It appears that the Subway (UK) – as in the fastfood franchise – suffered a breach to some of their systems resulting in criminals at the very least gaining access to customers name and email data. While Subway have yet to acknowledge a breach, they did go on record as saying:
We are aware of some disruption to our email systems and understand some of our guests have received an unauthorised email. We are currently investigating the matter and apologise for any inconvenience. As soon as we have more information, we will be in touch, until then, as a precautionary measure, we advise guests delete the email.Subway UK
Additionally, Robert Bairwell posted the message headers from one of the emails on GitHub and confirmed that the sending servers appear to be the usual servers for legitimate Subway UK communications, appearing to add more weight to the breach argument.
This morning (11th December 2020), a number of users started sending tweets to the chains account asking about suspicious looking order confirmation emails being sent to them that contained typos and unusual links.
Multiple security researchers looked at this with Oliver Hough being one of the first to call out that the destination of the links – which led users to Excel spreadsheet files – looked like they were setup to launch a TrickBot infection on the users machines.
What is Trickbot?
The National Cyber Crime Centre summaries TrickBot nicely, saying: “an established banking trojan used in cyber attacks against businesses and individuals in the UK and overseas. Trickbot attacks are designed to access online accounts, including bank accounts, in order to obtain personally identifiable information”