Clickjacking, also known as a UI redress attack or UI redressing, is a common malicious technique in which an attacker stacks several carefully arranged layers to trick a user into clicking a button or link on a hidden page when they intended to click on something else. In this way the attacker steers the user's click onto a link from an external source while "hijacking" the original page. The technique has almost limitless uses when it comes to exploiting users. For example, such an attack can trick customers into entering their bank details into a third-party page that mirrors the original one.
What is a clickjacking attack?
Clickjacking is a malicious activity in which malicious links are hidden behind genuine-looking clickable buttons or links, so that a user's click triggers an action they did not intend.
A common and extremely destructive example of this technique is an attacker building a website with a button that says "Click here to enter the contest". Right on top of that button, however, they place an almost invisible frame containing the "Delete all contacts" control from your Gmail account. The victim tries to click the visible button but instead clicks the invisible one. The attacker has therefore "hijacked" the user's "click", hence the name clickjacking.
In recent times, clickjacking has reached popular services such as Adobe Flash Player and Twitter. Some attackers have changed Adobe Flash plug-in settings: by loading the Flash settings page in an invisible iframe, an attacker could trick a user into changing Flash's security settings, allowing any Flash movie to use the computer's microphone and camera.
Speaking of Twitter, clickjacking was the mechanism behind a Twitter worm. The attack rather cleverly targeted users, forcing them to retweet a link and spread it widely before Twitter intervened to contain the worm.
What is Cursorjacking?
What is Likejacking?
In addition to cursorjacking, there have been incidents of likejacking. Made popular after the rise of Facebook in pop culture, this self-explanatory term means tricking a person into "liking" a Facebook page they never intended to like.
Clickjack Protection Tips
X-Frame-Options
This solution, introduced by Microsoft, is one of the most effective defences against clickjacking attacks on your site. You include the X-Frame-Options HTTP header in the responses for all your web pages, which prevents your site from being framed. X-Frame-Options is supported by the latest versions of most browsers, including Safari, Chrome and IE, but may have issues with Firefox. The great part about X-Frame-Options is that it is extremely simple, but it does require access to the web server configuration or to the server-side scripting language.
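As an added example (not code from the article), a small Python script that sends X-Frame-Options with every page and, as the check a practitioner wants before relying on it, classifies a captured set of response headers. It also honours the Content-Security-Policy frame-ancestors directive, the standard successor that the article does not cover, and assumes the captured headers are available as a plain dict.

```python
"""Added example (not from the article): check and send anti-framing headers."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers to send with every page; use SAMEORIGIN / 'self' if your own pages frame each other.
ANTI_FRAMING_HEADERS = {"X-Frame-Options": "DENY",
                        "Content-Security-Policy": "frame-ancestors 'none'"}

def _get(headers, name):
    """Case-insensitive lookup in a plain dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None

def framing_policy(headers):
    """Classify how a response may be framed: 'deny', 'sameorigin', 'allowlist' or
    'unprotected'. CSP frame-ancestors wins over X-Frame-Options, as in current browsers."""
    csp = _get(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = [t.lower() for t in tokens[1:]]
                if not sources or sources == ["'none'"]:
                    return "deny"  # an empty source list matches nothing
                if sources == ["'self'"]:
                    return "sameorigin"
                return "allowlist"
    xfo = _get(headers, "X-Frame-Options")
    if xfo:
        value = xfo.upper()
        if value == "DENY":
            return "deny"
        if value == "SAMEORIGIN":
            return "sameorigin"
        if value.startswith("ALLOW-FROM"):
            return "allowlist"  # obsolete form; most browsers ignore it entirely
    return "unprotected"

class Handler(BaseHTTPRequestHandler):
    """Minimal server that sends the anti-framing headers with every page."""
    def do_GET(self):
        self.send_response(200)
        for name, value in ANTI_FRAMING_HEADERS.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(b"<h1>This page refuses to be framed</h1>")

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

A response with neither header, or with only the obsolete ALLOW-FROM form, is reported as frameable, which is the case the article warns about.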
Move elements on your pages
An attacker trying to clickjack your web pages does not know the current locations of the elements on your site; they can only position their overlay according to your default layout. It is therefore a good idea to move things around on your page. For example, attackers may target the Facebook Like button; by moving it to another location, you can easily detect when such an attempt occurs. The only problem with this solution is that it is extremely difficult for ordinary users to carry out.
This is a fairly advanced method of protection against clickjackers who are knowledgeable enough to bypass your basic filters. You can make the attack much more difficult by including a one-time code in the URLs of crucial pages. This is similar to the nonces used to prevent CSRF, but differs in that the nonce goes into the URL of the target page rather than into the forms on that page.
Clickjack Prevention Tips
Assess email protection
Installing and checking a strong spam filter is an effective way to detect many attacks on your accounts. Clickjacking attacks usually start by luring a user to a malicious site via email, using forged or specially crafted messages that appear genuine. Blocking illegitimate emails reduces your exposure to clickjacking and to a host of other attacks as well.
Use web application firewalls
Web application firewalls (WAFs) are an important aspect of security for businesses that keep most of their data on the Internet. Some of these companies tend to ignore the need for one and end up suffering massive clickjacking incidents. Recent data has shown that nearly 70% of all SMBs have been hacked in some way over the past decade. A WAF can take a huge burden off your plate, significantly reduce risk, and cost less than the loss you might otherwise incur.