What is Clickjacking?
How many times have you been redirected to a page you did not intentionally click on? Pop-ups and pages containing obscene images that randomly open web pages you didn't click on all fall under the category of clickjacking. Clickjacking, also known as a UI redress attack, is when an attacker uses transparent layers to trick the user into clicking something other than what they see. A user interface redress attack, much like its name suggests, seeks to cover the intended target of the click using opaque layers, so the user thinks they are clicking one thing when in reality they are being tricked into clicking something else entirely.
The purpose is not only to seek control of the user's files and computer by redirecting them to malicious pages, but also to attempt to gain more information by tracking keystrokes or enabling Flash to turn on the user's webcam without their knowledge. Clickjacking is also the reason behind auto-generated tweets that direct your followers to a dodgy web page when clicked, something most of us have been victims of. Therefore, there is a dire need to understand the cyber security tips discussed in this article to remain on the safe side.
Impact
If internet security tips are not taken into consideration, the impacts can be catastrophic. The harmful consequences of clickjacking are not confined to clicking on pages unknowingly; they extend to the leak of personal information. Failing to know what you are allowing by clicking can have numerous adverse impacts on not only your computer but also your personal information. When a click allows the attacker access to your webcam feed, it is not only a breach of privacy but can also lead to the leak of otherwise sensitive and confidential information. Widespread usage of iframes has led to thousands of users losing access to their Gmail and iCloud accounts.
Examples
Clickjacking is one of the easiest and most common attacks on the internet; almost every user has been a victim of a clickjacking scam. Whilst browsing the internet, it is fairly common to see advertisements such as 'click here for a free iPhone'. The catch is that user interface redressing allows the attacker to hide layers under the advert that the user sees. So under the free iPhone pop-up, there is actually an invisible button which might lead you to cause harm to your computer.
Alternatively, attackers could use iframes to hijack keystrokes; that is, the frame could look like an actual Gmail frame and page, but it is actually an attempt to track your keystrokes in order to steal valuable information such as passwords and credit card details.
Another very common example is tricking the web surfer into clicking on something that enables their webcam and microphone without their knowledge, leading to an intrusion of privacy and much more.
How to fix it
For a web developer, ensuring strong safeguards against cyber-attacks is of utmost importance. To prevent a clickjacking attack, add-ons can be installed in browsers. For example, a Mozilla Firefox user can install the NoScript add-on as protection against clickjacking. This is a pretty useful internet security tip.
Another external application, known as GuardedID, forces all frames to become visible. Similar add-ons and applications include Framekiller and Gazelle. This is also one of the most widely applied mobile phone security tips.
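On the web developer's side, the corresponding safeguard is the pair of standard response headers that tell browsers who may frame a page: X-Frame-Options and the Content-Security-Policy frame-ancestors directive. The following added example (not from the original article, and going beyond the add-ons it lists) classifies a response's framing protection from its headers; the function names, verdict labels and sample responses are constructed for illustration.

```javascript
// Return the frame-ancestors source list of one CSP policy, or null if absent.
function frameAncestors(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Classify a response as "deny", "restricted" or "framable" from its headers.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // Only the enforcing CSP header counts; the -Report-Only variant never blocks.
  // Several policies may arrive comma-joined, and each one must allow the framer.
  const lists = (h["content-security-policy"] || "")
    .split(",").map(frameAncestors).filter((l) => l !== null);
  if (lists.length > 0) {
    // An empty source list or a lone 'none' matches no ancestor at all.
    const none = (l) => l.length === 0 || (l.length === 1 && l[0].toLowerCase() === "'none'");
    if (lists.some(none)) return { verdict: "deny", via: "csp" };
    const broad = (l) => l.some((s) => ["*", "http:", "https:"].includes(s.toLowerCase()));
    return { verdict: lists.every(broad) ? "framable" : "restricted", via: "csp" };
  }

  // Without frame-ancestors, browsers fall back to X-Frame-Options.
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { verdict: "deny", via: "xfo" };
  if (xfo === "SAMEORIGIN") return { verdict: "restricted", via: "xfo" };
  // ALLOW-FROM is obsolete and ignored by current browsers; any other value,
  // or no header at all, is treated here as no protection.
  return { verdict: "framable", via: xfo ? "xfo-unusable" : "none" };
}

// Constructed sample responses (not captured traffic).
const samples = [
  { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  { "X-Frame-Options": "sameorigin" },
  { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  { "Content-Security-Policy-Report-Only": "frame-ancestors 'none'" },
  { "Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY" },
];
for (const s of samples) console.log(JSON.stringify(s), "->", framingPolicy(s));
```

The last sample shows the case that audits most often miss: a permissive frame-ancestors directive takes precedence, so the DENY in X-Frame-Options beside it has no effect in browsers that support CSP.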
Recent attacks
Facebook YouTube video:
Facebook has decided to take clickjackers that seek to increase the popularity of their page by generating 'fake likes' to court. One of the latest clickjacking attacks was on Facebook, where a video on a website called YouTube was shown; however, clicking on said video led to an invisible Facebook Like of the content.
One of the most common ways is to sensationalize something, advertising things falsely as ‘exclusive content’, ‘world news’ and most commonly fake celebrity gossip!
Google Adsense Abuse:
Ad fraud undermines the sanctity of the advertisement industry's usefulness. The fraudulent website generates fake clicks on an advertisement that in turn generate millions in revenue. Attackers use clickjacking to malvertise by using ad bots to create thousands of impressions a day. Google has installed safe gateways and safeguards that redirect the bot to Google before the false impression on the advert. The latest example involves users being redirected to a bogus adult website that has hidden layers; every time the user clicks on the site, they are in turn clicking on the advert!
Conclusion
One of the most common attacks, clickjacking is used for little things such as gaining likes on a Facebook page, views of YouTube videos, promotional tweets etc. Alternatively, it is also used to install malware on the user's computer to gain access to other computers and files. Clickjacking thrives on the fact that most of us are already logged into our respective Amazon, eBay, and Gmail accounts; attackers use this to their advantage.
Therefore, one of the most useful cyber security tips, and one that also ensures your social security by protecting your accounts, is to stay alert, avoid dodgy websites and look closely, for no matter how hard the attacker tries, iframes don't always look like the original.