Sonic Drive-In, a fast food chain with over 3,600 restaurants across the US, has acknowledged a malware breach that affected an yet unidentified number of locations.

The breach came to light last week when infosec journalist Brian Krebs spotted a trove of payment card details on underground forums and card shops that appeared to come from Sonic customers.

IBM X-Force, an IBM division specialized in banking trojans and financial crimes, confirmed Krebs' findings in a blog post yesterday.

Later on the same day, Sonic issued an official press release, admitting the breach and providing instructions for customers to enroll in 24 months of free fraud detection and identity theft protection.

Since the number of affected customers is unknown, any customer who used his payment card at Sonic Drive-In restaurants appears to be eligible, based on the greeting message on the program's homepage. The fraud detection and identity theft protection services are provided by Experian.

Card details sold underground for $25-$50

Krebs found the supposed stolen Sonic card details on a carding shop named Joker's Stash, as part of a batch titled Firetigerrr that contained five million payment card details.

IBM said crooks put the FireTigerrr batch up for sale on September 18, but the same package was also seen three days earlier, September 15, on another cybercrime service that checks for-sale card data validity against potential fraudsters.

Firetigerrr batch [Source: Brian Krebs]

While Sonic has only said that "malware" was to blame for the breach, crooks most likely used PoS malware to pilfer the data from Sonic's networks.

PoS malware has been all the rage recently, with numerous incidents reported in the past two-three years alone.

PoS ransomware?

In an email to Bleeping Computer, John Christly, Global CISO at Netsurion, a provider of managed security services for multi-location businesses, believes the next step in PoS malware attacks is PoS ransomware.

"If retailers don’t protect themselves properly, this isn’t much of a stretch," Christly said. "Rather than gain access to a chain’s POS to exfiltrate credit cards over months (or even years), cybercriminals could deploy ransomware that shuts down the POS systems… effectively bringing the business and all revenue to a screeching halt."

"This would likely prompt stores to pay the ransom right away, allowing the threat actors to profit within minutes," Christly added. "And with the impressive success of the global WannaCry and NotPetya outbreaks, cybercriminals are taking notice of what works."