Clickjacking is based on a simple principle: Make a victim click on something that is not what it appears to be. A simple example would be a Facebook like button that does something other than show your Facebook friends that you found something you liked. Why would someone want to make people do this? We’ll get into that later.
In order to perform a clickjacking hack, a criminal has to compromise a legitimate website. Sometimes the website is deliberately altered by its developer. This creates what is known as a malicious website. Such a website may be designed to spoof an actual website or it may have elements on it that do not do what they claim to do. For example, links claiming to go to a particular page may actually go to a page controlled by the criminal. A website purposely designed to be malicious and to lead a visitor to unexpected websites does so to make the designer money. They monetize deceptive links by making marketers, who pay for clicks on ads, think that their ad was actually clicked on, when it was not.
Another way criminals can redirect visitors to a website is to redirect by using a transparent overlay. Hackers who compromise a site can place an invisible frame over an object on a web page. For example, they could put this invisible layer over the Facebook like button. Thus, when the user clicks the like button, they are really clicking on the invisible frame and being directed by this to another site or being made to do something else that they had not intended to do (i.e. download malware).
In some cases, criminals don’t even wait for visitors to make them money. They employ bots to click on ads. After all, more clicks on an ad mean more money in the criminals’ pockets. If you can’t get humans to visit your site and click on ads, you can’t make money. However, if you can get a botnet to make thousands of visits to your site and click on ads, you can make a good living. Newer defenses built into browsers look for suspicious activity and attempt to block such bots, but, as you would expect, criminals try to upgrade their botnets to act in a way that more closely resembles human interactions with ads. As everyone knows, websites often try to stop botnets from doing this by making users click on annoying reCAPTCHAs.
Recent research on clickjacking has found several upgraded techniques that criminals are using to redirect victims. The researchers divided these deception techniques into what they call ‘mimicry’ and ‘transparent overlay’.
One new type of mimicry uses the technique of trying to blend in with the style on a page. The researchers use the following example where the middle box blends into the style of the page. Only a close inspection will show the word, “Sponsored”.
In truth, the trick is used by email providers and search engines which post sponsored ads at the top of the inbox or search results. But it’s not a scam unless it takes you to some place you never planned to go.
Transparent overlay attacks don’t only have to cover small buttons or photos. They can be made to cover all or almost all of a page, so that clicking on anything on the page will lead you to the criminal’s site. Again, it is possible for the site to be designed to do this.
Is Clickjacking Dangerous?
It’s true that most clickjacking is just a nuisance. You are redirected to some spam page when you thought you were going somewhere else or you were performing some other task.
However, dangerous functions can be hidden in the invisible frame that covers all or part of a site. I created these fake Facebook buttons on an invisible frame which would cover part of a vulnerable site. The buttons function but are harmless. (WordPress stops me from putting such a frame on its pages, but you can see the code for this here.)
However, if an attacker wanted to, the buttons could lead to all sorts of malicious activities. They could, for example, lead a victim to a fake Facebook login page from which they would capture login information. In fact, some overlays are designed so that no matter where a victim clicks on the site, they will always be redirected to the same place.
Most sites, like those in WordPress, are protected from clickjacking attacks, but a criminal could construct a site that was intentionally vulnerable to a clickjacking redirect. In this case, the criminal may want your Facebook, email, or other login information. On the scam site, you may see something innocuous like, “Click here for more information”. But clicking this would, then lead you to the real page the criminal wants you to visit. Remember, even malware can be downloaded by a click on such a seemingly harmless button, but your browser would probably indicate that you have an impending download. Only carelessness would allow such an attack to succeed, but carelessness is not unknown to occur on the internet.
And although measures to stop clickjacking have widely been adopted, criminals are still looking for ways around them. The researchers mentioned earlier found that several sites accessed during their investigation contained drive-by-downloads; that is, sites that would deliver malware simply by visiting them and clicking on nothing. Although they could not analyze all 2 million compromised sites that they identified, they did conclude that,” we think that there were much more malicious cases that we have yet to discover.”
In other words, if you think that clickjacking is a thing of the past or that it is just a harmless nuisance, think again. Last December, a researcher discovered a clickjacking attack on Facebook’s Android app. It had the ability to redirect a user to a spam page and then post that spam page on the victim’s timeline. The posted content in this attack was silly but harmless, but what if it wasn’t? It was limited to attacks in France, however, the bug was never removed by Facebook. So, if you see something on you or your friends’ timelines that seems out of place, you may have been an unwitting clickjacking victim.
Let’s just hope what’s posted on your timeline doesn’t destroy your reputation.