Subway UK Customers Targeted By Trickbot Hackers

Trickbot malware campaign uses names harvested from Subway loyalty card programme as sandwich chain acknowledges email systems ‘disruption’

Subway customers in the UK are being targeted by scammers as part of a phishing scheme, users have said on social media.

The scam emails include users’ names, indicating that hackers may have gained access to Subway customer data.

In some cases, users said the email had been sent to an address they had only used for Subway’s Subcard loyalty programme.

Subway has not disclosed how the malicious third parties gained access to the data.

‘Disruption’

But it acknowledged “disruption” to its email systems.

“We are aware of some disruption to our email systems and understand some of our guests have received an unauthorised email,” the company said in a statement.

It apologised for the inconvenience and advised users to delete the email.

The scam was earlier reported by Bleeping Computer, which said the email links to documents that contain the Trickbot credential-stealing malware.

Besides stealing login details saved in browsers, Active Directory Services databases, cookies and OpenSSH keys, amongst other credentials, Trickbot also attempts to automatically install itself on other systems on the same network.

Trickbot’s creators have also been known to deploy ransomware from third parties, such as Ryuk, on compromised systems.

‘Insurance documents’

The emails themselves do not contain malware, but link to scam websites that provide links to malicious documents posing as a “statement” or as “insurance documents”.

When downloaded, the document tells users to “Enable Editing” and “Enable Content” in order to view the contents of the document.

These steps activate malicious macros that download and install Trickbot on Windows systems.

Trickbot installs itself within the legitimate Windows Problem Reporting process in order to conceal itself, but can be detected and removed by antivirus scanners.

Trickbot

In October, Microsoft said it worked with US authorities to disrupt Trickbot’s back-end infrastructure, but acknowledged the malware is constantly evolving.

Microsoft said at the time that Trickbot had used topical events such as the Covid-19 pandemic as lures in its widespread phishing campaigns.

The malware’s operators have infected more than one million systems since 2016, including devices such as routers, and typically sell access to compromised systems to third parties.

The malware has been known to target the financial services industry, amongst others.