-
Bebo outage causes shutdown rumours
Social network Bebo is still inaccessible after an apparent technical error took the site offline yesterday.
Bebo was previously hosted on the Akamai content delivery network, which generally increases a site's resilience to network outages and traffic spikes, but DNS lookups for the www.bebo.com website are currently not resolving:
$ ping www.bebo.com
ping: cannot resolve www.bebo.com: Host name lookup failure
$ dig www.bebo.com
; <<>> DiG 9.5.1-P3 <<>> www.bebo.com
;; global options: printcmd
;; connection timed out; no servers could be reached
Twitter is currently awash with self-propagating rumours that Bebo has been shut down for good; however, this has been debunked by TechCrunch, which reports a Bebo spokesperson as saying the site went down due to "a technical clusterf**k". Michael Birch, who originally founded Bebo with his wife Xochi, also tweeted that the site should be coming back in a matter of hours.
-
Attacks resume against US Department of Justice
The United States Department of Justice appears to be under attack for the second time since the popular Megaupload file sharing site was taken down. The group Anonymous appears to be carrying out this latest attack in protest against the Anti-Counterfeiting Trade Agreement (ACTA).
In its Mega Song music video, which was released last month, Megaupload claimed the site had 1 billion users and accounted for 4% of all traffic on the internet. www.megaupload.com was the 77th busiest site according to the Netcraft Toolbar. The company's main website was hosted by Carpathia Hosting, but now displays an FBI anti-piracy warning hosted by Amazon. The warning explains, "This domain name associated with the website Megaupload.com has been seized pursuant to an order issued by a U.S. District Court." Despite the static nature of the warning page, it appears to have struggled with the amount of traffic it was receiving over the weekend:
-
“Operation Italy” takes down government website

Plans by Anonymous to launch a distributed denial of service attack against www.governo.it were changed half an hour before the attack was scheduled to commence. The group used IRC, Twitter, Pastebin and image sharing sites to advertise the attack a day before it was due to start, but the surprise change meant that www.italia.gov.it unexpectedly ended up bearing the brunt of the attack.

The DDoS attack against www.italia.gov.it was immediately successful, with the site becoming inaccessible from 14:00 UTC on Thursday. The attack appeared to subside a few hours later and the site is now functioning normally with no apparent changes to its infrastructure.
After seeing how easily its "lulzcannon" was able to take down www.italia.gov.it, some members of Anonymous called for the original target, www.governo.it, to be attacked as well. It was not apparent how many people took part in this secondary attack, but it appeared to have a minimal impact on the site's availability:
-
Attacks continue against Finnish anti-piracy website
Finnish anti-piracy organisation TTVK is still under attack after it successfully applied for one of the country's largest ISPs to block access to the popular bittorrent tracker, The Pirate Bay. The Helsinki District Court ordered Elisa Oyj to implement the block, and Elisa responded by appealing the decision to the Helsinki Court of Appeal.

In protest against the block, AnonFinland called for its supporters to "fire their cannons" at the TTVK's antipiracy.fi website, which quickly succumbed to the attack. Anonymous has issued similar calls to arms in the past – most notably towards the end of 2010, when WikiLeaks supporters successfully used the LOIC tool (Low Orbit Ion Cannon) to attack the websites of Visa, MasterCard and PayPal.
Allied lulzships: #TPB blocked in #Finland for #Elisa customers goo.gl/h2Uxb | Fire Your cannons at goo.gl/L4SE9 #Anonymous
— AnonFinland (@anon_finland) January 9, 2012

Shortly after calling for the site to be attacked, AnonFinland tweeted a now-customary "tango down" message, signifying that the attack had succeeded. With a Netcraft site rank of only 435586, it is likely that antipiracy.fi was typically not accustomed to large volumes of traffic. This, coupled with the fact that the site does not make use of a CDN to increase redundancy or reduce network latency, may have made the organisation an easy target.
TANGO DOWN antipiracy.fi Copyright Information & Anti-Piracy Centre In Finland | And We'll keep it down as long as We want \o/
— AnonFinland (@anon_finland) January 9, 2012

antipiracy.fi – which is coincidentally hosted by Elisa Oyj – was still down at the time of publication.
-
Nigerian government hosts Halifax phishing site
The Nigerian government's National Information Technology Development Agency is currently hosting a phishing attack against Halifax on its own website at www.nitda.gov.ng. NITDA has been notified, and the Netcraft Toolbar community (which discovered the fraudulent content) is already protected from this attack.
Ironically, NITDA is the clearing house for IT projects in Nigeria, and establishes a set of security guidelines for the Federal Government of Nigeria in its Computer Network Architecture Standards (COMNAS) Framework. This document covers the national policy on network security and describes vulnerability scanning and penetration testing procedures which may have prevented the fraudulent content from appearing on its own website.
Phishing sites are quite commonly hosted on government infrastructure: In July, Netcraft blocked 146 new phishing sites hosted in government domains around the world.
-
Phishing sites using Extended Validation SSL
Netcraft's anti-phishing toolbar community identified a noteworthy phishing attack against PayPal in December. FasterPay – which describes itself as the UK's only safe, all-in-one Internet Banking payment service – was apparently hacked, and a subdirectory on the company's own website at www.fasterpay.co.uk was used to host a PayPal phishing site.
The apparent credibility of the phishing attack was enhanced by the Extended Validation SSL certificate used by the FasterPay website. This meant that any victims of the phishing attack would have been presented with the reassuring green EV indicator in (or near) the browser's address bar. This attack acts as a reminder that users must do more than merely look for the presence of an EV certificate when deciding whether or not it is safe to submit personal or financial data to a website.
The CA/Browser Forum defines a strict set of guidelines [pdf] that a certificate authority must adhere to when issuing an Extended Validation certificate. These guidelines clearly detail the steps required to verify the identity and legitimacy of an organisation when it applies for a certificate, as well as the security processes that must be implemented by the certificate authority.
Each certificate authority must maintain a comprehensive security program to protect all EV processes, including carrying out regular risk assessments. However, no such requirements are placed upon the owners of websites which use EV certificates, which perhaps highlights a weakness in the current guidelines.
According to these guidelines, one of the secondary purposes of EV certificates is to address the problem of phishing, but the attack hosted by FasterPay demonstrates how this type of protection can be undermined and rendered untrustworthy – if a user is conditioned to be reassured by the presence of an EV certificate, he will be more susceptible to any phishing attack that is hosted on a site with an EV certificate. FasterPay is by no means the first EV-toting website to have exhibited a security vulnerability, which raises the question of whether the issuance guidelines for EV certificates should also require the applicant to provide similar assurances regarding the security of the website on which an EV certificate is to be deployed – for example, by carrying out regular automated vulnerability scans or manual web application security testing.