Subway Sandwich Loyalty-Card Users Suffer Ham-Handed Phishing Scam

Subway loyalty program members in U.K. and Ireland have been sent scam emails to trick them into downloading malware.

Count the Subway sandwich faithful among the latest victims of cybercriminals. Researchers at Sophos discovered a phishing campaign aimed at Subway loyalty-card members in the U.K. and Ireland, in an attempt to trick them into downloading malware.

The campaign wasn’t particularly impressive, according to Sophos researchers.

Threatpost Webinar Promo Bug Bounty

Click to register.

“As phishes go, this one isn’t terribly sophisticated or believable, and the scam itself requires several clicks, each one more suspicious than the last,” the report said.

Subway Scam

Sophos published a couple of different versions of the emails, but the message was the same: you have an order on the way, and “click here” if you would like to know more details.

One email supplied to Sophos appeared to have been sent from a “subwaysubcard” domain. It was personalized with the recipient’s first name. A second email with the same text was delivered to another loyalty cardholder and supplied to Sophos with the same message.

“Thanks for shopping with us!” the scam email read. “You’ll find a summary of your most recent purchase below.”

Both messages also shared an identical misspelling: “anather” in stead of “another.”

A third communication told recipients to click on a link to view “order documents.” That link leads to a scam “FreshBooks” page and then a fake DocuSign page, Sophos reported.

The goal of the phishing campaign is to get victims to change their Excel security settings, allowing the malicious actors to run macros and deliver malware to the victim’s device, Sophos explained. The code creates a URL from a hidden “Files” sheet. The URL then grabs the malware.

“The crooks are hoping you will think that turning macros on will somehow increase security, when in fact you are enabling a feature that makes it possible for the criminals to download and install malware.”

Subway spokesperson Shani Shaker Kekati told Threatpost that the company has “no evidence guest accounts have been hacked,” adding,however, the system which manages our email campaigns has been compromised, leading to a phishing campaign that involved first name and email. The system does not hold any bank or credit-card details. Crisis protocol was initiated and compromised systems locked down.”

But according to Paul Ducklin, principal research scientist at Sophos, an email address and first name is plenty for criminals to target unsuspecting customers.

“The bad news about this scam is that even if all a cybercriminal knows about you is a first name, an email address and a brand they know you buy from, they can still make plenty of trouble for you,” Ducklin told Threatpost. “Even just saying ‘Dear Paul’ instead of ‘Dear customer’ makes the opening gambit so much more plausible and softens you up for what follows.”

Loyalty Cards a Target

While there’s not much clarity around how the crooks got the Subway loyalty-card list, Allan Liska, intelligence analyst for Recorded Future, told Threatpost in a recent webinar that loyalty-card lists are increasingly easy to find on the dark web.

Turns out that there’s some value in those; so, if you are a brand that has loyalty cards, monitor for large dumps of your loyalty cards,” Liska said. He explained airline miles and points programs of all sorts can easily be turned into goods, services and even cash.

Criminals have also deployed AI and automation against rewards and loyalty programs, according to Robert Capps, NuData’s vice president of marketplace innovation.

“We had a client that had the ability for you to take your receipt home and sign up for loyalty program, and have that receipt applied to your account, based on random digits at the bottom of the receipt,” Capps told Threatpost. “And those random digits weren’t random.”

He added that automation helped the criminals crack the code and rack up rewards.

“Someone figured out the patterns and started running tens of thousands of these receipt combinations through an automated checker, to add the residual value that was unclaimed on those transactions to a given set of rewards accounts,” Capps said.  “And they were buying product, and fulfilling on eBay, Amazon and other online-order systems.”

Luckily for Subway loyalty-card holders, this latest attack phishing attack against Subway wasn’t nearly as difficult to identify.

“The good news is that every step of this particular scam had a telltale sign that someone was up to no good,” Ducklin said. “And that is a great reminder of a very useful general rule: *always* take those extra few seconds to check for things that don’t add up, and make the crooks pay for any operational blunders they make. And if you want to ask for advice, never rely on any contact information in the message itself. Find your own way to ask for help, using contact details you already know.”

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows; Limor Kessem, Executive Security Advisor, IBM Security; and Allie Mellen, a security strategist in the Office of the CSO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.

Suggested articles