www.bleepingcomputer.com (104.20.60.209) Public Scan

URL: https://www.bleepingcomputer.com/news/security/massive-subway-uk-phishing-attack-is-pushing-trickbot-malware/
Submission: On December 13 via api from US


MASSIVE SUBWAY UK PHISHING ATTACK IS PUSHING TRICKBOT MALWARE

By LAWRENCE ABRAMS
December 11, 2020, 08:41 AM

A massive phishing campaign pretending to be a Subway order confirmation is
underway distributing the notorious TrickBot malware.

TrickBot is a trojan malware infection commonly distributed through phishing
campaigns or installed by other malware.


When installed, TrickBot performs a variety of malicious behavior, including
spreading through a network, stealing credentials saved in browsers, stealing
Active Directory Services databases, stealing cookies and OpenSSH keys, stealing
RDP, VNC, and PuTTY credentials, and much more.

Even worse, TrickBot partners with ransomware operators, such as Ryuk, giving
them access to a compromised network so they can deploy ransomware.


SUBWAY PHISHING CAMPAIGN IS HIGHLY TARGETED

Today, BleepingComputer was alerted by security researcher TheAnalyst of a new
phishing campaign pretending to be Subway order confirmations targeting people
from the United Kingdom.

What is concerning about these phishing emails is that they include the user's
first name, and some users are reporting they are being sent to emails only used
for Subway. This attack may indicate a data breach at Subway UK that allowed the
threat actors to gain access to customer's names and email addresses.

In a statement to BleepingComputer, Subway said that they are investigating a
disruption to their systems.

"We are aware of some disruption to our email systems and understand some of our
guests have received an unauthorised email. We are currently investigating the
matter and apologise for any inconvenience. As soon as we have more information,
we will be in touch, until then, as a precautionary measure, we advise guests
delete the email," Subway told BleepingComputer in a statement.

The Subway phishing emails are using email subjects such as "Your order is being
processed" and "We've received your order," and state that it is from Subcard
(subcard@UK-IE.subwaysubcard.eu), as shown below.

These emails are odd as they tell the user to click on various links as their
"order documents are ready and awaiting confirmation." That seems like a lot of
work to order a sandwich.

Subway phishing email
Source: Twitter

These links lead to various hacked websites that, when clicked, redirect the
visitor to a 'FreshBooks' phishing page. Clicking any of the links on this
landing page downloads an Excel spreadsheet.

FreshBooks phishing landing page


Depending on the variant of the phishing email you received, the Excel
spreadsheet may be password protected. Once the password is entered, a fake and
malicious DocuSign phishing attachment will be displayed. This document states
that there is a problem previewing the document, and you need to click on
'Enable Editing' and 'Enable Content' to view it.

Malicious Excel document

If a recipient enables the content, it will also enable malicious macros
embedded in the Excel spreadsheet that download and install the latest version
of the TrickBot malware.
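A gateway-side triage check for the attachment chain described above, written as an added example and not code from the article or from BleepingComputer: it tells a password-protected workbook (an OLE wrapper that cannot be inspected until the lure's password is supplied) apart from a macro-enabled OOXML workbook, using constructed sample files rather than anything from the campaign.

```python
import io
import zipfile

# Added triage example (not from the article). An OOXML workbook is a zip; one
# that carries VBA macros has an xl/vbaProject.bin part. A password-protected
# workbook is instead wrapped in an OLE compound file with an EncryptionInfo
# stream, so its contents cannot be inspected until the password is supplied.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENCRYPTION_INFO = "EncryptionInfo".encode("utf-16-le")  # OLE stream names are UTF-16LE
MACRO_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")


def classify_office_attachment(data: bytes) -> dict:
    """Classify raw attachment bytes; 'suspicious' flags what deserves a sandbox."""
    verdict = {"kind": "unknown", "macros": False, "suspicious": False}
    if data.startswith(OLE_MAGIC):
        if ENCRYPTION_INFO in data:
            # Encrypted wrapper: the lure supplies the password, so the gateway
            # cannot scan the inner document. Treat it as suspicious by default.
            verdict.update(kind="encrypted-ole", suspicious=True)
        else:
            verdict["kind"] = "legacy-ole"  # .xls/.doc; needs a VBA-aware scanner
        return verdict
    if not data.startswith(b"PK"):
        return verdict
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return verdict
    verdict["kind"] = "ooxml"
    verdict["macros"] = any(part in names for part in MACRO_PARTS)
    verdict["suspicious"] = verdict["macros"]
    return verdict


def make_sample_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal workbook zip for offline testing (not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"constructed placeholder VBA project")
    return buf.getvalue()


def make_sample_encrypted() -> bytes:
    """Constructed stand-in for a password-protected workbook's OLE wrapper."""
    return OLE_MAGIC + b"\x00" * 64 + ENCRYPTION_INFO + b"\x00" * 64
```

The check only looks at container structure; a VBA-aware scanner (or a sandbox) is still needed to see what a macro actually does.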

The downloaded TrickBot malware is a DLL [VirusTotal] that will be injected into
the legitimate Windows wermgr.exe (Windows Problem Reporting) executable
directly from memory using code from the 'MemoryModule' project.

By running within wermgr.exe, the malware may be able to evade detection by
security software, and it will look like a legitimate process in Task Manager.

If you have received this email and accidentally downloaded and opened the
malicious document, make sure you perform a thorough scan of your computer using
antivirus software and clean anything that is found.



LAWRENCE ABRAMS

Lawrence Abrams is the creator and owner of BleepingComputer.com. Lawrence's
area of expertise includes malware removal and computer forensics. Lawrence
Abrams is a co-author of the Winternals Defragmentation, Recovery, and
Administration Field Guide and the technical editor for Rootkits for Dummies.