
Updated Subway customers in the UK received suspicious emails today, and infosec researchers fear this is linked to the theft of customer information, and to a Trickbot malware campaign.
"I have just had an e-mail claiming to be from Subway (the sandwich people) and sent to an address used only for Subway," Reg reader Alan told us. He wasn't alone; it appears that something bad has happened to Subway involving its email marketing systems.
A wave of tweets began hitting Subway UK's account today as people questioned why the takeaway sandwich chain, well-known for its not-quite-footlong baguettes, had started emailing them out of the blue.
@SubwayUK is this a genuine email from you? If so, I have not put any orders just recently so someone might have gotten deceitful access to my account pic.twitter.com/g6bckCBC35
— Saz/Sarah (@SazRhiD) December 11, 2020
@SubwayUK have you had an information breach or something? Simply gotten an email from ‘subcard@UK-IE.subwaysubcard.eu’ addressing my name and says I’ve placed an order. There’s a typo in the e-mail on the word ‘another’ (misspelt as ‘anather’) and has dodgy looking links in it??
— Win San Pang (@WinSanPang) December 11, 2020
Security researcher Oliver Hough, noted purveyor of advanced infosec tweets, had a look at the apparent phishing campaign. In e-mails he had seen, links took users to a booby-trapped XLS spreadsheet, with others chiming in to say that it looked very much as though those links were leading unsuspecting users straight to a Trickbot infection.
Looks like #TrickBot
XLS: https://t.co/ZkiNmNkiy5
⏬ https://t.co/lGRIXIdcNK
DLL https://t.co/gmVxD80 Ooo
C2/45212: 443/ rob20//186222: 443/ rob20/.
Full run: https://t.co/C1R9g8fDjR
— TheAnalyst (@ffforward) December 11, 2020
As the National Cyber Security Centre puts it: "Trickbot targets victims with well-crafted phishing emails, designed to appear as though sent from relied on industrial or federal government brands."
Source code of one of the suspicious e-mails, published to GitHub by PHP dev Richard Bairwell, exposed the full message headers, which appear to point to email firm Campaign Monitor as the source of the message.
Bairwell told The Register he got the two suspicious e-mails at his link above today, adding: "Both emails – like all emails from Subway from at least May last year – have come by means of CampaignMonitor/cmail.com."
It appears that malicious people may have gained access to Subway's e-mail campaign systems, given that today's email appears to have been sent through genuine routes previously used for authentic marketing messages.
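The header reasoning above can be repeated on any saved message. This is an added example, not code from the article or from Bairwell's post; the sample message and the esp.example, brand.example and recipient.example names are constructed placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: placeholder domains, not headers from the real e-mails.
SAMPLE = """\
Return-Path: <bounce-123@bounce.esp.example>
Received: from mx.recipient.example (localhost [127.0.0.1])
\tby mail.recipient.example with ESMTP id abc; Fri, 11 Dec 2020 10:00:02 +0000
Received: from mta7.esp.example (mta7.esp.example [192.0.2.25])
\tby mx.recipient.example with ESMTPS id xyz; Fri, 11 Dec 2020 10:00:01 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=cm; bh=AAAA; b=BBBB
From: Loyalty Card <card@brand.example>
To: reader@recipient.example
Subject: Your order

Thanks for your order.
"""

def domain_of(addr):
    """Lower-cased domain part of an address header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def sending_route(raw):
    """Summarise which infrastructure handed the message to the recipient."""
    msg = message_from_string(raw)
    # Received headers are prepended, so the last one is the earliest hop.
    # Only hops recorded by your own servers are trustworthy.
    hops = [m.group(1).lower() for h in msg.get_all("Received", [])
            for m in [re.match(r"\s*from\s+(\S+)", h)] if m]
    # d= names the signing domain; the signature itself is not verified here.
    dkim = [m.group(1).lower() for s in msg.get_all("DKIM-Signature", [])
            for m in [re.search(r"\bd=([^;\s]+)", s)] if m]
    return {"from": domain_of(msg.get("From", "")),
            "return_path": domain_of(msg.get("Return-Path", "")),
            "dkim": dkim, "origin_hop": hops[-1] if hops else None}

def via_known_sender(route, esp_domains):
    """True if bounce domain, DKIM domains and origin hop all sit under a
    provider domain already seen on the brand's genuine mail."""
    def under(host):
        return any(host == d or host.endswith("." + d) for d in esp_domains)
    hosts = [route["return_path"], route["origin_hop"] or ""] + route["dkim"]
    return bool(route["dkim"]) and all(under(h) for h in hosts)

if __name__ == "__main__":
    route = sending_route(SAMPLE)
    print(route, via_known_sender(route, {"esp.example"}))
```

A True result for an unauthorised message is what makes this kind of incident hard to filter: the message took the same route as the brand's genuine marketing mail, so header checks alone cannot separate the two.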
Yesterday the fast food biz changed its customer loyalty app, switching from its old Subcard app to one simply named Subway.
We have asked Subway for comment on both the apparent breach and the phishing campaign and will update this article if we hear back from the privately held US chain. ®
Updated to add
Subway sent us the following statement: "We are conscious of some interruption to our e-mail systems and understand some of our guests have received an unauthorised e-mail."