Subway UK has admitted that a hacked server has been sending customers phishing emails. The spam messages supposedly contained information about a Subway order that had been placed by the customer, accompanied by a malicious Excel attachment.
"Having investigated the matter, we have no evidence that guest accounts have been hacked," a Subway spokesperson told BleepingComputer. "However, the system which manages our email campaigns has been compromised, leading to a phishing campaign that involved first name and email. The system does not hold any bank or credit card details."
Subway went on to reveal that all compromised systems were promptly isolated and sensitive customer data was not accessed. The fast-food company has also sent emails to all the affected customers, informing them that their first and last names were exposed during the phishing attack.
A spam sandwich
It is not currently clear how many Subway customers have been affected, but there are a few simple steps that victims can take to safeguard their devices. If they opened the malicious Excel document attached to the Subway phishing email, they should first look for a process named 'Windows Problem Reporting' in the Task Manager and terminate it. Then, they should run antivirus software to make sure any malicious programs are removed.
Although phishing campaigns have been commonly employed throughout 2020, the emails used by attackers do not usually come from legitimate company email accounts. This gave the Subway scam an added air of authenticity.
Usually, attackers simply mimic the look and branding of well-known companies when sending phishing emails. Amazon, Adobe, and a host of other organizations have all seen their names leveraged as part of successful phishing campaigns.
Via BleepingComputer