The web site that first broke the news that data on millions of credit cards was lifted from big box retailer Target now reports that those cards are being used to make fraudulent purchases at brick-and-mortar stores, including at Target itself.
Writing on the website Krebsonsecurity.com, Brian Krebs said that so-called “dumps” of stolen card data are flooding underground “carder” web sites where cyber criminals fence stolen card information.
Citing an unnamed source at a New England bank, Krebs said that the bank had, with his help, purchased about 20 cards for its customers that were offered for sale on rescator(dot)la, the carder web site, and confirmed that all the stolen cards had been used at Target.
Furthermore, the source confirmed to Krebs that some of the stolen cards had already been used to make fraudulent purchases – including at Target and other big box retailers. Only one of the 20 stolen cards purchased by the bank had been cancelled due to fraud, Krebsonsecurity.com reported.
The stolen cards have been uploaded to the carder website almost daily in groups of around 100,000 cards at a time, starting in early December. The batches of cards are branded “Tortuga” (Spanish for “turtle”), Krebs reported.
The Security Ledger was able to confirm that debit and credit card numbers were being offered for sale under the name “Tortuga,” but could not verify that they were legitimate or linked to Target.com.
Because stolen credit cards are soon cancelled, criminals must turn around any accounts they purchase in short order, using them to buy high-value goods that can easily be resold (fenced) online. Customers at the carder site posted rave reviews for the Tortuga dumps, with many bragging of successful withdrawals (or “swipes”) totaling thousands of dollars a day. Those who purchased accounts from the stolen “Tortuga” dumps also praised the thieves’ inclusion of ZIP codes for the cards, allowing cyber criminals to make in-state purchases that are less likely to arouse suspicion.
Target did not respond to a request for comment by The Security Ledger. The company has acknowledged being hacked and has urged its customers to pay close attention to credit card statements for signs of fraud.
Target is just the latest company to be caught up in a large-scale breach. In October, the software vendor Adobe disclosed the theft of more than 150 million customer credentials affecting 38 million active customers. Then, in November, the web site Krebsonsecurity.com disclosed that data belonging to around 40 million customers of CupidMedia – an online dating firm – was discovered on a server linked to cyber criminals involved in the attacks on Adobe, PR Newswire and other companies.
However, the news comes at a difficult time. The final days before Christmas are the busiest and most profitable of the year for retailers. Target has said that it has addressed the security flaw that led to the compromise, but news of the hack and the theft of credit card information may discourage shoppers from visiting Target stores in the short term. Customers angry at the company took to social media to express frustration, with more than 1,000 comments posted on Target’s Facebook page, many expressing anger and disappointment at the incident.
The long-term impact on the company is less clear. Massachusetts-based TJX was famously the subject of a huge breach and the theft of some 45 million card numbers. The breach proved costly, but TJX paid off fines associated with the incident in short order and has remained profitable throughout.