Subway customers in the UK and Ireland were swamped with scam emails yesterday in a phishing campaign that aimed to trick recipients into downloading malware.

We received a sample that looked like this (note the spelling mistake “anather”):

Subject: YYYY, WE'VE_RECEIVED_YOUR_ORDER! Thanks for shopping with us! You'll find a summary of your recent purchase below. You will receive anather email when your order has shipped. Review details: [clickable links]

A reader reported receiving a message with different text:

Subject: XXXX,Your order is being processed Great news! XXXX, Your order documents are ready and awaiting confirmation. See also Order Insurance Documents.

As phishes go, this one isn’t terribly sophisticated or believable, and the scam itself requires several clicks, each one more suspicious than the last.

Clicking the link in the email takes you to a web page like this:

The file you download is an XLS spreadsheet file that contains macros – embedded software code that is sufficiently risky that Office itself won’t run macros by default.

As a result, the crooks have to trick you into turning macro execution on, usually by including instructions in the body of the file (which does load up by default) pretending that the macros are there for security reasons.

In this case, the crooks pretend that their file is “protected” by well-known digital contract company DocuSign, stealing the DocuSign brand to try to persuade you to change your Excel security settings:

The crooks are hoping you will think that turning macros on will somehow increase security, when in fact you are enabling a feature that makes it possible for the criminals to download and install malware.

The offending macro code in the XLS file includes a script that looks like this:

The code above creates a URL by reading three cells from a hidden sheet called “Files”, and then uses it to fetch malware of the crooks’ choice.

Even if you unhide the “Files” worksheet, the cells B60, B61 and so on are not immediately obvious because the content of each cell is set to white text on a white background.
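The two concealment tricks described above (a hidden worksheet, and cells whose text colour matches their fill colour) are both visible in the file’s structure, so a triage script can flag them without ever enabling macros. The following is an added example, not code from the article or from Sophos: it builds a small constructed workbook in memory with a hidden sheet named “Files” holding three white-on-white cells in B60–B62 (the placeholder URL fragments are invented, not the real download address), then scans the file for hidden sheets and invisible cells and reassembles the concealed string. The sample on the page is a binary XLS; this example assumes the OOXML (.xlsx/.xlsm) layout instead, because that can be parsed with the Python standard library alone.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Constructed sample workbook (not the real Subway attachment): one visible
# sheet plus a hidden sheet "Files" whose cells B60..B62 are white-on-white.
WORKBOOK_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="{NS['m']}" xmlns:r="{R_NS}"><sheets>
  <sheet name="Sheet1" sheetId="1" r:id="rId1"/>
  <sheet name="Files" sheetId="2" state="hidden" r:id="rId2"/>
</sheets></workbook>"""

RELS_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="{R_NS}/worksheet" Target="worksheets/sheet1.xml"/>
  <Relationship Id="rId2" Type="{R_NS}/worksheet" Target="worksheets/sheet2.xml"/>
</Relationships>"""

# Style 0: black text, no fill. Style 1: white text on a solid white fill.
STYLES_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<styleSheet xmlns="{NS['m']}">
  <fonts><font><color rgb="FF000000"/></font><font><color rgb="FFFFFFFF"/></font></fonts>
  <fills>
    <fill><patternFill patternType="none"/></fill>
    <fill><patternFill patternType="gray125"/></fill>
    <fill><patternFill patternType="solid"><fgColor rgb="FFFFFFFF"/></patternFill></fill>
  </fills>
  <cellXfs><xf fontId="0" fillId="0"/><xf fontId="1" fillId="2"/></cellXfs>
</styleSheet>"""

SHEET1_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="{NS['m']}"><sheetData>
  <row r="1"><c r="A1" t="inlineStr" s="0"><is><t>Enable content to view the document</t></is></c></row>
</sheetData></worksheet>"""

# Placeholder URL fragments (constructed, defanged); B60+B61+B62 form one string.
FILES_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="{NS['m']}"><sheetData>
  <row r="60"><c r="B60" t="inlineStr" s="1"><is><t>hxxp://placeholder.invalid/</t></is></c></row>
  <row r="61"><c r="B61" t="inlineStr" s="1"><is><t>downloads/</t></is></c></row>
  <row r="62"><c r="B62" t="inlineStr" s="1"><is><t>payload.bin</t></is></c></row>
</sheetData></worksheet>"""


def build_sample_workbook() -> bytes:
    """Write the constructed OOXML parts into an in-memory zip container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", WORKBOOK_XML)
        z.writestr("xl/_rels/workbook.xml.rels", RELS_XML)
        z.writestr("xl/styles.xml", STYLES_XML)
        z.writestr("xl/worksheets/sheet1.xml", SHEET1_XML)
        z.writestr("xl/worksheets/sheet2.xml", FILES_XML)
    return buf.getvalue()


def load_styles(z: zipfile.ZipFile) -> list:
    """Map each cell style index to (font colour, fill colour) as ARGB strings or None."""
    root = ET.fromstring(z.read("xl/styles.xml"))
    fonts = [f.find("m:color", NS) for f in root.findall("m:fonts/m:font", NS)]
    fills = [f.find("m:patternFill/m:fgColor", NS) for f in root.findall("m:fills/m:fill", NS)]
    colour = lambda e: None if e is None else e.get("rgb")
    return [(colour(fonts[int(xf.get("fontId", 0))]), colour(fills[int(xf.get("fillId", 0))]))
            for xf in root.findall("m:cellXfs/m:xf", NS)]


def triage_workbook(data: bytes) -> dict:
    """Report hidden/veryHidden sheets and cells whose text colour equals their fill colour."""
    z = zipfile.ZipFile(io.BytesIO(data))
    styles = load_styles(z)
    rels = {r.get("Id"): r.get("Target") for r in ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))}
    report = {"hidden_sheets": [], "invisible_cells": []}
    for sheet in ET.fromstring(z.read("xl/workbook.xml")).findall("m:sheets/m:sheet", NS):
        name = sheet.get("name")
        if sheet.get("state") in ("hidden", "veryHidden"):
            report["hidden_sheets"].append(name)
        ws = ET.fromstring(z.read("xl/" + rels[sheet.get(f"{{{R_NS}}}id")]))
        for c in ws.findall(".//m:c", NS):
            font, fill = styles[int(c.get("s", 0))]
            if font is not None and font == fill:  # text is camouflaged against its background
                text = "".join(t.text or "" for t in c.findall(".//m:t", NS))
                report["invisible_cells"].append((name, c.get("r"), text))
    return report


def recover_hidden_string(report: dict, sheet: str) -> str:
    """Concatenate the invisible cells of one sheet in column/row order, as the macro would."""
    cells = [(ref, text) for s, ref, text in report["invisible_cells"] if s == sheet]
    split = lambda ref: (re.match(r"([A-Z]+)(\d+)", ref).group(1), int(re.match(r"([A-Z]+)(\d+)", ref).group(2)))
    cells.sort(key=lambda rt: split(rt[0]))
    return "".join(text for _, text in cells)


if __name__ == "__main__":
    rep = triage_workbook(build_sample_workbook())
    print(rep)
    print(recover_hidden_string(rep, "Files"))
```

The same checks apply to a real attachment once it has been unzipped: a sheet marked `hidden` or `veryHidden`, or any run of cells whose font colour equals the fill colour, is a reason to treat the document as hostile before anyone is tempted by its “enable content” instructions.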

Sophos products detect the downloaded spreadsheet as Troj/DocDl-AQBX. The name DocDl denotes a document that acts as a downloader. Sophos products detect the file that was fetched during our tests as Troj/Agent-BGCR. The name Agent denotes some form of zombie malware or bot, used by criminals to issue yet more commands on your computer in due course.

What happened?

The burning question – unanswered as at 2020-12-12T13:30Z – is where the criminals acquired the list of names and email addresses that were blasted with messages in this scamming campaign.

Some Twitter users are claiming that the email accounts involved were only ever used to sign up for messages from Subway, as though the list must have come from Subway or one of its partners.

Others are wondering how the crooks knew their first names given that their email addresses didn’t reveal their real names.

Interestingly, the email samples we analysed were sent by servers belonging to a bona fide company that offers newsletter marketing services that anyone can sign up for online with a credit card.

But, according to a report on IT news site The Register, that marketing company just happens to be the same one that Subway has been using for more than a year.

As a result of this uncertainty, many Twitter users have asked Subway if the scamming campaign was down to some sort of breach: perhaps, they wondered, criminals had somehow got access to Subway’s newsletter service in order to click [Send] on an unauthorised email campaign.

Subway didn’t help the confusion by repeatedly autotweeting a reply to concerned users saying:

Thanks for bringing this to our attention, we're aware of some disruption to our systems and understand you may have received an unauthorised email. We apologise for any inconvenience, as a precautionary measure, please delete the email.

The bad news is that we can’t yet tell you where the email list used in this scam came from, or whether all the recipients were Subway customers.

We also don’t know how or why the crooks ended up using the same newsletter service that Subway is said to use.

Nevertheless, the advice given in Subway’s autotweet messages is perfectly sound, and is your first and easiest defence: delete the email.

What to do?

Some further tips to remember:

  • If in doubt, leave it out. The click-through sequence in this scam is confusing and is absurdly complex for a food order. (We’ve never heard of digital contracts being exchanged just to buy a sandwich!)
  • Never change your security configuration on the say-so of a document you just received. If a crook sent you an email telling you to change your password to “password”, you wouldn’t dream of doing it, so take the same approach to demands to change security settings.
  • Consider using an anti-virus with web filtering as well as malware blocking. Document downloaders like the one used here allow the crooks to keep changing the malware they’re sending out. But if you block the outbound connection in the first place, it doesn’t matter what would have been at the other end because the downloader fails right away.

