Hackers compromise Subway UK's marketing system to deliver TrickBot malware

No evidence of guest accounts having compromised by hackers but sandwich firm advises anyone who may have downloaded malware to perform a thorough scan of their machine

The takeaway sandwich chain Subway UK acknowledged on Sunday that hackers have compromised one of its servers and used the system to send out phishing emails to customers over the weekend.

The company told the Bleeping Computer that this particular server was responsible for the firm ' s email marketing campaigns, but that no banking or credit card details were stored on it.

The initial investigation revealed no evidence of guest accounts been compromised by hackers, according to the company, although the attack led to "a phishing campaign that involved first name and email".

After the breach was identified, the sandwich chain initiated its crisis protocol and shut down the affected systems.

"The safety of our guests and their personal data is our overriding priority, and we apologise for any inconvenience this may have caused," it added.

The security breach was first reported by Bleeping Computer on Saturday, stating that a large number of Subway customers were getting phishing emails from chain's Subcard loyalty scheme about the processing of an alleged Subway order.

These emails used email subjects such as "Your order is being processed" and "We've received your order," and told users that the message had come from Subcard.

According to Bleeping Computer, the primary aim of this phishing campaign is to distribute the TrickBot malware.

The emails encouraged users to click on document links, which led them to hacked websites and downloaded a malicious Excel spreadsheet. The spreadsheet asked users to enable additional features on the document. If allowed, the malicious macros then installed the latest version of the TrickBot malware on the system.

TrickBot is a descendant of the Dyre malware. It was first noticed in 2016 when researchers observed it to be functioning as a banking Trojan that attempted to steal sensitive information from target organisations.

Over the past few years, TrickBot operators have shifted their attention to enterprise environments in efforts to generate maximum revenue from their activities.

The modular nature of TrickBot means it can be easily modified to perform various types of malicious activities, including stealing saved passwords in browsers, stealing cookies and OpenSSH keys, stealing Active Directory Services databases, and more. This is the main reason behind TrickBot becoming one of the most sophisticated and capable malware delivery mechanisms in the world.

Subway UK is now sending emails to all affected customers, stating that their first and last names were exposed as part of the attack.

People who received such emails and accidentally downloaded malicious document on the system are advised to perform a thorough scan of their system using antivirus software and remove any malicious programme found on the system.