Subway UK Customers Targeted By Trickbot Hackers

Subway customers in the UK are being targeted by scammers as part of a phishing scheme, users have said on social media.

The scam emails include users’ names, indicating that hackers may have gained access to Subway customer data.

In some cases, users said the email had been sent to an address they had only used for Subway’s Subcard loyalty programme.

Subway has not disclosed how the malicious third parties gained access to the data.

‘Disruption’

But it acknowledged “disruption” to its email systems.

“We are aware of some disruption to our email systems and understand some of our guests have received an unauthorised email,” the company said in a statement.

It apologised for the inconvenience and advised users to delete the email.

The scam was earlier reported by Bleeping Computer, which said the email links to documents that contain the Trickbot credential-stealing malware.

Besides stealing login details saved in browsers, Active Directory Services databases, cookies and OpenSSH keys, amongst other credentials, Trickbot also attempts to automatically install itself on other systems on the same network.

Trickbot’s creators have also been known to deploy ransomware from third parties, such as Ryuk, on compromised systems.

‘Insurance documents’

The emails themselves do not contain malware, but link to scam websites that provide links to malicious documents posing as a “statement” or as “insurance documents”.

When downloaded, the document tells users to “Enable Editing” and “Enable Content” in order to view the contents of the document.

These steps activate malicious macros that download and install Trickbot on Windows systems.

Trickbot installs itself within the legitimate Windows Problem Reporting process in order to conceal itself, but can be detected and removed by antivirus scanners.
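The lure documents described above depend on the user enabling macros, so a mail gateway or help desk can check a downloaded file for a VBA project before anyone opens it. The following sketch is an added example, not code from the original report; it assumes the document is in the zip-based Office Open XML format (the article does not say which format was used), and `triage_document` and `build_sample` are hypothetical names operating on constructed sample files.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container

def triage_document(data: bytes) -> dict:
    """Inspect a downloaded Office file for macros without opening it in Office."""
    result = {"format": "unknown", "has_macros": False, "reasons": []}
    if data.startswith(OLE_MAGIC):
        # Binary formats can carry macros; this check cannot rule them out.
        result["format"] = "ole"
        result["reasons"].append("legacy OLE file: send to a macro-aware scanner")
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            result["format"] = "zip"
            return result
        result["format"] = "ooxml"
        vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba:
            result["has_macros"] = True
            result["reasons"].append("VBA project part present: " + ", ".join(vba))
        if b"macroEnabled" in zf.read("[Content_Types].xml"):
            result["has_macros"] = True
            result["reasons"].append("macro-enabled content type declared")
    return result

def build_sample(with_macro: bool) -> bytes:
    """Constructed stand-in for a downloaded document (no real macro code)."""
    kind = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
            else "application/vnd.openxmlformats-officedocument"
                 ".wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{kind}"/></Types>')
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"PLACEHOLDER")
    return buf.getvalue()

if __name__ == "__main__":
    for label, blob in (("statement", build_sample(True)), ("clean", build_sample(False))):
        print(label, triage_document(blob))
```

A file flagged here is a candidate for quarantine or deeper analysis rather than proof of Trickbot; legacy binary documents are reported separately because this check cannot see inside them.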

Trickbot

In October, Microsoft said it worked with US authorities to disrupt Trickbot’s back-end infrastructure, but acknowledged the malware is constantly evolving.

Microsoft said at the time that Trickbot had used topical events such as the Covid-19 pandemic as lures in its widespread phishing campaigns.

The malware’s operators have infected more than one million systems since 2016, including devices such as routers, and typically sell access to compromised systems to third parties.

The malware has been known to target the financial services industry, amongst others.

Matthew Broersma

Matt Broersma is a long-standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications.
