Customers and holders of ‘Subway’ loyalty cards are reporting the reception of weird emails claiming to be about an order they didn’t place. The fast-food restaurant franchise confirmed that these emails aren’t real/valid, but they are the product of a disruption to their systems, so someone is sending these emails through them. It sounds like a pretty nasty security breach, although the firm has decided not to present it as such.
Following a preliminary investigation, Subway figured that a hacker compromised their email management system and launched an extensive phishing campaign. The sandwich company assures customers that no accounts have been compromised or taken over, and the actors only got to see people’s email addresses and first names. The system isn’t holding any payment details, so these haven’t been compromised either.
The message itself may come from a valid address, but it has a typo, so there’s a clear sign of fraud in the body. It is as if crooks are obliged to include a typo in scam emails every time as if they have to comply with an unwritten rule of some sort. The truth is that they often write these messages in a hurry as they have a finite amount of time to exploit their hack before the victimized company discovers it and stops them.
The phishing page where the people who may click on the links are taken isn’t very well made, so this part of the campaign isn’t going very far. The more dangerous aspect is the XLS spreadsheet file that can be downloaded from there, which activates malicious macro code to fetch the Trickbot banking trojan. Yes, that same botnet that Microsoft has been trying to destroy for months now, and whose operators just won’t let die.
Subway officially advised customers who received these emails to simply delete them, which is a solid piece of advice but doesn’t retract the associated risks. In this case, registering on Subway’s online platform has created an attack surface and introduced a phishing possibility. There’s nothing more secure than visiting a Subway location and ordering the sandwich there.
If you have to order online, use a “secondary” email address that doesn’t resemble your real name and prefer to pay with a method that doesn’t involve your credit or debit card. Additionally, do not “enable content” on your office suite, do not click on links that arrive inside unsolicited emails, and always keep an AV with internet protection updated and active in your system.