December 20, 2010
In an email posted on Cryptome, Joly MacFie cites the website Spamhaus, which has accused a “Russian dedicated cybercrime host” of launching a cyber attack against its servers.
The denial-of-service attack occurred after Spamhaus posted a warning about wikileaks.info, described as a Wikileaks mirror. There are hundreds of websites posting copies of the Wikileaks documents.
Spamhaus accuses wikileaks.info of hosting a malware site designed to entrap unsuspecting Wikileaks supporters. The site is not connected to Julian Assange or the Wikileaks organization.
“As many of you know, both Trend Micro and Spamhaus have published warnings about a Wikileaks mirror site ‘wikileaks.info’ which is run by the person or persons behind ‘AnonOps’ from an IP address of a Russian dedicated cybercrime host (Heihachi) on which there is nothing but malware and other cybercrime,” Spamhaus writes. “Innocent people seeking to read or download Wikileaks documents are being directed to the rogue wikileaks.info server and into the hands of the crime gangs located there.”
Feike Hacquebord, writing for Trend Micro’s Malware Blog, says his company “assigns a very low reputation score to domain name wikileaks.info not because of political controversy but because of actual facts about the bad neighborhood where this domain name is hosted.”
Soon after the warning was issued, the Spamhaus website came under attack. “For trying to warn about the crime gangs located at the wikileaks.info mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do not like our free speech at all.”
Prior to the attack, wikileaks.info insisted it is not a malware site. “We find it very disturbing that Spamhaus labels a site as dangerous without even checking if there is any malware on it. We monitor the wikileaks.info site and we can guarantee that there is no malware on it. We do not know who else is hosted with Heihachi Ltd and it is none of our business. They provide reliable hosting to us. That’s it.”
“Wikileaks has been pulled from big hosters like Amazon. That’s why we are using a ‘bulletproof’ hoster that does not just kick a site when it gets a letter from government or a big company.”
The Russian site employs the services of Webalta, a Russian hosting outfit that hosts phishing fraudsters, botnet-controllers and malware-related websites, according to The Register, a British technology news and opinion website. “This has prompted anti-spam organizations such as Spamhaus to warn that visiting WikiLeaks.info may itself leave surfers exposed to malware,” John Leydon writes.
“Webalta’s 184.108.40.206/19 IP address space, a ‘blackhat’ network which Spamhaus believes caters primarily to, or is under the control of, Russian cybercriminals,” Spamhaus explains.
According to Steve Linford of the Spamhaus Project, the wikileaks.info website also posted a press release with the Wikileaks logo.
“Because they are using a Wikileaks logo, many people thought that the ‘press release’ was issued ‘by Wikileaks’. In fact there has been no press release about this by Wikileaks and none of the official Wikileaks mirror sites even recognize the wikileaks.info mirror,” explains Linford.
Linford says the “site data, disks, connections and visitor traffic, are all under the control of the Heihachi cybercrime gang. There are more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com.”
A blog dedicated to exposing the Heihachi operation lists a large number of suspicious sites on the same IP address as the one used by wikileaks.info, including sites specializing in fake ID documents, credit card info, fake watches, and steroids. “Heihachi is all too well known as a resource for scammers and other internet miscreants that uses the anonymity of the net to victimize innocent internet users,” a post on the blog states.
Heihachi’s profile fits right into the cyber threat hyped by the Department of Homeland Security and the government as it seeks to regulate and purge the internet of not only copyright infringement, but also alternative news sites.
In addition to exaggerating the threat posed by Muslim jihadists, the government has pushed the idea that there is an epidemic of crime on the web.
In April, a top White House cybersecurity aide said that transnational cybercrime is a far more serious concern than “cyberwar” attacks against critical infrastructure such as the electricity grid. Christopher Painter, the White House senior director for cybersecurity, made comments about the threat of criminal behavior on the internet at a conference arranged by top Russian cybersecurity officials in Garmisch-Partenkirchen, Germany, according to the Homeland Security Newswire.