Clickjacking, also known by names like User Interface redress attack, UI redress attack, UI redressing, is a common malicious technique used by attackers to create multiple complicated layers to trick a user into clicking on a button or link on another page when they intended to click on another page. Thus, the attacker successfully controls the user into clicking on a link from an external source, while ‘hijacking’ it from the original page. This technique has unlimited uses when it comes to user exploitation. For instance, such an attack can convince customers to enter their bank details into a third-party page that mirrors the original one.
What is Clickjacking
Clickjacking is a malicious activity, where malicious links are hidden behind genuine clickable buttons or links, making users activate a wrong action with their click.
A common and hugely destructive example of this technique could be when an attacker who builds a website that has a button on it that says “Click here for to enter the contest“. However, just beside the button, they put in an almost invisible frame that links to the ‘Delete all contacts’ of your Gmail account’. The victim tries to click on the button but instead actually clicks on the invisible button. Hence, the attacker has “hijacked” the user’s “click”, and hence the name Clickjacking.
In recent times, Clickjacking has made its way to popular services including Adobe Flash Player and Twitter. Some attackers altered the Adobe Flash plugin settings. By loading this page into an invisible iframe, an attacker could trick a user into altering the security settings of Flash, giving permission for any Flash animation to utilize the computer’s microphone and camera.
Talking about Twitter, clickjacking got into a Twitter worm. This attack was rather cleverly targeted to users, forcing them to retweet a location and spread it widely before Twitter stepped in to control the virus.
What is Cursorjacking
One kind of Clickjacking operates disguising the mouse cursor and convincing the user to replace his clicks to another location on the same page. A popular incident of Cursorjacking was discovered in Mozilla Firefox on Mac OS X systems using Flash, HTML and JavaScript code which can also lead to the spying of the webcam and the execution of a malicious addon allowing the execution of malware on the computer of the trapped user.
What is Likejacking
Apart from Cursorjacking, there have also been reported incidents of Likejacking. Made popular after the advent of Facebook into pop culture, this self-explanatory term means hijacking into the person into liking a Facebook page that he is not supposed to originally know about.
Clickjacking Protection Tips
X-Frame Options
This solution from Microsoft is one of the most effective against clickjacking attacks on your machine. You can include X-Frame-Options HTTP header in all your web pages. This will prevent your site from being placed within a frame. X-Frame is supported by latest versions of most browsers including Safari, Chrome, IE, but may have some issues with Firefox. The great part of using X-Frame is that it is extremely simple, but needs access to web server configuration and scripting language on the server.
Move elements on your pages
The attacker trying to place clickjacking on your web pages is unaware of the current locations of elements from your side. He can only place his infected elements based on the default settings. It is a good idea to try and move elements on your page; for instance, the attackers may intend to target the Facebook Like button. By moving that element to another location, you can easily detect when such an incident takes place. The only issue with this solution is that it is extremely hard for normal users to carry out.
One-Time URLs
This is a rather advanced method of protecting against clickjackers, who might be knowledgeable enough to surpass your basic filters. You may make the attack much harder if you include a one-time code in URLs to crucial pages. This is similar to nonces used to prevent CSRF but in unique in the way that it includes nonces in URLs to target pages, not in forms within those pages.
Framebuster Javascript
Another way of escaping the claws of a clickjacking attack is by checking the Javascript code to detect. This process is called frambusting
Clickjacking Prevention tips
Evaluate Email Protection
Installing and checking a strong email spam filter is one way of effectively detecting any kind of attacks on your accounts. Clickjacking attacks usually begin by tricking a user through email into visiting a malicious site. This is done by implementing forged or specially crafted emails that look authentic. Blocking illegitimate emails reduces a potential attack for clickjacking and a slew of other attacks as well.
Use Web Application Firewalls
Web Application Firewalls of WEFs are an important aspect of security in the case of businesses that have most of their data on the Internet. Some of these firms tend to ignore the need of one and end up getting attacked with massive clickjacking incidents. Recent data has shown that nearly 70 percent of all SMBs were hacked in some capacity in the last decade or so. It can take a huge burden off your plate, greatly reduces risks and costs less than the loss you might face.
Unfortunately, there is no perfect solution from preventing clickjacking, as attackers will eventually find ways to get through most of the techniques. Despite that, the most effective remedies against such attacks will be the X-Frame and the FrameBuster Javascript.