“Given Flashback’s focus on gaming Google’s ad networks, I suspected that the worm’s author probably was a key member of forums that focus on so-called ‘black hat SEO,’ (search engine optimization), or learned in illicit ways to game search engines and manipulate ad revenues,” Krebs writes. “Sure enough, this individual happens to be a very active and founding member of BlackSEO.com, a closely guarded Russian language forum dedicated to this topic.”
In a private exchange on BlackSEO.com last summer, a user named Mavook described himself as “Creator of Flashback botnet for Macs.” It’s not clear how Krebs was able to view that private exchange — but after that, the process of uncovering Mavook’s identity was relatively straightforward.
Mavook’s profile page on BlackSEO.com shows that his home page used to be mavook.com. Krebs used DomainTools‘ lookup service to view the history of that domain’s registration, and found that it was originally registered to Maxim Selikhanovich of Mordovia. Other searches (Skype’s user database, now-deleted Facebook accounts, and more) then verified the information.
Krebs’ full description of the search process is worth a read — it’s viewable here.