customer with their actual name...
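
An added example, not part of the thread: one way to "look at the DMARC fields" is to read the `Authentication-Results` header that your own receiving mail server stamped on the message and compare it with the visible From domain. The sample message, the server name `mx.example.net` and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real PayPal email). mx.example.net is a
# hypothetical receiving server; the second header is sender-supplied.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.example.org;
 dkim=none;
 dmarc=fail (p=REJECT) header.from=paypal.com
Authentication-Results: attacker.invalid; dmarc=pass header.from=paypal.com
From: "PayPal" <service@paypal.com>
To: user@example.net
Subject: Invoice

Call this number about your invoice.
"""

def auth_verdicts(raw, trusted_authserv_id):
    """Return SPF/DKIM/DMARC results from the trusted server's header only."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    v = {"from_domain": from_domain, "spf": None, "dkim": None,
         "dmarc": None, "dmarc_domain": None}
    for header in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(header.split())          # undo header folding
        authserv, _, results = unfolded.partition(";")
        tokens = authserv.split()
        # Anyone can add this header; trust only the one our server wrote.
        if not tokens or tokens[0].lower() != trusted_authserv_id.lower():
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results):
            if v[method] is None:
                v[method] = result.lower()
        m = re.search(r"\bheader\.from=([\w.-]+)", results)
        v["dmarc_domain"] = m.group(1).lower() if m else None
        break  # the receiving server prepends, so the first match is its own
    return v

def from_is_authenticated(raw, trusted_authserv_id):
    """True only if DMARC passed for the same domain shown in From."""
    v = auth_verdicts(raw, trusted_authserv_id)
    return v["dmarc"] == "pass" and v["dmarc_domain"] == v["from_domain"]

if __name__ == "__main__":
    print(auth_verdicts(SAMPLE, "mx.example.net"))
    print(from_is_authenticated(SAMPLE, "mx.example.net"))
```

A `pass` only shows the message came through the From domain's own mail infrastructure; a message generated by abusing a genuine feature of the service, as the first comment describes, would still pass.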