In terms of stealth moves -- hello "Office Space" -- in fact card data has a finite life, thanks to "card brands" either invalidating those numbers and issuing new cards (as some have done) or else using "enhanced fraud protection measures" (i.e. not paying for the cost of reissuing a card, and hoping to spot any fraudulent transactions -- more fun for cardholders). So there's an impetus for carders to move the goods quickly.

On that front, Brian Krebs said via Twitter yesterday: "Another set of 2 million cards stolen from Target ("Eagle Claw") goes on sale at Rescator sites (all part of batch stolen 11/27 - 12/15)."

BlackPOS is Windows malware. But some POS terminals run Windows. Others, Java. So there was a question -- which hasn't yet been officially answered -- about whether attackers managed to infect POS terminals themselves, for example if they were Internet-connected and set to use a default password. Then a secondary hack of a system inside Target might have served as the command-and-control server (mothership), and routed stolen data via FTP to Russia. 

That's crucial information for other retailers looking to avoid a copycat hack against their systems. 

But based on what's known now, it looks like the payment system was hacked. From a time/effort standpoint, this makes a lot of sense. Launch a phishing attack (again, just a guess) that manages to sneak malware onto the Windows system that manages payment processing -- i.e. sends/receives data from all of those POS terminals in stores  -- and you have an elegant (from an attacker's perspective) way to siphon large amounts of card data. Add the twist of only sending this information out of the firewall to an attacker-controlled server during working hours, and you make related data exfiltration tougher to spot.