The arrest of two Mexican citizens at the U.S.-Mexico border has uncovered 96 fraudulent credit cards using compromised card data stolen in the recent Target breach that may affect as many as 110 million customers, according to reports.
“McAllen Police Chief Victor Rodriguez said Monday that 27-year-old Mary Carmen Garcia and 28-year-old Daniel Guardiola Dominguez, both of Monterrey, Mexico, used cards containing the account information of South Texas residents,” CBS reports. “The chief says they were used to buy tens of thousands of dollars’ worth of merchandise at national retailers in the area.”
Using the cloned cards within the general vicinity of the account holders would have made the fraudulent purchases more likely to go undetected, and it is an indication that the potential full impact of the breach has yet to be determined.
By mid-December, it was known that data from millions of credit and debit card accounts stolen in the breach, suspected to have lasted from Black Friday through December 15th, had already hit the black market.
Officials from at least one major bank had confirmed that they found stolen account information being sold on the black market in large batches of one million cards, with prices ranging from $20 to more than $100 per card.
Reuters also recently reported that several other major retailers were the victims of consumer data losses over the holiday season in addition to Target and Neiman Marcus, though the breaches have yet to be publicly disclosed.
The attackers are thought to have used techniques similar to those employed by the Target attackers, who authorities believe infected point of sale (POS) terminals with data-sniffing malware, and some now speculate that the attacks may have been conducted by the same criminal organization based out of Eastern Europe.
An investigation by security journalist Brian Krebs indicates that the malware used to breach the point of sale (POS) systems, known as “Reedum,” has been available on underground criminal forums under the name of “BlackPOS” since at least the middle of last year.