Clickjacking is a type of malicious online activity that cybercriminals use to target Internet users. It is a technique whereby a user’s inputs on web pages are manipulated, causing them to perform potentially harmful actions without their knowledge.
How does clickjacking affect security?
Clickjacking is used for a variety of criminal activities, such as malware attacks, account hacking, identity theft, and more. Falling victim to clickjacking can result in data theft, financial losses, malware infections and, where the attack leads to unauthorized access to personal accounts, reputational damage as well. As such, it’s advisable to understand the threat clickjacking poses and remain vigilant against it during browsing sessions.
How does clickjacking work?
As we’ve touched on, clickjacking usually involves deceiving users into clicking on a hyperlink without their knowledge.
In a typical clickjacking attack, a criminal embeds a hidden site inside a seemingly legitimate decoy webpage, placing an invisible overlay over the visible page content. This is usually done with invisible iframes (inline frames), the HTML element that loads one HTML page inside another. When users click on what looks like a genuine link or button, the click actually lands on the hidden page, where they may be sent to a malicious site, prompted to download malware, or asked for sensitive personal information. Elements of the hidden page can also be positioned behind the decoy so that users complete actions, such as confirming a product purchase, without their knowledge.
Clickjacking can also come in different forms, including the following:
- Filejacking: When criminals use a website’s upload function to deceive users into uploading files.
- Cookiejacking: When criminals use UI redressing to gain unauthorized access to their victims’ cookies.
- Cursorjacking: When criminals use UI redressing to move a user’s cursor to a different position, causing them to perform an unintended action.
- Likejacking: When criminals manipulate the “Like” button on a social media platform, resulting in users “Liking” pages they didn’t intend to.
How to prevent clickjacking?
Any webpage that can be loaded inside a frame is open to clickjacking, so website developers and administrators use various measures to stop it.
Framebusting is a widely used prevention method. A frame-busting script detects when the page has been loaded inside an iframe and breaks out of it, so the page cannot be used as the target of a clickjacking overlay.
Additionally, using the X-Frame-Options HTTP header, site admins can control whether their pages may be embedded in iframes at all. Specifically, the DENY option tells the browser never to render the page inside a frame, which stops clickjackers from placing it behind a decoy.
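The following is an added example, not code from the original article: a small JavaScript audit that checks a page’s response headers for the X-Frame-Options protection described above (also recognising the equivalent Content-Security-Policy frame-ancestors directive), and a helper that adds the DENY setting when it is missing. Header names and sample values are constructed for illustration.

```javascript
// Added example (not from the original article): audit a page's HTTP
// response headers for anti-framing protection and harden them when
// missing. Header names and sample values are constructed for illustration.

// Lower-case header names so lookups are case-insensitive.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value).trim();
  return out;
}

// Report whether a third-party origin could frame this response. Checks
// CSP frame-ancestors first (browsers honour it over X-Frame-Options),
// then falls back to X-Frame-Options.
function assessFramingProtection(headers) {
  const h = normaliseHeaders(headers);
  const notes = [];
  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
      // A wildcard source lets any origin frame the page; anything else restricts it.
      if (!sources.includes('*')) {
        return { protected: true, mechanism: 'CSP frame-ancestors', notes };
      }
      notes.push('frame-ancestors allows any origin');
    }
  }
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, mechanism: 'X-Frame-Options', notes };
  }
  if (xfo === '') notes.push('no anti-framing header present');
  else if (xfo.startsWith('ALLOW-FROM')) notes.push('ALLOW-FROM is obsolete and ignored by current browsers');
  else notes.push(`unrecognised X-Frame-Options value: ${xfo}`);
  return { protected: false, mechanism: null, notes };
}

// Add the DENY setting the article recommends plus the equivalent CSP
// directive, leaving any headers the site already sets untouched.
function hardenResponseHeaders(headers) {
  const out = { ...headers };
  const h = normaliseHeaders(headers);
  if (!h['x-frame-options']) out['X-Frame-Options'] = 'DENY';
  if (!h['content-security-policy']) out['Content-Security-Policy'] = "frame-ancestors 'none'";
  return out;
}
```

Run `assessFramingProtection` over the headers your own site returns to confirm the protection is actually present; a page that passes this check cannot be placed inside an attacker’s iframe by a modern browser.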
How to avoid clickjacking?
To avoid clickjacking, it’s useful to know how to detect it. To identify clickjacking attempts, you can do the following:
- Check for inconsistencies in your cursor position
- Watch out for unintended actions on your online accounts
- Monitor your browser’s URL bar to check it matches the intended site
To conclude, clickjacking is a genuine danger to online security and is used by cybercriminals for a range of malicious purposes. Though site devs and admins can combat clickjacking with framebusting scripts and X-Frame-Options, it’s advisable to stay vigilant yourself by verifying site URLs, taking care when clicking on links, and using security software whenever you are online.