Miscreants are making fraudulent donations to CastleCops in a bid to discredit the volunteer security community.
Stolen credit card details are being used to fund PayPal accounts from which the fraudulent donations are made. CastleCops' work has made it a bête noire for black hats. As a result, its site is regularly subjected to denial of service attacks.
CastleCops has posted a note explaining that it has nothing to do with the fraudulent transactions.
Security observers reckon the switch of tactics - from flooding CastleCops' website to making fraudulent donations - could misfire against its perpetrators.
"If their purpose was to discredit the organisation in this way, then they appear to have been rather naïve. Perhaps, more importantly, they have unintentionally indicated their level of maturity and understanding of how people really perceive this threat," writes Gunter Ollmann, of IBM's ISS security division.
"I believe that the net result of their actions has been to strengthen outsiders' perception of CastleCops, and to publicly validate that more work needs to be done to make the internet a safer place."
The victims of credit card fraud stemming from the attack are more likely to blame fraudsters than CastleCops, he adds.
The use of fraudulent donations to charity sites is becoming more commonplace as a way for fraudsters to discover which card details are valid. A list of credit card details purchased on the black market is likely to include out of date records.
Online donation sites make the process of sorting the wheat from the chaff far more straightforward. Fraudsters avoid the need to bother dealing with shopping carts and inventory lookups when conducting transactions with such sites, which are built to deal with hundreds of card transactions per second. ®