Target Corp. has confirmed that a payments breach that likely exposed some 40 million U.S. debit and credit accounts was caused by a malware attack that infected its point-of-sale system (see Target Breach: What Happened?).

Target CEO Gregg Steinhafel confirms the company is working with the Secret Service and the Department of Justice to investigate the incident. "This unauthorized access is a crime, and we are taking it very seriously," the company states in the latest notice on its its website.

Although Target is not issuing any details about the forensics investigation, Andrey Komarov, CEO of cyberintelligence firm IntelCrawler, says card numbers compromised in the Target breach are flooding underground forums and continued to be posted for sale as recently as Dec. 20. For now, forums with URLs based in Asia and Eastern Europe are being closely monitored for carding activity linked to compromised Target transactions, he says.

"It is important to analyze online underground shops for presence of compromised data in order to find any relations between bad actors trading the data and real hackers who made the intrusion," Komarov says.

Fraudsters know the compromised card numbers won't be good forever, he says, so fraud associated with compromised accounts will likely occur immediately. "In my opinion, this incident is very similar to the RBS WorldPay hack and Heartland Payments intrusion," he says.

Brian Krebs, the cyber-security blogger who broke the Target breach story Dec. 18, also blogged this week about cards associated with the Target attack appearing for sale in underground forums.

Bank Action

Banking institutions, including JPMorgan Chase, are working directly with their customers to address card fraud risks.

On Dec. 21, Chase told customers that debit and reloadable debit accounts identified as being at risk because of the Target breach would have temporary cash withdrawal and purchase restrictions of $100 and $300, respectively, until new cards could be issued. On Dec. 23, the bank issued a revised statement, noting that those cash and purchase limits had been raised.

"To minimize inconvenience to our customers, we raised those reduced limits today to $250 at ATMs and $1,000 in purchases per day in the United States," Chase states. "We may continue to change these limits if we think it makes sense, so please check chase.com for updates."

Consumers also have filed a series of class action lawsuits seeking millions in damages from the Minneapolis-based retailer, according to published reports.

Also, attorneys general in Connecticut, Massachusetts, New York and South Dakota have requested Target provide more information about the breach. On Dec. 19, New York Attorney General Eric Schneiderman also requested that Target provide one year of free credit monitoring to all impacted New York residents.

Target notes on its breach FAQ page, which is constantly being updated, that it is offering free credit monitoring to anyone impacted. "We are in the process of establishing the service and will be reaching out to guests in the coming weeks with more information," Target says.

Lots of Attention

Shirley Inscoe, a financial fraud analyst with the consultancy Aite, says Target's breach is getting more attention than previous retailer breaches.