A distributed denial-of-service attack against anti-spam group Spamhaus has provided evidence that cyber-criminals have found a new target: WikiLeaks supporters. The cyber-criminals have combined the intense interest over WikiLeaks with a misleading domain name to trick users into going to a fake site, security researchers said.
Spamhaus was hit by a DDoS attack on Dec. 18. Since the group had come under fire from WikiLeaks supporters for warning that wikileaks.info was under the control of a Russian host known for hosting malware and phishing sites, Spamhaus and other security researchers naturally thought it was a retaliatory attack from Anonymous.
In a message to the North American Network Operators' Group mailing list during the attack, Steve Linford, founder of Spamhaus wrote, "We're not saying 'Don't go to WikiLeaks.' We're saying 'Use the wikileaks.ch server instead.'"
After further analysis of its logs on Dec. 20, Spamhaus corrected its earlier statement in an update, reporting the attacks were from a professional botnet and not from the point-and-click LOIC (Low Orbit Ion Cannon) tool that Anonymous uses for its DDoS attacks.
The entire saga began Dec. 14 when Spamhaus issued a warning that the previously defunct wikileaks.org site was redirecting to a mirror on the wikileaks.info domain, which was actually being hosted by Webalta, a Russian bullet-proof host. The host has often been associated with phishing, banking fraud, stolen credit card information and malware, according to Spamhaus. The main .org site has been offline ever since the site's U.S.-based DNS provider withdrew services earlier this month.
Chester Wisniewski, a senior security adviser at Sophos, wrote on the Naked Security blog that it was not clear how the Russian host had gotten control over that .org site.
Spamhaus advised users to use a safer URL, such as the current official home of WikiLeaks, at wikileaks.ch, or one of the official mirrors listed on the site. The .info site was not listed as an official mirror even though it was displaying WikiLeaks documents and it could have become a "real threat" if the pages had actually hosted malicious content, wrote Wisniewski.
Trend Micro also issued a similar warning, saying, "No matter what your political view is, this is rather disturbing." The security firm assigned a low reputation score to wikileaks.info "not because of political controversy" but because of the "bad neighborhood" where the domain is hosted.
Even though Sophos has not found any malware, it would be safer to use the wikileaks.ch site instead, said Wisniewski.
On Dec. 15, a press release with a WikiLeaks logo on the main page of the .info site claimed the information from Spamhaus was "false" and "none of [Spamhaus'] business," and called on supporters to "voice their concern" about the warnings, in a clear reference to Operation Payback, according to Linford.
While the logs vindicate Anonymous, Spamhaus conceded that it has identified the attacker but not the reasons for the attack. The anti-spam outfit now believes the attacks came from the Russia-based Heihachi group, which resells Webalta services. Heihachi controls enough botnets for the attack and may have retaliated after being unmasked, said Spamhaus.
The attack must have been fairly substantial to actually knock Spamhaus offline, as the organization faces DDoS attacks on an almost daily basis, most of which it is able to handle without trouble. That should have been the first clue this was not an Anonymous operation, as the group can't come up with that kind of firepower.
A "vigilante DDoS attack" of several hundred machines using LOIC can't do a lot of damage to sites that are built to withstand attacks. Instead, a "botnet of millions of machines" would be needed, according to Jason Hoffman, co-founder and chief scientist at Joyent.
After the DDoS attack, Anonymous also denied responsibility, according to a Spamhaus statement on its site. The statement also claimed many of the members were distancing themselves from those who had promoted the attack.
"Our old domain name, AnonOps.net, did indeed reside on the Heihachi network; however, this does not mean that we are related in any way to an attack carried out by one of Heihachi's partners or customers," Anonymous said in a letter to Spamhaus.
The other potential risk apart from malware is that the fake site can post "fake WikiLeaks documents" that could "mislead people into believing just about anything they like," said Wisniewski.
"Currently wikileaks.info is serving highly sensitive leaked documents to the world, from a server fully controlled by Russian malware cyber-criminals, to an audience that faithfully believes anything with a 'Wikileaks' logo on it," Linford wrote.