You’ve probably visited a website, clicked on a button, but received an unexpected response.
Let’s say you clicked on “Play Video" on a website. Instead of the video starting, you were redirected to Amazon.
What just happened? That’s clickjacking in action.
What Is Clickjacking?
Clickjacking is an attack that hijacks the user interface (UI) of a website and overlays it with an iframe that tricks web users into clicking a link or element (like a button) they didn’t intend to click. The vulnerability in the user interface manipulates a user's activity by concealing hyperlinks beneath legitimate clickable content, thereby causing the user to perform actions of which they are unaware.
For example, let’s say you clicked on a button that says “Log In," but instead of logging in, it's performing an entirely different action—like taking you to a YouTube link.
In most cases, you—the web user— have no clue what's happening behind the scenes when clickjacking is in progress because of the original and malicious links’ UI.
Clickjacking is also called UI redress attack because the attack tampers with the user interface of the exploited website.
Related: What Is Click Fraud? About The $44 Billion Industry of Fake Clicks
A recent clickjacking case occurred on Jotform’s log-in page. Luckily, a user discovered and reported it before a massive attack.
According to the vulnerability report, the server didn’t return an X-frame-options header, which means Jotform falls at risk of an impending clickjacking attack. The impact of this attack could lead to stolen Jotform's customer data that could be used for a phishing site.
How Does Clickjacking Work?
Let’s say you visit a website offering a free iPhone 13, and there’s a button on the page that says “click to win.” There are multiple unimaginable places this link could lead.
In this case, the attacker's intention might be to take you to a Facebook-like site. Once you click the button, you automatically log into your Facebook account and automatically like the page without your knowledge.
Other instances could be your email password or other personal details unwittingly linking to another website.
A good example is a famous clickjacking attack against the Adobe Flash plugin settings page.
This attack allowed the hacker to control what the user clicks on the page without the users’ knowledge. In some instances, users report clicking on a different setting and seeing their microphone come on. Others report visiting misleading websites though they used the right link.
Hansen, CEO of SecTheory.org says, “it’s almost impossible for users to decide what’s going to happen when they click on a link.”
Meanwhile, clickjacking goes beyond exploiting one part of the system. Adobe's vulnerability depends on several factors, including browser vendors.
Jeremiah Grossman, the co-founder of Whitehat Security, made this clear in his statement on Adobe's clickjacking attack: "Everyone including browser vendors, Adobe (plus other plugin vendors), website owners (frame busting code) and web users (NoScript) all need their solutions to assist in case the other doesn't do enough or anything at all."
In addition, hackers in clickjacking exploits can go as far as hijacking user keystrokes on their computers to gain access to their accounts. By cloning the original website, using the exact iframe and texts, hackers can trick users into typing their login credentials on a scam website—and in this case, bank log-in pages have the most attacks.
Testing How Clickjacking Works In Real Life
Let’s test this out by searching for a “win free iPhone 13 pro max” on Google. As expected, we land on this result with a sketchy web address:
https://iphone-11-por-giveaway.blogspot.com/2021/09/iphone-13-pro-free-giveaway.html
The enter now button clearly shows we'll receive a free iPhone 13—but upon inspection, we find something else. Using the Google Chrome browser, I inspect the code behind it.
On the “ENTER NOW” button, there’s a different URL taking me to another website.
This new website link is https://smarturl.it/Win_Apple_iPhone—that’s not the original address of this website.
Following this link, I got constant redirect loops for about 10 seconds, with one being this dodgy and not secure website.
After the redirect stops, this is the final page:
What I found on this page is different from what the original link initially claimed. Unknown to most users, following these links leads to an endless redirect that takes you to Facebook—back and forth as much as the hacker wants. There's a high chance of revealing your details to an unknown hacker.
Some other clickjacking attack risks include:
- False product purchasing
- Offering fake social proof
- Downloading malware
- Location hack and exposure
- Unauthorized wire transfer
Related—The Complete Guide To Ad Fraud
Types of Clickjacking Attacks
Several types of attacks can be classified as clickjacking. Overall, they fall into 2 niche categories, namely:
- Overlay-based clickjacking attacks
- Non-overlay-based clickjacking attacks
Overlay-based Clickjacking Attacks
These are clickjacking attacks that are embedded in invisible iframes on a website. In these attacks, the term "overlay" means the hacker hides the original action behind an invisible iframe.
It’s easy to hide these attacks, so they’re the most popular clickjacking techniques hackers use.
Below are some of the common techniques in overlay-based attacks:
1. Cropping
This attack overlays the only selected part of the original control on a website by "cropping" it out and leaving the user with a limited view. Let's say you're on a website showing you two options, "Allow” and “Cancel," but it's covered with an iframe with an option that says, "What’s your name?”.
In this case, you can see the original option behind the iframe, but you can't access it because it is cropped out and replaced with a different one. Simply reloading a few times or blocking javascript is more likely to fix this if you ever run into this issue.
2. Hidden Overlay
This is the earliest form of clickjacking and the first discovered. The hidden overlay technique involves creating a 1x1 pixel iframe containing the intended attack and hiding it directly beneath the cursor.
A 1x1 pixel iframe is incredibly small and often overlooked, so the chances the user sees it are low. This makes them unknowingly click the iframe, which redirects them to the malicious page prepared by the attacker.
Here’s an example of a 1x1 pixel:
3. Complete Transparent Overlay
This is the attack used on Adobe's flash settings page we discussed earlier. The complete transparent overlay attack uses a technique that overlays an exact malicious replica of the iframe on the original one—but with a different action.
For this, users can click on the “Turn Off Mic" option, and instead, the action reroutes a different action, e.g., turn on their webcam. This is one of the most dangerous techniques in clickjacking. The action behind it can go as far as an account take over, especially with bank logins.
4. Click Events
The hackers deploy a malicious page directly behind the original page for this attack but change the click events. By setting the CSS pointer-events property of the top of the page to none, all click events will register on the malicious page rather than the legitimate page.
With hackers having the click event of users during their session, a keylogger attack can easily be launched, and personal data, such as login information, can be stolen.
Non-overlay-based Clickjacking Attacks
These types of clickjacking attacks don't hide under the original iframe—instead, they completely change the iframe of the main content. Below are some of the techniques used in non-overlay-based attacks:
1. Rapid Content Replacement
This attack monitors your click movement and pattern before intercepting. Using the rapid content replacement attack, hackers let users browse freely on the website right until they're about to click on an iframe, and they "rapidly” replace the content with their malicious content.
This attack is fully hidden from the user, and only an impending click action can trigger it.
2. Drag-and-Drop
This type of attack changes the intent of action on the main page from "click" to "drag."
A good example is a website that requires you to click the "upload” button to upload your personal information into their database.
The "click" option won't work with the drag-and-drop attack unless you "drag and drop" the required file. Once you do this, you've given the hacker access to your file unbeknownst to you.
3. Repositioning
The repositioning attack is an additional step in the rapid content replacement attack. In this attack, the hacker moves the UI element directly under the mouse and immediately detects what the user is about to click.
4. Scrolling Attacks
This attack involves the hackers partially scrolling off some key parts of the page's main content. In this case, the user only sees some parts the hackers want them to see.
An example is when the hacker scrolls off the main element that takes users to their dashboard and leaves only a section containing the attack showing on the user's screen. This attack will be masked with a legitimate iframe like “Log In” or “Submit Request" —meanwhile, the action of this request goes directly to the hacker.
Examples of Clickjacking Attacks
Classic
A classic clickjacking attack is when a hacker embeds malicious codes in an invisible iframe of a legitimate website to manipulate what the user's cursor clicks on. An example: A user is watching YouTube videos, but underneath, there's an invisible iframe amazon "purchase" button that triggers a purchase on the Amazon store. Once the user clicks on the “play” button on YouTube, they immediately get rerouted to Amazon for a purchase they never made.
Like-Jacking
This is a clickjacking attack that tricks users into performing actions on websites that eventually leads them back to drop a like on various social media platforms. The term “like-jacking” was coined by Corey Ballou after dropping a comment in the comment section of "How to "Like" Anything On The Web (Safely).”
Say a user visits a website looking to move to the next page, but instead, the “Next” button is embedded with an invisible “Facebook-like" iframe that leads to them a fan page on Facebook.
Cookiejacking
This UI redress attack involves "jacking," i.e., stealing the user's cookie during a browser session. A common approach to using this attack is tricking the user with the drag-and-drop technique. Once this is achieved, the hacker can easily impersonate the user with all their information.
Cursorjacking
Cursorjacking is an attack where hackers change the location of a user’s cursor from where it’s perceived to be. In this case, when the user is clicking "top," they're clicking perhaps "bottom" or "left" but not what they intend to click.
Filejacking
Filejacking involves hackers exploiting the browser's ability to access files on a computer.
In this case, websites that allow file uploads are mostly attacked, and the malicious code is embedded in the "browse files" button. Once a user clicks this, the hacker immediately has access to the files on the computer.
How to Prevent Clickjacking Attacks
The prevention of clickjacking attacks depends on two sides:
Client Side
The client side refers to clickjacking attacks happening on the browser side. Some common ways to prevent a UI redress attack on the client-side include:
1. Installing NoScript Add-On
The NoScript add-on prevents users from clicking invisible or "redressed" page elements. Unfortunately, this add-on is only supported on Mozilla Firefox.
2. Installing NoClickjack Add-On
The NoClickjack add-on forces all iframes on the web page to be visible. It is supported by Google Chrome, Mozilla Firefox, Opera, and Microsoft Edge.
3. Use Intersection Observer API
The intersection observer API takes on the technique of acting like a human in tracking the visibility of elements on a web page. With this, when a widget is framed or hidden, it'll automatically know. Currently, this API is only supported on Google Chrome.
Server Side
Clickjacking attacks on the server side occur on the website's server before a user visits the website and interacts. Below are 2 ways to prevent a server-side clickjacking attack:
1. Frame Killer
This is a javascript code snippet web owners use to prevent their web pages from loading within a frame.
2. X-Frame Options
The X-frame option is an HTTPS response header that protects websites against clickjacking by determining whether a page can render within an iframe.
There were 3 commands in this response header that communicates with the browser:
- DENY: Disallow all websites from framing content.
- SAMEORIGIN: Allow all current websites to frame content — and exclude external websites.
- ALLOW-FROM: Allow framing of content from specified URL(s).
On A Final Note
Clickjacking is one of many attacks capable of crippling your website and going as far as stealing access to your personal information.
With attacks like filejacking, hackers can take your private document and use it for all sorts of impersonation that can damage your reputation and even your finances.
The UI redress attack effects are also in programmatic advertising, as advertisers and publishers are likely to lose revenue when their clicks are jacked through malicious ways.
Preventing attacks like these must become a major priority for businesses of all sorts, including yours, and it's why we recommend using an ad fraud solution like the one we have at Edgemesh.
Why Use Edgemesh?
Here’s how we work to protect your ads from invalid clicks. We understand click fraud as based on malicious intent masking under real traffic. Our solution does an overview of your existing and incoming traffic to your ad and follows through with their interactions from beginning to end.
We use behavioral analysis and machine learning to track all incoming traffic to your website, including clicks, traffic sources, backend lookup, IP monitoring, etc.
To give our click-fraud solution a spin, check out the new feature here or book a demo for a full experience.