Subway UK Customers Targeted By Trickbot Hackers

Subway customers in the UK are being targeted by scammers as part of a phishing scheme, users have said on social media.

The scam emails include users’ names, indicating that hackers may have gained access to Subway customer data.

In some cases, users said the email had been sent to an address they had only used for Subway’s Subcard loyalty programme.

Subway has not disclosed how the malicious third parties gained access to the data.


But it acknowledged “disruption” to its email systems.

“We are aware of some disruption to our email systems and understand some of our guests have received an unauthorised email,” the company said in a statement.

It apologised for the inconvenience and advised users to delete the email.

The scam was earlier reported by Bleeping Computer, which said the email links to documents that contain the Trickbot credential-stealing malware.

Besides stealing login details saved in browsers, Active Directory Services databases, cookies and OpenSSH keys, amongst other credentials, Trickbot also attempts to automatically install itself on other systems on the same network.

Trickbot’s creators have also been known to deploy ransomware from third parties, such as Ryuk, on compromised systems.

‘Insurance documents’

The emails themselves do not contain malware, but link to scam websites that provide links to malicious documents posing as a “statement” or as “insurance documents”.

When downloaded, the document tells users to “Enable Editing” and “Enable Content” in order to view the contents of the document.

These steps activate malicious macros that download and install Trickbot on Windows systems.

Trickbot installs itself within the legitimate Windows Problem Reporting process in order to conceal itself, but can be detected and removed by antivirus scanners.


In October, Microsoft said it worked with US authorities to disrupt Trickbot’s back-end infrastructure, but acknowledged the malware is constantly evolving.

Microsoft said at the time that Trickbot had used topical events such as the Covid-19 pandemic as lures in its widespread phishing campaigns.

The malware’s operators have infected more than one million systems since 2016, including devices such as routers, and typically sell access to compromised systems to third parties.

The malware has been known to target the financial services industry, amongst others.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
