Sonic Drive-In | Credit Card Theft Detection Use Case


Photo courtesy Sonic Franchises

On September 26, 2017, Sonic [SONC] the U.S. fast-food chain based in Oklahoma City, OK, with about 3,600 locations across 45 states, acknowledged that their payment processor detected some unusual activity.

“The first hints of a breach at the Oklahoma City-based fast-food chain came last week,” reported KrebsOnSecurity on his blog last week. “I began hearing from sources at financial institutions about a recent pattern of fraudulent transactions on cards that had all previously been used at Sonic.”

Banking industry sources began reviewing a batch 5M credit and debit cards posted for sale on the theft bazaar, Joker’s Stash:


Krebs alerted Sonic. They responded within the hour that they were investigating “a potential incident” at some Sonic locations.

A company source later issued a statement to Krebs that their card processing service had informed them the prior week of unusual activity for cards used at Sonic.

They released the following statement:

We are working to understand the nature and scope of this issue[….] We immediately engaged third-party forensic experts and law enforcement[….] While law enforcement limits the information we can share, we will communicate additional information as we are able.

Sonic is still investigating which stores have been affected by this breach.


Image Courtesy KFOR News Oklahoma City


Where credit and debit cards go once they are stolen

What are these “shadowy underground online networks,” as one writer at USA Today called these purveyors of stolen cards? In the aftermath of this breach, news programs like KDFW–FOX4 local television news in Dallas, encouraged cardholders to monitor their credit. Good advice, but it’s cold comfort for the millions of people that have been impacted.

Stolen Credit Card Dumps & CVV Shop sites are the “Amazon” for criminals who buy and use stolen credit cards. Joker’s Stash is one of these inhabitants of the dark and deep web.

The cards in this particular breach are being merchandised on J-Stash indexed by city, state and ZIP code. That’s because financial institutions get software alerts and block compromised cards when they are used out-of-state or out-of-country.

According to, crooks use these cards to purchase things like drones, vacuum cleaners, gym shoes, coffee makers, smartphones, and tablets.


POS system malware injections play a key role

Typically, criminal organizations steal credit card data from point-of-sale systems remotely through the use of malware. The bot copies account data stored on a card’s magnetic strip and clones it to purchase high-priced merchandise from electronics stores and big-box retailers.

Krebs reports the cards stolen in the Sonic breach are being sold on Joker’s Stash at premium rates–from $25 to $50US that equivalent to €22 to €33 EU. The higher rates are due to both the freshness of the batch and the level of the account–platinum etc.


What businesses can do to protect company cards

Credit card theft detection is something that organizations can use as part of their overall threat intelligence practice.

Having one of these modules will let you detect stolen credit card information so you can protect your customers or employees from becoming targets. This happens in almost real-time before they can be sold on the deep Internet and black markets.

The Blueliv module allows you to actually automatically retrieve compromised cards before potentially being sold on deep Internet black markets and used to commit a fraud. Security industry specialists are finding that early detection is essential for quick recovery and can save organizations money and distress from media backlash.

Features your Credit Card strategy should provide:

  • Tools that allow security teams to create a proactive card security strategy
  • The ability to block stolen credit cards
  • Harden your cybersecurity profile by automating protection
  • Protect against unauthorized purchases
  • Reduce insurance costs due to control and credit card fraud mitigation

In addition, the Blueliv Botnet module can help you to reduce the risk of breach by detecting in real-time compromised credentials and infected POS.

Having a well-mapped, well-automated detection system in place takes the guesswork out of the process. Though card thieves will use cards local to their point-of-use, they may access and use local cards remotely from other continents.

Sadly, the Sonic Drive-In is only one of the other companies where credit cards were stolen in 2017. MarketWatch reports another “massive” security breach of customer credit cards at Chipotle, the U.S. burrito chain with locations in Canada, Germany, and France, between March 24 and April 18, affecting 2,250 restaurants.

Some 44 percent of adults have received a fraud alert, a 15 percent increase since 2015 according to a survey done last May by the credit card website

These incidents are disheartening but they don’t have to happen, not when you can have alerts integrated right into your existing security.

Blueliv is happy to help your organization design an Enterprise Intelligence Solution that meets your unique business requirements.

Feel free to reach out and schedule a free demonstration.


Blueliv Credit Card Theft Solution

Our Enterprise level solution module for credit cards delivers a real-time list of recovered credit cards. It also gives you early warning of suspicious activity that may be evidence of  VIP and corporate card theft.

Our automated system includes a heat map of credit card black markets and infected point-of-sale systems.

With live carding threat data, you know which systems are infected, how, and when the intrusion occurred. The credit card module uses fraud scoring algorithms to allow you to quickly identify stolen cards so that you can block their use.

Dark Commerce

Exploring the cybercrime industry and its business models: part 1

Read free report
Demo Free Trial MSSP