Cyberattacks take all forms imaginable and have become more varied over the years. Even the most internet-savvy individuals are shocked by how easily they can be tricked into sharing sensitive data or downloading malware. Some of the most devastating client-side threats involve a strategy that has been around for decades but continues to be among the most difficult-to-avoid issues: clickjacking attacks.
While the average internet user is usually unfamiliar with the term “clickjacking,” it's far more common than most people suspect. Understanding is the first step to preventing this widespread phenomenon, so we've compiled a thorough guide outlining what it involves, why it happens, and how it can be avoided.
As a leading type of interference attack, clickjacking occurs when hackers trick users into thinking they're clicking on "typical" buttons or links — when, in fact, they are clicking on something far more problematic. This is done when a webpage with malicious JavaScript is layered over the original site via an invisible iframe, fooling users into thinking all is well.
Frequently, this practice centers around fake links that lead users to dangerous websites. There, victims may find themselves downloading fraudulent apps or granting hackers access to confidential data. Simply put, this tactic hijacks the user's click — hence, the use of the term "clickjacking."
The Open Web Application Security Project (OWASP) describes this phenomenon with a scenario that may seem all too familiar: a link or button promises to help users score free mobile devices. On top of that promised page, however, is an inline frame that loads an extra HTML page.
In this specific example, a "delete all messages" function is strategically positioned above the button that is believed to send the user to the free mobile device. The result? While supposedly clicking that "free" button, the user instead clicks an invisible button with the command to "delete all messages."
This is just one specific version of clickjacking, but it's actually a quite varied attack strategy — and therein lies its danger.
Because clickjacking takes so many forms, it can be difficult for victims to identify. Be wary of the following scams, which look different from one another but all involve a clear effort to trick the user into taking unwanted actions online.
Another common term for the general phenomenon of clickjacking, "UI redressing" refers to the user interface being redressed (or altered) to convince users to take actions they might otherwise avoid. A hidden overlay containing malicious JavaScript code then redirects these users. This invisible-page method relies on the iframes embedded in certain websites. Visual subterfuge is the key, and, unfortunately, it's incredibly effective.
A top form of clickjacking in the social media age, likejacking is a Facebook-oriented version of the attack, in which users are tricked into "liking" scam accounts. Once the Like button has been clicked, this information is published on the user’s Facebook page, spreading the attack to anyone else who can see it.
Often referred to as session hijacking, cookiejacking allows malicious parties to obtain sensitive information via browser cookies. Users logging into online banking accounts, for example, could have their temporary session cookie data stolen and used against them.
Another form of session hijacking occurs when users click on email links seemingly sent by retailers — and then proceed to log in to their accounts. What they don’t know is that these links contain the session key data of the attacker, who has now just stolen user sessions and can access saved credit cards or other personal data.
An increasingly common issue for WhatsApp users, media file jacking involves a security flaw that allows malicious parties to manipulate files without the user's permission or even knowledge. This method exploits the fact that apps already installed on Android devices are able to rewrite files saved by other apps in external storage. From personal photos to audio messages and even payments, this manipulation can take many forms, making this one of the most alarming types of modern filejacking.
Centered around strategically designed cursor images, cursorjacking attacks force users to click on disguised buttons or links unintentionally — and despite their clear efforts to click elsewhere. As a result, these users may unintentionally find themselves visiting malicious pages loaded with harmful HTML, providing access to confidential data, or downloading malware. Some cursorjacking attacks can even lead to the unintended transfer of money.
Website visitors are often displeased to find themselves suddenly redirected to completely different pages, where stolen content is displayed. This is often the central subterfuge in a clickjacking variation known as pagejacking.
While Mozilla’s Firefox and Google’s Chrome web browsers have beefed up security in recent years, pagejacking still runs rampant. The practice is problematic, in part, because it involves reproducing content without express permission. Beyond this, however, pagejacking extends to the very code of the original page, so everything, from meta descriptions to keywords and even images, is fraudulently reproduced.
While this has long been a problematic strategy for blackhat (illegitimate) marketing, it can also have the undesirable side effect of leading unsuspecting users to pornographic pages. In another variation known as “mousetrapping,” users may encounter a never-ending series of pop-up windows that make it difficult to leave a particular page. No matter which forms these attacks take, business leaders are desperate to prevent them, given the hugely problematic implications for their hard-earned reputations.
Many people currently rely on sophisticated password managers to keep their most sensitive information safe. Unfortunately, the very managers charged with protecting users can be infiltrated. During password manager attacks, autofill functionality can be compromised or sensitive data obtained by attackers. Unfortunately, clickjacking risks have come to light for multiple password services — including, most notably, the popular password manager LastPass.
As we've touched on above, clickjacking can cause a world of trouble for everyone from internet users to webmasters and even heavily influential business leaders. The initial effects of these attacks range greatly but often include data breaches, malware downloads, and financial losses.
On the business end, these attacks can destroy the reputations of esteemed organizations. Customers want to know that the websites and applications they rely on are properly secured, but few issues damage this perception of cybersecurity quite like successful clickjacking attacks. Dismayed and disenchanted, targeted consumers are often quick to take their business elsewhere.
Clickjacking attacks are far from inevitable. Security solutions abound — and many are surprisingly easy to implement. When in doubt, a layered approach is preferable. This should encompass not only strategies specifically designed to combat clickjacking but also general cybersecurity measures that limit the potential for many other attacks.
Compromised plugins are some of the most common — and preventable — vectors for modern clickjacking attacks. Vulnerability scans provide crucial insight into which plugins are problematic while also highlighting opportunities for boosting general application security.
Ad blockers vary greatly in terms of cybersecurity efficacy, but some high-level solutions can be a valuable part of a comprehensive strategy. A few options purposefully incorporate anti-clickjacking solutions that prevent interaction with embedded elements deemed potentially harmful.
Frame busting is one of the most common strategies used to avoid clickjacking. This simple defense makes it impossible for websites to function if they are situated within iframes. Also known as frame killing, this technique can be useful if implemented correctly but is also prone to errors. Because it's easy to implement, however, this strategy is worth trying if you desperately need to gain that initial layer of protection.
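As an added illustration (example code written for this guide, not code from the article or from SiteLock), here is a frame-busting script in the "hide by default" style. The page ships with a style rule that hides the body, and the script removes that rule only after confirming the page is the top-level document; if the page is framed, it tries to break out, and if that fails the content simply stays hidden. The `window` and `document` objects are the browser's own; the decision logic takes them as parameters so it can also be exercised outside a browser, and the element id `antiClickjack` is an assumption this example makes about the page's markup.

```javascript
// Added example: frame busting ("frame killing") in the "hide by default" style.
// Expected markup in <head>, placed before this script:
//   <style id="antiClickjack">body { display: none !important; }</style>
// The body stays hidden until the script proves the page is not framed. The
// naive one-liner `if (top != self) top.location = self.location;` is not
// enough on its own because it only works if that navigation succeeds;
// keeping the content hidden means a framed copy has nothing to click.

// Returns true when `win` is not the top-level browsing context.
// Reading `win.top` can throw in some cross-origin situations; a throw
// still means "we are inside someone else's frame".
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

// Decide what to do with the page. `win` is the browser's window, `doc` its
// document, and `styleId` the id of the <style> element hiding the body.
// Returns 'revealed' when the page is shown, 'hidden' when it stays hidden.
function applyFrameBusting(win, doc, styleId) {
  if (!isFramed(win)) {
    const blocker = doc.getElementById(styleId);
    if (blocker) blocker.parentNode.removeChild(blocker); // reveal the page
    return 'revealed';
  }
  try {
    win.top.location = win.self.location; // attempt to escape the frame
  } catch (e) {
    // A cross-origin parent refused the navigation; content stays hidden.
  }
  return 'hidden';
}

// Browser entry point; skipped when the functions are loaded outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyFrameBusting(window, document, 'antiClickjack');
}
```

The check has to run as early as possible in the document so the hidden state is the default; a script that only reacts after the page has rendered leaves a window during which the framed content is clickable.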
As a common type of HTTP security header, X-Frame-Options determines whether a page can be placed in an iframe. It can go a long way toward preventing unwanted embedding of one site within another. Much of the appeal of this solution lies in its targeted nature; it was specifically developed as a prevention and mitigation strategy for clickjacking attacks.
Designed to restrict the types of resources that can be loaded, Content-Security-Policy (CSP) headers are used by browsers like Firefox and Safari to act as a gatekeeper against malicious JavaScript and other forms of code. These headers can be used to prevent cross-site scripting (XSS), a main culprit in several clickjacking attacks.
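The two headers discussed above, X-Frame-Options and the CSP `frame-ancestors` directive, are usually set together so that older browsers get the former and current browsers (which give `frame-ancestors` precedence) get the latter. The following is an added example, not code from the article or from SiteLock: it builds both headers from one policy, attaches them to any response object that has a `setHeader(name, value)` method (Node's `http.ServerResponse` and Express's response both do), and audits a set of received headers to classify how well framing is restricted. The origin `https://partner.example` and the sample headers in the comments are constructed for illustration.

```javascript
// Added example: emitting and auditing anti-framing response headers.
// Assumes `res` exposes setHeader(name, value), as Node's http.ServerResponse
// and Express's response do.

// Build both headers from a single policy:
//   'none'   nobody may frame the page
//   'self'   only same-origin pages may frame it
//   [...]    same origin plus the listed https origins. X-Frame-Options has
//            no working allow-list syntax (ALLOW-FROM is obsolete), so it
//            falls back to SAMEORIGIN for browsers that lack CSP support,
//            while browsers that understand frame-ancestors ignore it.
function antiFramingHeaders(allowed) {
  if (allowed === 'none') {
    return { 'X-Frame-Options': 'DENY',
             'Content-Security-Policy': "frame-ancestors 'none'" };
  }
  if (allowed === 'self') {
    return { 'X-Frame-Options': 'SAMEORIGIN',
             'Content-Security-Policy': "frame-ancestors 'self'" };
  }
  if (Array.isArray(allowed) && allowed.length > 0) {
    for (const origin of allowed) {
      // Accept only plain https origins; anything else could corrupt the directive.
      if (!/^https:\/\/[A-Za-z0-9.-]+(:\d{1,5})?$/.test(origin)) {
        throw new Error(`rejecting frame-ancestors source: ${origin}`);
      }
    }
    return { 'X-Frame-Options': 'SAMEORIGIN',
             'Content-Security-Policy': `frame-ancestors 'self' ${allowed.join(' ')}` };
  }
  throw new Error("allowed must be 'none', 'self', or a non-empty array of https origins");
}

// Attach the headers to an outgoing response and return what was set.
function setAntiFramingHeaders(res, allowed) {
  const headers = antiFramingHeaders(allowed);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return headers;
}

// Audit received headers (keys lower-cased, as Node reports them):
//   'csp'          frame-ancestors present and restrictive (takes precedence)
//   'xfo'          only X-Frame-Options with DENY or SAMEORIGIN
//   'unprotected'  nothing that enforces a restriction. A Report-Only policy,
//                  the obsolete ALLOW-FROM value, a wildcard source, or a
//                  bare scheme such as `https:` all fall into this bucket.
function classifyFramingProtection(headers) {
  const csp = headers['content-security-policy'];
  const m = csp && /(?:^|;)\s*frame-ancestors\s+([^;]+)/i.exec(csp);
  if (m) {
    const sources = m[1].trim().split(/\s+/).map((s) => s.toLowerCase());
    const permissive = sources.some((s) => s === '*' || s === 'https:' || s === 'http:');
    return permissive ? 'unprotected' : 'csp';
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return 'xfo';
  return 'unprotected';
}
```

A quick way to use the audit function on your own site is to fetch a page, pass the response headers to `classifyFramingProtection`, and treat anything other than `'csp'` as a finding to fix; the `frame-ancestors` directive must be in an enforcing `Content-Security-Policy` header, since browsers ignore it in a `<meta>` tag and a `Content-Security-Policy-Report-Only` header only reports.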
Education can be one of the most powerful forms of prevention. Often, targeted users or employees are simply unaware that they could be at risk. Web security should be thought of as a team effort, with clickjacking defense training sessions implemented on, at minimum, an annual basis.
While the targeted strategies outlined above can prove valuable, general cybersecurity practices are just as important. Often, the most basic initiatives are also the most impactful for preventing not only clickjacking but several other types of attacks as well. Simple solutions to keep in mind include:
Use strong passwords or, better yet, multi-factor authentication.
Take care when clicking links — especially those that seem too good to be true.
Keep all software up to date, including any add-ons.
More caution is always better, so avoid any websites or links that seem even vaguely suspicious.
Clickjacking may be a uniquely diverse and difficult-to-detect strategy, but prevention is more easily attained than you might think. The right resources can make all the difference. Look to SiteLock for the far-reaching protection and peace of mind you require. Our comprehensive website security plans include many invaluable features, including:
Malware scanning and removal. As the basis of any effective website security strategy, scanning provides swift and valuable insight into security threats. Automated scanning solutions should reveal the early signs of clickjacking, allowing you to respond before the problem spirals out of control.
Vulnerability patching. Scanning is only the first step. Once vulnerabilities have been detected, they must be addressed quickly to prevent clickjacking and other problems. SiteLock offers not only malware removal but also vulnerability patching. This incorporates individual security patches for CMS applications and remediation for database-driven websites.
Web application firewalls (WAF). As one of today's most robust forms of digital protection, web application firewalls identify and block access to backdoor files. They also use advanced behavioral analysis to differentiate between malicious traffic and authorized visitors.
If you have any questions, don’t hesitate to contact our cybersecurity experts.