What is clickjacking and how to protect yourself?
Clickjacking, also known as user interface redressing, is a relatively new malicious technique that involves tricking users into clicking hidden links on a transparent layer. For instance, a user may encounter a pop-up message that appears to be a video. Upon clicking the “play” button, however, he or she unknowingly downloads malware. Other common clickjacking scenarios include fake CAPTCHAs, fake viral news, fake update-your-software message boxes and fake personal messages.
It’s called “clickjacking” because it hijacks the user’s clicks, essentially redirecting the user to a URL that he or she did not intend to access.
Normally, you can see the full destination URL of a link in your web browser before clicking it. And if it looks suspicious, you can err on the side of caution by not clicking it. With clickjacking, however, the URLs are hidden on an invisible layer — typically as an iframe — over the content. So, when you attempt to click the content, you actually click the invisible iframe with the hidden link.
Threats posed by clickjacking
Clickjacking is used for many nefarious purposes, some of which include the deployment of malware and viruses, social media manipulation, advertising schemes, harvesting of personal information and more. Any cyber threat that can occur from a clicked link can also occur from clickjacking.
Perhaps the most common type of clickjacking involves hiding a Facebook “Like” button on an invisible layer. In a scheme known as “likejacking,” the user clicks what appears to be a video, news article, etc., but the click actually lands on the hidden “Like” button. As a result, the individual behind the scheme has just gained another Facebook follower.
While unknowingly following another user on Facebook may sound harmless enough, some likejacking schemes such as this go one step further by harvesting users’ personal information as well. Once you begin following the user’s page, for instance, they may use scripts to automatically pull information from your profile, which they can either use for advertising purposes, identity theft, or to sell on the black market.
Another common clickjacking scheme involves hiding cost-per-click (CPC) ads on an invisible layer. CPC advertising platforms like Google AdSense pay publishers a small fee for every click they drive. In an effort to artificially inflate their clicks and generate more ad revenue, however, some of these advertisers use clickjacking. The user unknowingly clicks the ad, generating revenue for the advertiser.
In 2011, the U.S. Department of Justice (DOJ) filed charges against seven individuals for a massive $14 million clickjacking scheme. According to the indictment, users were redirected to ad-supported websites operated by the defendants, making it one of the largest clickjacking schemes to date.
Of course, clickjacking is also used to deploy malicious software. In 2015, cybersecurity experts and Skycure co-founders Adi Sharabani and Yair Amit announced a new type of malware affecting nearly 65% of all Android devices. Known as “accessibility clickjacking,” it uses traditional clickjacking schemes of hidden layers to entice users to download malware. Once deployed, however, the malware gives hackers full access to the device, including text messages, email, contacts, settings, apps and more.
How to protect against clickjacking
As long as you are using a modern, GUI-based web browser, no method is 100% effective at preventing all forms of clickjacking. Firefox, Chrome, Opera, Internet Explorer and Edge all support the use of multiple layers on websites, some of which can be invisible.
While you can always switch to a non-GUI web browser, there are other, more practical steps you can take to protect yourself from clickjacking schemes. First and foremost, keep your web browser and all associated plugins and add-ons up to date. Hackers may exploit vulnerabilities in outdated web browsers, allowing them to target you with clickjacking schemes.
There are certain tools that can protect against clickjacking and other scripting schemes. NoScript is a free-to-use Firefox add-on that automatically blocks malicious scripts and iframes. For Chrome, the Clickjacking Reveal add-on notifies you of any clickjacking schemes it detects. Running either of these programs will greatly reduce your risk of falling for a clickjacking scheme.
Taking a cautious approach when clicking buttons can also help to prevent clickjacking schemes. If you receive a Facebook message containing an obviously fake “viral” news headline, it could be a clickjacking attempt. The same applies for pop-ups featuring what appears to be a video player with a large “Play” button in the center. Don’t let your curiosity get the best of you. If you are skeptical of a pop-up, message or other content on a website, avoid clicking it.
Furthermore, webmasters can implement measures to protect visitors from clickjacking schemes. Using the X-Frame-Options HTTP header tells visitors’ web browsers not to allow iframing from other domains. Because most clickjacking schemes involve iframes, this is an effective server-side measure to protect against such schemes.
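As an added example (not code from the original article), the following Python shows that server-side measure in practice: a WSGI middleware that adds X-Frame-Options: DENY together with its modern successor, the Content-Security-Policy frame-ancestors directive, plus a checker that reports whether a given set of response headers would let another origin frame the page. The application, origins and function names are hypothetical.

```python
from wsgiref.util import setup_testing_defaults

# Headers a server sends so browsers refuse to render the page in a third-party iframe.
ANTI_FRAMING_HEADERS = [
    ("X-Frame-Options", "DENY"),                            # legacy, widely honoured
    ("Content-Security-Policy", "frame-ancestors 'none'"),  # modern equivalent
]

def anti_framing_middleware(app):
    """Wrap a WSGI app so every response carries both anti-framing headers."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [h for h in ANTI_FRAMING_HEADERS if h[0].lower() not in present]
            return start_response(status, headers + extra, exc_info)
        return app(environ, patched_start_response)
    return wrapped

def framing_allowed_from(headers, embedding_origin, page_origin):
    """True if a browser honouring these headers would let `embedding_origin`
    frame a page served from `page_origin` (simplified: no wildcard sources)."""
    lookup = {name.lower(): value for name, value in headers}
    for directive in lookup.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if "none" in sources:
                return False
            if "self" in sources and embedding_origin == page_origin:
                return True
            return embedding_origin.lower() in sources  # CSP wins over X-Frame-Options
    xfo = lookup.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedding_origin == page_origin
    return True  # no anti-framing header: any site may frame the page

def demo_app(environ, start_response):
    """Hypothetical app that sets no anti-framing header itself."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

def collect_headers(app):
    """Invoke `app` once with wsgiref test defaults and return its response headers."""
    environ = {}
    setup_testing_defaults(environ)
    captured = []
    app(environ, lambda status, headers, exc_info=None: captured.extend(headers))
    return captured
```

Wrapping the application as `anti_framing_middleware(demo_app)` is enough for both headers to appear on every response; the checker is useful for auditing responses from any server, not only this one.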
There’s no foolproof method to prevent clickjacking. However, the safeguards mentioned here will help reduce your risk of being tricked into clicking hidden links.