Subway Hacked, Customers receive TrickBot malware in their Inbox

The United Kingdom branch of Subway, the fast-food sandwich giant, disclosed that its advertising system had been hacked. The attacker used that system to send phishing emails laden with TrickBot malware to customers.


TrickBot is a nasty malware infection that allows attackers to steal saved browser passwords, spread throughout a network, steal browser cookies, steal RDP, VNC, and PuTTY credentials, and much more. Even worse, TrickBot may eventually provide access to the Ryuk or Conti ransomware operations.


What happened?

Subway’s customers in the UK began to receive emails from ‘Subcard’ about a Subway order that they had supposedly placed. The email included links to documents which claimed to contain the order confirmation details.

Analysis of the emails showed that they were in fact distributing Excel documents containing TrickBot malware, which would be installed on a device once the document was opened.


These phishing emails contained the customer's name and were sent to email addresses that some users had created specifically for Subway.


How did it happen?

Subway made it public that the server it uses to run its marketing functions had been hacked. After compromising the server, the threat actor made it send out unauthorized phishing emails containing links to malicious code and malware.


Subway's investigation confirmed that no guest accounts were hacked. The hack was limited to the server responsible for sending emails and running marketing campaigns, and it compromised the names and email addresses of many Subway customers. According to reports from the company, the server did not contain any bank or credit card credentials.


In response to the hack, Subway locked down the compromised servers. It also emailed the affected customers to inform them that their names and email addresses had been compromised in the attack on the server.




  • Experts recommend that infected users check for the current version of TrickBot by opening Task Manager and looking for a process named 'Windows Problem Reporting.' If that process is found, users should click the End Task button to terminate it.
  • Users are advised to perform a thorough scan of their computer using antivirus software and clean anything that is found.
  • Avoid emails coming from unauthorized sources, and do not open them unnecessarily.
  • Make sure your system applications are running an updated version.