Subway sandwich scam mystifies loyalty card users

Subway customers in the UK and Ireland were swamped with scam emails yesterday in a phishing campaign that aimed to trick recipients into downloading malware.

We received a sample that looked like this (note spelling mistake anather):


Thanks for shopping with us! You'll find a summary of your recent purchase below.

You will receive anather email when your order has shipped.

Review details:

[clickable links]

A reader reported receiving a message with different text:

Subject: XXXX,Your order is being processed

Great news!


Your order documents are ready and awaiting confirmation. 

See also Order Insurance Documents.

As phishes go, this one isn’t terribly sophisticated or believable, and the scam itself requires several clicks, each one more suspicious than the last.

Clicking the link in the email takes you to a web page like this:

The file you download is a password-protected XLS spreadsheet file that contains macros – embedded software code that is sufficiently risky that Office itself won’t run macros by default.

As a result, the crooks have to trick you into turning macro execution on, usually by including instructions in the body of the file pretending that the macros are there for security reasons.

In this case, the crooks pretend that their file is “protected” by well-known digital contract company DocuSign, stealing the DocuSign brand to try to persuade you to change your Excel security settings:

The crooks are hoping you will think that turning macros on will somehow increase security, when in fact you are enabling a feature that makes it possible for the criminals to download and install malware.

The offending macro code in the XLS file includes a script that look like this:

The code above creates a URL by reading three cells from a hidden sheet called “Files”, and then uses that URL to fetch malware of the crooks’ choice.

Even if you unhide the “Files” worksheet, the cells B60, B61 and so on are not immediately obvious because the content of each cell is set to white text on a white background.

Sophos products detect the downloaded spreadsheet as Troj/DocDl-AQBX. The name DocDl denotes a document that acts as a downloader. Sophos products detect the file that was fetched during our tests as Troj/Agent-BGCR. The name Agent denotes some form of zombie malware or bot, used by criminals to issue yet more commands on your computer in due course.

What happened?

The burning question, unanswered at 2020-12-12T03:00Z when this article was published [see update below] – is how the criminals acquired the list of first names and email addresses that were blasted with messages in this scamming campaign.

Some Twitter users are claiming that the email accounts involved were only ever used to sign up for messages from Subway, as though the list must have come from Subway or one of its partners.

Others are wondering how the crooks knew their first names given that their email addresses didn’t reveal their real names.

Interestingly, the email samples we analysed were sent by servers belonging to a bona fide company that offers newsletter marketing services that anyone with a credit card can sign up for online.

However, according to a report on IT news site The Register, that marketing company just happens to be the same one that Subway has been using for at least 18 months.

As a result of this uncertainty, many Twitter users have asked Subway if the scamming campaign was down to some sort of breach: perhaps, they wondered, criminals had somehow got access to Subway’s newsletter service in order to click [Send] on an unauthorised email campaign.

Subway didn’t help the confusion by repeatedly autotweeting an inconclusive reply, saying:

Thanks for bringing this to our attention, we're aware of some disrpution to our systems and understand you may have received an unauthorised emaiL. We apologise for any inconvenience, as a precautionary measure, please delete the email.

The bad news is that we can’t yet tell you where the email list used in this scam came from, or whether all the recipients were Subway customers.

We also don’t know how or why the crooks ended up using the same newsletter service that Subway is said to use.

Nevertheless, the advice given in Subway’s autotweet messages is perfectly sound, and is your first and easiest defence: delete the email.

Update. A commenter on our Facebook page reported that he received an email from Subway saying, “Having investigated the matter we have no evidence that guest accounts have been hacked. The system which manages email campaigns has been accessed, leading to a phishing campaign that involved first name and email. The system does not hold any bank or credit card details.” This, of course, doesn’t clarify where the email address list came from in the first place. A reader commenting below says that he received the scam to an old address, dormant for several years, that is no longer associated with his Subway account. And a third reader sent us a screenshot of a message he received from Subway in 2015 requiring him to do a password reset, though without giving any reason other than that it was “part of [a] security upgrade“. So, at least some of the mystery remains. [2020-12-12T08:50Z]

What to do?

Some tips to remember:

  • If in doubt, leave it out. The click-through sequence in this scam is confusing and is absurdly complex for a food order. (We’ve never heard of digital contracts being exchanged just to buy a sandwich!) Don’t be tempted to follow the trail “just in case”.
  • Never change your security configuration on the say-so of a document you just received. If a crook sent you an email telling you to change your password to “password”, you wouldn’t dream of doing so. Take the same approach to demands to change security settings.
  • Consider using an anti-virus with web filtering as well as malware blocking. Document downloaders like the one used here allow the crooks to keep changing the malware they’re sending to victims. But if you block the outwards connection in the first place, it doesn’t matter what would have been at the other end because the downloader fails right away.


Originally streamed live on Facebook.

Watch directly on YouTube if the video won’t play here.
Click the Settings cog to speed up playback or show subtitles.