Subway customers receive 'malware' emails

  • Published
The Subway sandwich chain logo is seen bolted to a brick wall in this close-up shotImage source, Getty Images

Subway customers in the UK are receiving scam emails as part of a phishing attack.

Users took to social media to complain about the emails, which claim to be an order confirmation from the fast-food chain and contain links to malware.

The emails also use the victims' names, and appear to come from the chain's Subcard loyalty scheme.

Subway has not said whether its databases have been compromised or what the source of the scam is.

But the firm has acknowledged that there is a problem.

A spokesperson for the company said: "We are aware of some disruption to our email systems and understand some of our guests have received an unauthorised email."

It apologised for any inconvenience and advised people to delete the email.

Sandwich insurance

The problem was earlier reported by computer security news site Bleeping Computer, which said it had found a form of malware called TrickBot in the malicious links the email encourages users to click.

Trickbot is designed to steal personal information from infected computers, and can also install other viruses and ransomware.

The email links to fake documents that supposedly need to be confirmed - including insurance documents for the sandwich, suggesting that the attack had been repurposed from an existing scam.

Bleeping Computer reports that these documents include an Excel spreadsheet download, which asks users to enable additional features that install the virus.

It is not clear how the attacker accessed the details of customers.

Online, some recipients claimed that the attack email appeared to come from the address that the company usually uses.

Update 12 December:

Subway has issued a fresh statement: "Having investigated the matter, we have no evidence that guest accounts have been hacked. However, the system which manages our email campaigns has been compromised, leading to a phishing campaign that involved first name and email. The system does not hold any bank or credit card details. Crisis protocol was initiated and compromised systems locked down. The safety of our guests and their personal data is our overriding priority and we apologise for any inconvenience this may have caused."