Some Subway customers in the UK were exposed to a phishing email attack, it has been revealed. Malware called TrickBot was found in dangerous links included in emails sent to Subcard loyalty card holders, which customers were encouraged to click.
The emails, which were reported by computer security site, Bleeping Computer, used subject lines like “Your order is being processed” and “We’ve received your order.” The address the malicious messages were sent from was [email protected]
The scam emails direct the recipients to click on links, which say, “Your order documents are ready and awaiting confirmation. See also Order Insurance Documents.”
Bleeping Computer explains that “these links lead to various hacked websites that will bring you to a ‘FreshBooks’ phishing page when clicked on.”
What is TrickBot?
“When installed, TrickBot performs a variety of malicious behaviour, including spreading through a network, stealing saved credentials in browser, steaking Active Directory Services databases, stealing cookies and OpenSSH keys, stealing RDP, VNC, and PuTTY Credentials, and much more,” explained Bleeping Computer.
“Even worse, TrickBot partners with ransomware operators, such as Ryuk, to access a compromised network to deploy ransomware.”
What has Subway said?
On Twitter, the official Subway account replied to a tweet from a customer regarding the email.
The customer said, “@SUBWAY @SubwayUK Got an email from your Subcard address regarding an order and insurance docs to download? You might want to look into this as it's evident other people have had it as well?”
Subway replied, writing, “Thanks for bringing this to our attention, we are aware of some disruption to our email systems and understand some of our guests have received an unauthorised email.
“We apologise for any inconvenience, as a precautionary measure, please delete the email.”
Later, the company issued a statement about the issue, saying, “Having investigated the matter, we have no evidence that guest accounts have been hacked.
“However, the system which manages our email campaigns have been compromised, leading to a phishing campaign that involved first name and email.
“The system does not hold any bank or credit card details. Crisis protocol was initiated and compromised systems locked down.
“The safety of our guests and their personal data is our overriding priority and we apologise for any inconvenience this may have caused.”