Sonic Drive-In Blames Credit Card Breach on Malware

Sonic Drive-In, a fast-food chain with more than 3,500 restaurants across 45 U.S. states, confirmed that credit card data might have been stolen from some of its locations as part of a malware attack.

The possibility of a breach at Sonic was raised last week by cybersecurity blogger Brian Krebs, who was notified by sources from the financial industry about fraudulent transactions on cards recently used at the fast-food chain. Krebs managed to confirm that a handful of cards selected at random from a stash of 5 million that were put up for sale on an underground website had been used at Sonic.

Sonic said at the time that it had been notified by its payment processor about unusual activity on credit cards used at its restaurants and was investigating the cause. On Wednesday, the company announced in a press release that “credit and debit card numbers may have been acquired without authorization as part of a malware attack experienced at certain Sonic Drive-In locations.”

The company has not yet disclosed how many cards and which locations have been affected, but is offering all customers who used their cards at any of its restaurants this year a free 24-month subscription with Experian IdentityWorks, a fraud detection and identity theft protection program.

Security researchers from IBM X-Force confirmed that the batch of cards put up for sale recently on the website found by Krebs had been available for purchase on the underground market since Sept. 15. According to information listed on the illegal credit card shop, the cards have been obtained from different locations in a variety of states.

While Sonic did not provide any details about the nature of the malware attack it’s investigating, the most common type of hacks that result in compromised credit card data involves so-called memory-scraping malware being installed on point-of-sale (POS) systems. POS malware has been used in some of the largest breaches in recent years, including those at Target, the Home Depot and Neiman Marcus.

“Attacks against organizations that operate a large number of point-of-sale (POS) endpoints are fruitful for cybercriminals looking to gain access to credit card information, which is precisely why we’re seeing more of these cases than ever,” the IBM X-Force researchers said in a blog post about PoS compromises.

Attackers usually compromise POS systems by using stolen or weak remote administration credentials, through physical access, through malicious software updates (supply-chain attacks) or by penetrating higher levels of the corporate network. Preventing such attacks depends on many aspects of an organization’s security posture.

“POS malware has been around for over a decade now, operated by actors ranging from lone fraudsters to organized crime groups,” the IBM researchers said. “Through the years, POS malware has not made significant strides in technical terms, simply because it has not needed to.”

Attackers Compromise Email Accounts and Inject Malware into Legitimate Conversations

Spear-phishing continues to be one of the primary methods through which hackers break into corporate computers and accounts. This is why many organizations now regularly train their employees on spotting rogue emails that bypass spam filters.

Some attackers seem to have now taken spear-phishing to the next level: compromising email accounts and injecting malicious messages directly into legitimate conversations between account owners and their contacts. Such attacks make it very hard to spot malicious emails, since they come from trusted sources and are part of existing message exchanges.

Researchers from security firm Palo Alto Networks recently investigated a highly targeted spear-phishing attack that used compromised email accounts from a legitimate domain in North East Asia. The attackers used them to send malicious email messages that contained documents exploiting a remote code execution in Microsoft Word and WordPad (CVE-2017-0199).

Successful exploitation led to the installation of two malicious programs called PoohMilk and Freenki that have been used in targeted attacks in the past. The new campaign, which Palo Alto Networks named FreeMilk, targeted a bank based in the Middle East, trademark and intellectual property service companies based in Europe, an international sporting organization and individuals with indirect ties to an unnamed country in North East Asia.

“The FreeMilk spear-phishing campaign is still ongoing, and is a campaign with a limited but wide range of targets in different regions,” the Palo Alto researchers said in a blog post. “The threat actor tried to stay under the radar by making malware that only executes when a proper argument is given, hijacked an existing email conversation and carefully crafted each decoy document based on the hijacked conversation to make it look more legitimate.”

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin