Clickjacking is a malicious technique used by cybercriminals to deceive users into interacting with something different from what they perceive on their screens. This attack typically occurs through a seemingly harmless webpage, where an invisible or disguised element is placed over a legitimate button, link, or interface. When a user clicks on what they believe to be a safe button or link, they are, in fact, unknowingly interacting with the hidden element, leading to unintended actions.

Clickjacking can be used for various malicious purposes such as:

  • Installing malware
  • Stealing credentials
  • Activating webcams or microphones
  • Making unsolicited purchases
  • Authorizing money transfers
  • Identifying locations
  • Boosting click stats on unrelated sites
  • Boosting ad revenues on sites

How Clickjacking Works

Clickjacking exploits the way web browsers and websites render content. Websites often use iframes (inline frames) to display external content within a webpage. Cybercriminals can exploit this feature by embedding a malicious iframe (an invisible or disguised frame) over a legitimate clickable element, such as a button, video, or form. The user is unaware that their click is being directed at something completely different from what they intend.

Here’s a basic step-by-step breakdown of how a clickjacking attack might work:

  1. Attacker’s Page Setup: The attacker creates a malicious webpage or advertises a legitimate-looking site. They include an invisible iframe element that overlays the targeted button or link on the legitimate page (which could be a social media “like” button, a “buy” button, etc.).
  2. User Interaction: The user visits the attacker’s page and is presented with what appears to be a normal interface, such as a video or image that they want to click on. They think they are interacting with the visible content, but in reality, they are clicking on the invisible iframe element.
  3. Unintended Action: When the user clicks on what seems like a harmless part of the page (for instance, a play button on a video), their click is actually sent to the underlying hidden element, triggering an action without their knowledge. This could result in actions like liking a social media post, sharing personal data, authorizing a financial transaction, or installing malware.

Types of clickjacking

Likejacking

This technique is used on social media, tricking users into liking pages that they didn’t intend to. For example, the hacker might manipulate the Facebook like button.

Cursorjacking

Cursorjacking is a UI redress technique which changes the cursor position to a different place than the user perceives it. The cursor is usually replaced with a fake one, using an image, and offsets the location of the user’s real cursor. This means that the user will think they are carrying out one action when they are actually completing a different malicious action in the background.

Cookiejacking

This type of UI redress attack steals the victim’s cookies. By obtaining the cookies, the attacker can access information contained within them and use it to impersonate the victim.

Filejacking 

The attacker uses this technique to access the victim’s local file systems and steal files from within them. When uploading an image, for example, a window will come up allowing you to browse the files on your device. During this type of attack, clicking the “Browse Files” button will establish an active server, giving the attacker the potential to access your entire file system.

Common Use Cases for Clickjacking

Clickjacking can be used for various malicious purposes. Some common scenarios include:

  1. Social Media Manipulation: Attackers often use clickjacking to trick users into clicking on hidden elements that automatically “like” or “share” posts, status updates, or pages on social media platforms. This can manipulate social media metrics, spread misinformation, or advertise malicious content.
  2. Financial Fraud: In more serious attacks, cybercriminals might use clickjacking to get users to unwittingly authorize online transactions, such as approving a money transfer or subscribing to a paid service. These attacks could lead to significant financial losses for individuals or organizations.
  3. Malware Distribution: Clickjacking can also be used as a mechanism for delivering malicious payloads. When a user clicks on an invisible element, they may unknowingly download malware, ransomware, or other types of malicious software that infect their device.
  4. Credential Harvesting: In some cases, attackers can trick users into submitting sensitive data, such as login credentials or personal information, by hiding input fields behind seemingly legitimate content. The user unknowingly submits this information to the attacker.

Risks and Consequences of Clickjacking

The risks posed by clickjacking are significant, as the attack is difficult to detect and can lead to serious consequences. Some of the potential risks include:

  • Loss of Personal Data: Clickjacking can be used to steal sensitive personal information, such as login credentials or financial details, often leading to identity theft or unauthorized access to user accounts.
  • Damage to Reputation: For businesses and brands, a successful clickjacking attack can damage customer trust and brand reputation. If users are tricked into liking or sharing unwanted or harmful content, it can result in negative publicity and loss of consumer confidence.
  • Financial Losses: Clickjacking attacks that lead to unauthorized transactions or the purchase of goods and services without user consent can cause significant financial damage to individuals and businesses alike.
  • Malware Infection: If the attack is used to distribute malicious software, infected users may face data loss, system compromise, and further exploitation by other cybercriminals.

Prevention and Protection

For Website Owners:

  1. X-Frame-Options Header: One of the most effective ways to protect against clickjacking is by using the X-Frame-Options HTTP header. This header prevents a webpage from being embedded in an iframe, thus blocking the malicious overlay technique. The options available for the header are:
    • DENY: This disallows any domain from embedding the page in an iframe.
    • SAMEORIGIN: This allows the page to be embedded only by pages from the same origin.
  2. Content Security Policy (CSP): CSP is a browser feature that helps mitigate various types of attacks, including clickjacking. By setting appropriate CSP directives, web developers can restrict which domains are allowed to embed content from their website.
  3. Frame Busting Scripts: Some websites implement JavaScript “frame-busting” techniques that detect if the page is embedded in a frame and automatically “bust” out of it. While this is less reliable than HTTP headers, it can add an additional layer of protection.
  4. User Interface Changes: Websites can also design user interfaces that make it more difficult for attackers to trick users. For example, placing critical buttons or links in areas of the screen that are less likely to be covered by an iframe can help reduce the success of clickjacking attempts.

For Users:

  1. Browser Security Settings: Users can improve their browser security settings to block pop-ups and iframes, reducing the risk of encountering clickjacking attacks. Many modern browsers have built-in defenses against this type of attack.
  2. Use Security Extensions: Browser extensions, such as NoScript or ScriptSafe, can block potentially dangerous scripts and iframes, offering additional protection against clickjacking and other types of malicious activity.
  3. Be Cautious with Unknown Links: Users should exercise caution when clicking on links or buttons on unfamiliar websites. If a page looks suspicious or contains unexpected prompts, it’s best to avoid interacting with it.

Conclusion

Clickjacking is a deceptively simple yet highly effective attack technique that exploits user trust and the technical functionality of web browsers. By overlaying invisible or disguised elements over legitimate buttons, attackers can deceive users into performing unintended actions. These actions can lead to significant risks, including data theft, financial fraud, malware infections, and damage to online reputations.

Organizations and website owners must take proactive steps to implement security measures and content security policies to mitigate the threat of clickjacking. Meanwhile, users should remain vigilant, use security extensions, and be cautious when interacting with unfamiliar online content to protect themselves from this type of cyberattack.

About BlackFog

BlackFog is the leader in on-device data privacy, data security and ransomware prevention. Our behavioral analysis and anti data exfiltration (ADX) technology stops hackers before they even get started. Our cyberthreat prevention software prevents ransomware, spyware, malware, phishing, unauthorized data collection and profiling and mitigates the risks associated with data breaches and insider threats. BlackFog blocks threats across mobile and desktop endpoints, protecting organizations data and privacy, and strengthening regulatory compliance.