What is clickjacking? How to prevent clickjacking attacks
Clickjacking attacks – also known as UI redressing or UI redress attacks – remain prevalent. In this article, we explain what clickjacking is, how it works and how you can prevent it.
Clickjacking meaning and definition
Clickjacking is an attack that tricks users into thinking they are clicking on one thing when in fact, they are clicking on something else. Essentially, unsuspecting users believe they are using a webpage’s usual user interface when in reality, attackers have imposed a hidden user interface instead. When users click on buttons they think are safe, the hidden user interface performs a different action. This can cause users to inadvertently download malware, provide credentials or sensitive information, visit malicious web pages, transfer money, or purchase products online.
There are different variations of clickjacking attacks and because of that, the terms ‘user interface (UI) redressing’ or ‘UI redress attacks’ are often used to encompass different variations.
How does clickjacking work?
Clickjacking is made possible because of HTML frames or iframes – i.e., the ability to display web pages within other web pages through frames. Essentially, an iframe is a frame within a frame. Iframes enable you to embed content from other sources onto your webpages. For example, when you visit a website that has an embedded YouTube video displayed, that video exists within an iframe.
Users then navigate the web page, expecting links and buttons to work normally. But the hidden UI means the attacker’s script works instead. The attacker’s script can work behind the scenes to make it appear as though nothing is wrong. This makes a range of malicious actions possible, including:
- Installing malware
- Stealing credentials
- Activating your webcam or microphone
- Making unsolicited purchases
- Authorizing money transfers
- Identifying your location
- Boosting click stats on unrelated sites
- Boosting ad revenues on sites
- Gaining likes on Facebook or increasing views of YouTube videos
This isn’t an exhaustive list. Because user interfaces can be cloaked with any kind of link, the destructive options are extensive
It’s also important to remember that clickjacking isn’t just about mouse clicks. Using a combination of stylesheets, text boxes, and iframes, an attacker could fool an unsuspecting user into thinking they are typing in their password on their online banking site, when in fact they are typing it into a site controlled by the attacker.
As with other forms of cybercrime, clickjacking attacks often rely on some form of social engineering to direct the targets to the compromised or malicious site. This might be an email, a text message, a social media post, and so on.
Types of clickjacking attacks
Likejacking tricks social media users into liking things they didn’t intend to. For example, the attacker’s Facebook page might be embedded in the invisible iframe which means the user doesn’t realize that in reality, they are actually clicking the attacker’s invisible ‘Like’ button.
Cursorjacking changes the user’s cursor position to a different place from where the user perceives it. A typical cursorjacking attack replaces the actual cursor with a fake one, using an image, and offsets it from the location of the real cursor. As a result, the user believes they are making a particular action while they are really making another one. When the victim clicks an intended element with the fake cursor, the actual cursor clicks a malicious element. The real cursor may remain visible in a cursorjacking attack, although efforts are made to focus the victim’s attention on the fake one.
Cookiejacking is a UI redress attack that steals the victim’s cookies. Once the attacker obtains the cookies, they can access the information they contain and use it to impersonate the victim. This is typically achieved by tricking the victim into dragging and dropping an element on the page. What they are actually doing is selecting the contents of their cookies on the embedded invisible page and handing that over to the attacker. The attacker can then perform actions on the target website on behalf of the user.
Filejacking allows the attacker to access the victim’s local file system and take files. For example, when you upload a photo to social media, a file browser window appears and you can navigate your file system. In a filejacking attack, clicking the ‘Browse Files’ button (or however your browser labels it) establishes an active file server, potentially giving the attacker access to your entire file system.
In 2022, it was reported that a security researcher claimed to have discovered an unpatched vulnerability in PayPal's money transfer service that could allow attackers to trick victims into unknowingly completing attacker-directed transactions with a single click. The researcher found that attackers could embed a malicious endpoint inside an iframe, which could cause a victim already logged in to a web browser to transfer funds to an attacker-controlled PayPal account simply on the click of a button. This could also have disastrous consequences in online portals that integrate with PayPal for checkouts, since if left unpatched, the malicious actor could deduct arbitrary amounts from users' PayPal accounts.
In 2017, a type of malware known as Svpeng was going viral. Svpeng initially appeared in 2013 to steal banking details from Android device users. Once it was downloaded onto a mobile device, it clickjacked user data, but the problem went deeper than that. Once the malware gained access to Administrator privileges, it could choose which overlay screens to use, send and receive SMS text messages, make phone calls, and read contacts.
The malware then sent screenshots and other material hijacked from the device back to a Command-and-Control server operated by the hackers. This included contacts, installed apps, call logs, and SMS texts, and wasparticularly problematic because banks typically send verification codes to users via SMS texts. Within a single week, Svpeng had spread across 23 countries.
There are no perfect defenses against clickjacking. Most of the steps need for clickjacking defense need to be carried out by webmasters. But there are actions individuals can take to reduce their risk, including:
Watch for emails claiming to address an urgent matter
One of the most common ways clickjacking software gets on devices is through targeted emails. Unfortunately, in a world where hackers have stolen billions of customer accounts with contact details, it only costs pennies per account for cybercriminals to buy this information. The likelihood of cybercriminals having at least your email account on file along with its associated bank is high.
Watch out for emails that arrive in your inbox claiming to address an urgent matter requiring your attention. These emails require you to click a link, and that link could take you to a website that looks identical to your banking or other official website to fool you into downloading the latest version of the institution's app or filling out profile information.
Do not download any suspicious apps
If the goal of clickjacking is to get you to download an app, the app is probably malware that captures and steals all your credentials. In other cases, the website itself could be the source of the malware that sneaks onto your device. Regardless of how it happens, the malware presents false input layers for you to fill out. Stay vigilant by not downloading any app you are unsure of. Always download apps onto devices through authorized app stores. The official app stores have both software agents and human beings working to weed out malware and inappropriate content.
Avoid clicking on too-good-to-be-true Google or Facebook ads
It's important to avoid clicking on ads on search engine results pages or social media that appear to offer something too good to be true or promote news or stories that seem out of the ordinary. In some cases, clicking on these items could take you to a website that downloads clickjacking software onto your computer. Instead, look for the news on an alternative channel, such as a reputable, long-standing news source. If the news is real, it won't be hard to find on valid outlets.
Install anti-clickjacking browser extensions
- Scriptsafe for Chrome
- NoScript for Mozilla Firefox
- JS Blocker for Safari
Use a robust antivirus
To protect yourself against cybercrimes, including clickjacking, it’s strongly recommended to use a comprehensive antivirus. A quality antivirus should work 24/7 to secure your devices and data, blocking common and complex threats like viruses, malware, ransomware, spy apps and all the latest hacker tricks.
It’s important to stay vigilant against clickjacking attacks. Fortunately, most browsers these days have built-in protection against clickjacking, either by blocking malicious websites or warning users that they are about to access a potentially dangerous site. By practising cyber hygiene and avoiding online service providers that offer free or pirated services, it is possible to stay safe against clickjacking.