Spam tracking outfit Spamhaus has warned that that the original WikiLeaks address, wikileaks.org, now redirects traffic to a site operated by what it calls 'Russian cybercriminals'.
It says Webalta's 188.8.131.52/19 IP address space has been listed on the Spamhaus Block List (SBL) since October 2008 due to nefarious activites associated with the address
Spamhaus regards the Russian Webalta (also known as Wahome) host as being "blackhat" - a known cybercrime host from whose IP space Spamhaus only sees spamming, malware/virus hosting, phishing and other dodgy activities.
The outfit says it is concerned that any WikiLeaks archive posted on a site that is hosted in Webalta space might be infected with malware.
The main wikileaks.org web site now redirects visitors to mirror.wikileaks.info and thence directly into Webalta's controlled IP address space, which means, Spamhaus says, that "there is substantial risk that any malware infection would spread widely."
The outfit also thinks the mirror site mirror.wikileaks.info is a bit dodgy and reckons the content of the site is not the same as other WikiLeaks mirrors. It suggests users head to the organisation's 'real' site at wikileaks.is, wikileaks.nl, or one of many other mirror sites around the world.
Spamhaus says it "takes no political stand on the WikiLeaks affair". A spokesman said he hopes "WikiLeaks staff will quickly address the hosting issue to remove the possibility of cybercriminals using WikiLeaks traffic for illicit purposes."
On Sunday researcher Feike Hacquebord at Trend Micro issued a similar warning in the Trend Micro Malware Blog.