Anyone who's been active online has seen pop-up ads enticing us with free offers, whether a trip or a new phone. What we can't see is that an invisible layer may sit on top of that ad, so the click we think lands on "Claim your prize" actually lands on a button in our bank account, without our knowing.
That's what clickjacking does. It's a method of tricking us into taking an action online without our knowledge. Instead of getting that free trip or phone, you may find that a large chunk of your bank balance has gone away.
There's little to be done after the fact, but you can take measures to avoid falling victim to clickjacking in the first place. Most web browsers have gotten wise to clickjacking methods and have put protections in place for their users. That's a step in the right direction, but you can do more to ensure you're protected further.
Some methods are simple. Don't stay logged into your bank account while you browse other sites, and log out of sensitive sites every time you finish with them. Other methods take more effort and rely on preventative software to protect you.
In this article, we'll go over the ins and outs of clickjacking so you'll know what it is, what it does, and most importantly, how you can protect yourself.
What Is Clickjacking
Clickjacking is an attack that tricks you into clicking something on a page that is actually a disguised, hidden control performing an action you never intended. It's also known as UI (user interface) redressing, because the attacker "redresses" the page so it looks like something else.
A transparent element layered over the decoy page receives your click and passes it to the real site underneath, which can then act in your account or open pages without your knowledge or consent. Because the click genuinely came from your mouse and your logged-in browser, to the outside world it looks no different from your deliberate online activity. That makes it more difficult to detect and more difficult to repair in the cases where money was transferred without your knowledge.
How Does Clickjacking Work
UI redressing works by hiding the interface that is really receiving your clicks. It relies on HTML frames (iframe elements), which let one web page embed another. The attacker's page embeds the trusted site in an iframe, then uses CSS (for example opacity: 0, position: absolute and a high z-index) to make it invisible and line its buttons up exactly over decoy content; a little JavaScript can even keep the hidden button under your cursor as you move the mouse.
The visible page looks harmless, and it is often styled to mimic a site you trust. There is no visual clue that a hidden layer sits on top of it, so visitors, not realizing they're vulnerable, interact with the page as normal. It won't be until later that they become aware their clicks, and their logged-in session, were put to nefarious purposes.
Clickjacking or UI redressing is rarely the end goal. Instead, it's a tool to deliver a different attack. The severity varies, from stealing your bank information or installing malware to simply boosting clicks on other sites or likes on Facebook.
The Dangers of Clickjacking
Clickjacking ranges from the highly dangerous to the mildly annoying. On the milder end of the spectrum, your logged-in session is used to boost likes or views on social media, spread malware links to your contacts, or inflate clicks on ads, costing advertisers money.
What more directly affects you is when clickjacking:
- Steals your login credentials
- Activates your computer's webcam or microphone (historically through the Adobe Flash settings panel)
- Downloads malware to your device
- Accesses your bank account to pay for something or transfer money
Because a clickjacked action is indistinguishable from a legitimate one in the site's logs, clickjacking leaves fewer traces that fraudulent activity occurred, which makes it more difficult for you to dispute anything. That's particularly bad for cases where money was transferred from your account.
Other Forms of Clickjacking
Clickjacking is used to accomplish a variety of goals, which have taken on their own sub-identities.
Likejacking
Likejacking exists primarily on social media and gets its name from Facebook's Like button. An invisible Like button is placed over bait content so that users "Like" pages they never intended to, falsely inflating a post's popularity.
Cursorjacking
Cursorjacking displays your cursor somewhere other than where it really is, for example by using a custom cursor image that is offset from the true pointer position. Instead of hiding the target, it misleads your hand into clicking it.
This has become less common as browsers fixed the underlying bugs. It worked for a time in Firefox and in Adobe Flash before those issues were resolved.
Browserless
This variety of clickjacking primarily targets mobile devices and hijacks dialog and alert notifications, for example by drawing a fake element on top of a system permission prompt so that your tap lands on the real "allow" button beneath it. It doesn't require a browser, which is where its name comes from.
Cookie Jacking
Cookie jacking is a clickjacking variant used to steal your browser cookies, typically by tricking you into dragging the cookie contents out of a framed page. Cookies are what tell a website that you're logged in, so a stolen cookie lets the hacker take over your session on that site (session hijacking) and use it to steal data, access bank accounts, or commit identity theft.
File Jacking
File jacking tricks you into pointing a file dialog at a folder on your computer, for example under the pretense of choosing where to save a download. The browser then uploads that folder's contents to the attacker's server, exposing any sensitive documents stored in it.
Clickjacking Prevention: The 101
Although there is no complete protection against clickjacking, there are steps you can take to lower your risk of falling victim. Protections against clickjacking take two main forms and are broken down as either client-side or server-side protections.
Client-side Clickjack Protection
Simply put, client-side protection is software on your own machine that stops you from clicking on invisible page elements. It usually takes the form of a browser extension that protects you as you browse. Such extensions block untrusted scripts and invisible or "redressed" frames so that a hidden click can't land, while leaving the legitimate iframes a page needs untouched.
Which extension you get will depend on which browser you're using. Commonly used extensions include:
- ScriptSafe for Chrome
- NoScript for Firefox
- JS Blocker for Safari
- NoScript is also available for Chromium-based browsers such as Microsoft Edge
Browser extensions are generally free to use and available in your browser's extension store.
Server-side Clickjack Protection
Server-side clickjack protection is done on the website itself to prevent it from being used as the basis of a clickjacking attack. The site is not hacked in such an attack, it is merely loaded inside a frame on the attacker's page, but leaving visitors exposed still harms the site's reputation. To prevent this, you instruct browsers not to render your pages inside other sites' frames.
Enabling these protections will keep your customers safe so they can browse in peace on your site. Not only is that good practice for everyone's internet health, but it also ensures your site maintains a positive reputation.
Server-side protection works by telling the visitor's browser which sites, if any, are allowed to embed your pages in a frame. By refusing third-party framing, you stop hackers from using your site as the invisible layer that targets your users.
There are three main ways this can be done.
X-Frame-Options
X-Frame-Options is an HTTP response header that tells the browser whether it may render the page inside a frame, iframe, embed or object element. It takes one of three values:
- DENY, which won't let the browser display the page in any frame.
- SAMEORIGIN, which only allows the page to be framed by pages from the same origin as yours.
- ALLOW-FROM uri, which named a single origin permitted to frame the page. This value is obsolete: current browsers ignore it and treat the header as absent, so don't rely on it; use the Content Security Policy frame-ancestors directive instead.
Content Security Policy
Content Security Policy is more flexible than X-Frame-Options. Its frame-ancestors directive lets you list exactly which origins may embed your pages (or 'none' to forbid all framing), and it takes precedence over X-Frame-Options when both headers are present. Other CSP directives control which fonts, scripts and other resources your pages may load, so one policy can protect against clickjacking and tighten the rest of your site at the same time.
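To make the X-Frame-Options and Content Security Policy rules above concrete, here is an added example (not code from the original article or from ClickGUARD) that models how a browser decides whether a page may be framed, given the headers a site sends, and builds the recommended header pair. The function names are assumed for illustration; the decision logic follows the HTML and CSP specifications as current browsers implement them, including the fact that ALLOW-FROM is ignored.

```javascript
// Added example (not the page's own code): a model of how a browser decides
// whether a page may be framed, given the anti-clickjacking headers the site
// sends, plus a helper that builds the recommended header pair. Function
// names are assumed for illustration; header semantics follow the HTML and
// CSP specifications as implemented by current browsers.

function hostMatches(pattern, host) {
  // CSP host-source: exact host, or "*.example.com" for any subdomain
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function sourceMatches(source, ancestorOrigin, pageOrigin) {
  const s = source.replace(/^'|'$/g, "").toLowerCase();
  if (s === "none") return false;
  if (s === "*") return true;
  if (s === "self") return ancestorOrigin === pageOrigin;
  const [scheme, host] = ancestorOrigin.split("://");
  // scheme-source such as "https:" matches any host using that scheme
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return scheme + ":" === s;
  if (s.includes("://")) {
    const [pScheme, pHost] = s.split("://");
    return pScheme === scheme && hostMatches(pHost, host);
  }
  return hostMatches(s, host);
}

// headers: lower-cased header name -> value.  ancestors: origins of every
// frame above the page, outermost first (an empty array is a top-level load).
function mayBeFramed(headers, pageOrigin, ancestors) {
  const csp = headers["content-security-policy"] || "";
  const directive = csp
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("frame-ancestors"));
  if (directive) {
    // CSP frame-ancestors takes precedence over X-Frame-Options; every
    // ancestor in the chain must match one of the listed sources.
    const sources = directive.split(/\s+/).slice(1);
    return ancestors.every((o) => sources.some((src) => sourceMatches(src, o, pageOrigin)));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return ancestors.every((o) => o === pageOrigin);
  // ALLOW-FROM and unrecognised values are ignored by current browsers:
  // the page ends up with no framing protection at all.
  return true;
}

// Builds the header pair a site should send.  allowedOrigins lists the
// third-party origins permitted to embed the page; empty means "nobody".
function antiFramingHeaders(allowedOrigins) {
  const sources = allowedOrigins.length ? ["'self'", ...allowedOrigins] : ["'none'"];
  return {
    "content-security-policy": `frame-ancestors ${sources.join(" ")}`,
    // X-Frame-Options cannot express an allow-list (ALLOW-FROM is dead), so the
    // legacy fallback is SAMEORIGIN when partners are allowed, DENY otherwise.
    "x-frame-options": allowedOrigins.length ? "SAMEORIGIN" : "DENY",
  };
}
```

Sending both headers is the usual practice: modern browsers honour frame-ancestors, and older ones that only understand X-Frame-Options still get DENY or SAMEORIGIN. In nginx, for example, the two lines would be emitted with add_header Content-Security-Policy "frame-ancestors 'none'" always; and add_header X-Frame-Options "DENY" always;.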
Frame Killing
Frame killing (also called frame busting) is a little outdated but was very common before browsers universally supported the headers above. You include a small piece of JavaScript in pages you think are vulnerable to clickjacking; it checks whether the page is the top-level window and, if not, breaks out of the frame. It was easy to set up, but it can be defeated (an attacker can load your page in a sandboxed iframe that disables its scripts, for instance), so treat it as a fallback for old browsers rather than your primary defense.
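The frame-killing pattern described above, as an added example that is not code from the original article or from ClickGUARD. It follows the widely recommended "hide by default, reveal only when safe" approach: the page's <head> carries a style of html { display: none; }, and the script either reveals the page or navigates the top window to itself. The frameState helper and its name are assumptions made here so the decision can be exercised outside a browser with stand-in window objects.

```javascript
// Added example (not the page's own code): the classic frame-busting pattern.
// The page is hidden with CSS until this script confirms it is not framed by a
// foreign origin; if it is, it navigates the top window to itself. frameState()
// is a helper (name assumed) factored out so the decision is testable with
// stand-in window objects instead of a real browser.

function frameState(win) {
  if (win.self === win.top) return "top"; // not framed at all
  try {
    // Reading top.location.origin throws a SecurityError for a cross-origin
    // ancestor, which is exactly the case we want to escape from.
    return win.top.location.origin === win.self.location.origin ? "same-origin" : "cross-origin";
  } catch (err) {
    return "cross-origin";
  }
}

// Returns true when it broke out of a hostile frame, false when it revealed the page.
function bustFrame(win, doc) {
  if (frameState(win) === "cross-origin") {
    // Replace the attacker's page with ours; the invisible overlay disappears.
    // Assigning a URL to top.location is permitted even across origins.
    win.top.location = win.self.location.href;
    return true;
  }
  // Top-level or same-origin framing: undo the default html { display: none; }
  doc.documentElement.style.display = "block";
  return false;
}

if (typeof window !== "undefined" && typeof document !== "undefined") {
  // In a real page: <style>html { display: none; }</style> in <head>, then this script.
  bustFrame(window, document);
}
```

Hiding the page by default is what makes the technique fail closed: if an attacker frames the page with an iframe sandbox attribute that blocks scripts, the buster never runs, but the page also stays invisible and unclickable. Even so, the header-based defenses are the ones to rely on; this script is only a belt-and-braces fallback.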
Clickjacking: A Danger that Can Be Stopped
Clickjacking can't be entirely stopped, but you can do a lot to protect yourself. In some cases, changing your log-in information or logging out of sites between uses will help curtail any fraudulent efforts. Taking the additional step of installing a protective extension will only further protect you and keep your online identity safe.
Companies and business owners can take their own measures to design their sites with protection in mind. Refusing to let outside sites frame your pages will stop clickjackers from using your site for any nefarious purposes.
Once you've fallen victim to clickjacking, there isn't much you can do to fix the damage. From an outside perspective, it's difficult to tell which activity was fraudulent and which was not. Prevention is the best way to save yourself the trouble. Fortunately, we're better equipped than ever to prevent hackers from accessing our information. We only need to take the steps to keep ourselves safe. Understanding the issue and following these steps is the first thing to do to protect yourself.
And since we're clicking with this topic, you might also want to check out click fraud, a multi-billion dollar issue ClickGUARD deals with.