Clickjacking Explained

Cybercriminals are continually cultivating their techniques to avoid detection. Today, they can even cloak a seemingly innocuous web page with a ghost layer that contains malicious links.

This method of attack is what is known as Clickjacking. It can cause you to activate your device cam and mic, or even transfer funds from your bank to the criminal’s bank account without you noticing it. This article outlines various types of Clickjacking, and teaches the best ways to defend against this threat.

Perhaps a short story might help paint a good picture of what Clickjacking truly implies? A real life experience would be best. But an imagination of a possible scenario might still help in this regard. Please don’t ask about how we came up with this story. Just imagine what you would do in such a scenario.

You are surfing the web. But then, you finally decide that you’re just going to bite the bullet and buy yourself a new ride. Normally, there are often a few pages of forms that need to be signed. This process usually doesn’t take long. In about half an hour, you’re already the proud owner of a brand new car. A couple of weeks go by, and you have already forgotten about the paperwork.

Here’s the problem

You receive an email with what appears to be a loan repayment bill. This bill appears to be the first payment request on your new personal loan. You decide to call the bank and tell them that you never signed up for anything else aside from the initial car loan. But the bank’s representative confirms the presence of your signature on all the papers, in which they send you all the copies via email.

Sure enough, you confirm for yourself the presence, and legitimacy of your signature in all the appropriate places, but you just don’t remember signing anything like it at all.

Therefore, you decide to return to the bank for further investigation. And then you find the tell-tale traces from a carbon paper over the cover of these documents which now only indicates that you had literally signed a different thing which was placed on top of what you thought you were previously signing for.

Actually, Clickjacking is a similar notion that we often see on sites, such as Facebook, for example, where there are many different marketing ads and applications fighting for our screen space to get our attention.

However, in a case where 2 elements overlap, it can pick up on your click literally being on a distinct element than what you thought you were previously clicking on. But in a world where a click is legally valid as a signature, this issue is certainly good at all.

The solution?

There are a dozen ways to get around this issue—although most of them only revolve around using browser defensive add-ons. The best and most effective against Clickjacking attacks is available for FREE and in paid premiums that are surely worth the dollar.

Google Chrome’s browser bodyguard, Guardio, will run silently in the background of your web browser without tampering with your net speed, and will often warn you if something fishy is up. But it doesn’t only end with a warning. This advanced browser security tool can also scan your device and eliminate all threats at site, including Like-jacking and Cursor-jacking attempts.

What is Clickjacking?

Classified as UI redressing, Clickjacking is a malicious technique that tricks you into clicking different things from what you perceive. This potentially exposes your secret information, like the banking details, for example, or allows a hacker to take over your system while clicking on seemingly innocuous elements.

It is an instance of a confused deputy problem; in which a hacker tricks your network system into misusing its command. This can be anything, including web pages. Moreover, they called it redressing or iframe overlay because in most instances, you might never realise that your clicks are not going where they are intended for. This can expose you to various vulnerabilities.

History of Clickjack

Firstly, it was not very long ago when the possibility of loading a transparent page over another web page was first discovered. Actually, it was in 2002 when it was first noted that this method of attack would allow for a user’s input to affect the invincible layer without the user’s knowledge. But this issue was ignored as a bigger threat until it hit the news again in 2008 as a potential cyber threat.

This was when two tech-scientists, Robert Hansen and his partner Jeremiah Grossman discovered that the Adobe Flash app can be Clickjacked to allow someone access to the system. Similarly, this term “Clickjacking” was coined by both professions—it was a perfect blending of the words, Click and Jacking.

In addition, as technology advanced and more similar nature of attacks were being discovered, the focus for the term UI redressing was changed to describe the types of such attacks instead of just using the word, Clickjacking, itself.

Effects of Clickjacking Attacks

Criminals have various ways of using redirected clicks for their own benefits. A very prevalent form of Clickjacking involves depicting a login and password form on a site.

In many cases, you would only assume that you’re providing your info in the usual form—only you are entering the details in fields where a hacker has overlaid a malicious page on the top page to fool you. Hackers will often target valuable info they can exploit, including passwords and credit card details.

Accordingly, a hacker can also decide to redirect clicks to download a virus, or gain access to fundamental systems as a starting point for an ATP (Advanced Persistent Threat). This spells trouble for those relying on protecting intellectual property and their sensitive info.

Examples of Clickjacking

Firstly, cybercriminals can hide links under the media and trigger very specific actions. It could be liking a page on FB or placing an order on eBay. Secondly, a hacker might require you to meet some conditions for an attack to succeed. For example, you may be needed to remain logged into social accounts.

If, let’s say, you got tricked into downloading a virus on your device, then you will definitely have to deal with the compromised system. In the best case scenario, it might only take a simple antivirus scan to fix the problem. But in the worst cases, you might be required to format your device and reinstall the OS.

Here’s an example of a possible Clickjacking. First, a hacker designs an enticing new page that promises a free trip to disneyland. Behind the scenes, the crook checks if you are logged into your banking website, and if you did, they will load the page that enables the transfer of funds. They complete this by using query parameters, such as SQL injection to insert their own banking details into the form.

Second, the malicious fund transfer page is displayed in an invisible iframe over the alleged gift page, with the button Confirm Transfer exactly aligned to the Receive Gift button which is left visible to you. You visit the page and click the button “Book a Free Trip”.

The problem is, you haven’t booked any trip to disneyland. You just clicked on a transparent iframe, hitting the Confirm Transfer, and bam, you just confirmed a transaction of funds from your bank to the hacker’s account. And while you’re not aware of what’s typically happening in the background, you are redirected to a malicious page that has some info regarding the fake trip to disneyland.

Moreover, Clickjacking is capable of turning some system features ON/OFF. For instance, it can enable your camera and mic if, say, a JavaScript prompt requests permission to access such info. But it can also extract other information that can be used to fasilite more attacks, including your device location.

Types of Clickjacking Attacks

Clickjack is susceptible to all kinds of attacks. The UI redressing exposure is high as it’s subjected to vast cybersecurity threats. And while there are several types of Clickjackings, we have mentioned some common ones, in a nutshell.

Transparent Overlay Attack

This trick was used in one of the earliest high-profile Clickjacking. The technique tricked the people into allowing Flash animations to access device features, such as microphone and webcam through the plug-in settings page of the Adobe Flash software.

Hidden Overlay attack

Hidden overlay was the first UI redressing to be demonstrated. It involves a hacker placing a 1x1 pixel iframe having malicious content that is perfectly concealed underneath the cursor—registering every click on the infected web page. Let me explain.

A genuine page is displayed in the forefront of the screen, completely concealing the malicious page, and the click event is dropped. The hacker then replaces the value of the top’s CSS pointer events. He sets it to none, thus forcing the click events to drop through the legit page overlay and register on the hidden page.

Drag and Drop Attack

Although many clickjackings are focussed on intercepting clicks, drag and drop can be used to fool you into doing stuff like filing forms, by dragging invincible characters into invincible text fields, and hence delivering sensitive credentials to the potential thief.

Scrolling Attack

Scrolling vulnerabilities involve sliding a legit web page element like a dialogue box, partially off the screen, overclouding some controls. This could be a warning sign that is slid off the screen, leaving you with only the Cancel and OK buttons options visible.

The hacker hides the warning text and replaces it with a seemingly harmless prompt message to make it look like the buttons apply to their own message instead of the initial warning text.

Cropping Attack

In this method, the hacker picks only a few controls from the transparent malicious page and overlays it on the visible page. Depending on what an attacker is aiming for, this action could entail concealing buttons with invincible backlinks to cause them to perform a completely different action.

Sometimes they can only replace text labels with misleading instructions, or cover an entire page, leaving one, or two buttons exposed to tame the target.

Repositioning Attack

To execute this attack, a hacker must quickly relocate a genuine dialogue box and place a malicious element under the cursor while a victim is engaged with other seemingly harmless web elements.

If the trick succeeds, their victim will unconsciously click the malicious controls without realising any changes. To avoid detection, the hacker might quickly change the dialogue box back after the click.

Why Do People Clickjack?

In brief, Clickjacking is only done for profit gains. Since its initial first discovery back in 2002, many criminal hackers have embraced this fraudulent technique to achieve their malicious gains.

A senior malware analyst, Roman Unuchek, reported on the SecureList blog in 2017, that the malware “Svpeng” was going viral. Svpeng is a malicious program that was first discovered in 2013. Its goal was to steal banking info from Android device users.

Once you downloaded the program on your device, Svpeng will then Clickjack your user data. But the problem went even deeper than just stealing your information. Once the malware gains admin privileges, it can decide which screen overlays to use, read contacts, make calls, send or receive text.

According to senior malware analyst, Roman Unuchek, the Svpeng virus had spread across 23 countries within a single week. Also, while Android devices are seemingly the ones that are susceptible to UI redressing, this issue can still affect any machine that has access to the internet. It can affect any smartphone, tablets, laptops, and desktop computers.

Clickjacking Prevention

One form of UI redressing takes advantage of weaknesses which are present in web pages, and apps to allow hackers to manipulate our systems for their own benefit. For example, an infected page can trick you into performing undesired actions by clicking on the hidden scam links.

Moreover, Clickjacking is considered very harmful to businesses. It is a sworn enemy of business flourishment—but thankfully—there’s a way to defend against it. Initially, there are 2-general ways you can protect yourself against Clickjacking.

Client-side Procedures. The most prevalent method is known as Frame Busting. Although client-side procedures are often considered as, well, not the best practice since it’s easier to bypass them, these methods are still effective today in some instances. We have mentioned four of these methods below.

Server-side Procedures. The X-Frame-Options procedure is the most prevalent server-side method. It is recommended by many cybersecurity professionals as an effective Clickjacking protection method.

Client-side Clickjacking Prevention

1. Defend Yourself With NoScript Defending against Clickjacking attacks can be added to Mozilla, and maybe a few other desktop and mobile version browsers by adding the NoScript plugin. This browser security add-on has a feature called ClearClick that prevents you from clicking hidden or redressed web page elements of embedded applets.

According to the browser security handbook, by Google, the NoScript’s feature ClearClick is an available free product that provides a reasonable degree of Clickjacking protection.

2. Defend Yourself With Guardio Guardio is yet another advanced, lightweight web browser bodyguard that adds Client-side Clickjacking protection for those using Microsoft Edge, and Google Chrome, for example, without interfering with the functions of genuine iframes. This browser security extension is available for free, and paid premiums that come with a handful of helpful features and rewards.

3. Defend Yourself With Gazelle This thing is a Microsoft Research project web browser which uses an OS-like security model. Gazelle has its own limited protection against UI redressing. In this browser, a window of distinct kinds can only draw dynamic content over another window’s screen space if, say, the type of content it is drawing is opaque.

4. Defend Yourself With Intersection Observer The second version (Intersection Observer V2 API) introduced the concept of tracing the actual visibility of a target element, as anyone out there would define it.

Also, it allows a framed widget to sense if it’s being covered. This feature is often ‘ON’ by default since Google Chrome 74 which was introduced in the year 2019. Today, Google’s Chrome browser is the only web browser to implement the Intersection Observer V2 API.

Server-side Clickjacking Prevention

1. Using the Framekiller Framekiller allows website owners to protect their users against Clickjacking on the Server-side. It achieves this by including a framekiller JavaScript snippet in pages in which they don’t want to be included in frames from distinct sources.

However, such JavaScript-based protection against UI redressing is not often reliable. But this is particularly true on Internet Explorer where this type of countermeasure can be circumvented “by design” by including a targeted web page inside an

2. Using X-Frame-Options The X-Frame-Option technique was first introduced by Microsoft’s Internet Explorer in 2009. It provided a partial protection against UI redressing. This defensive technique was later adopted by other browsers, such as Chrome, Mozilla Firefox, Opera, and Safari. Moreover, once a website owner sets up the header, it declares its framing policy values: DENY, ALLOW-FROM origin, SAMEORIGIN.

These values will prevent any kinds of framing, framing by other websites, or allow framing by the defined website. In addition, the advertising websites, for example, return a non-standard value (ALLOWALL) to permit framing their content on any web page.

3. Using Content Security Policy There’s a version of Content Security that allows, or refuses, embedding of content by potentially insecure pages using iframe, objects, and so on. The Content Security Policy’s frame-ancestors V1.1’s command obsoletes the X-Frame-Options detective. For instance, if, let’s say, a web page is served with both headers, its policy should be preferred by the active browser.

Protect Yourself Against Clickjacking by Staying Alert

One very common way a Clickjacking can enter your device is through a targeted malicious email. Unfortunately, in a world where tech-nerd criminals are stealing millions, if not billions of user accounts with dozens of contact details, it only costs a few bucks per account for anyone to purchase such info.

As such, the likelihood of a criminal having on their file at least one email address that belongs to your account, along with its associated banking institution, is extremely high. Therefore, just in case you are finding the above mentioned Clickjacking prevention techniques to be a little too technical to understand, perhaps you can just stay alert to defend yourself against UI redressing threats.

• Watch for emails or SMS messages that claim to address some urgent issue

• Don’t click on social media content or Google Ads that looks too good to be true

• Avoid clicking on suspicious links

• Avoid downloading or installing suspicious programs

• Always only download your preferred software from authorised app libraries

• Add Guardio to your browser to warn you anytime there’s a threat

Watch Out for Spam Emails

Always stay alert and watch for random emails that hit your inbox claiming to address an issue that needs your urgent attention. Most of these emails have compelling and very convincing content—and they are often accompanied by malicious links.

Be careful, though, because clicking such links can take you to a seemingly legit website, only it’s a duplicate of a genuine site. The link can take you to a duplicated site which looks like your banking site, for example, to trick you into filling up your profile details, or to download a current version of software.

Moreover, if, let’s say, the goal of an attack is to trick you into downloading a software, that program is certainly a virus or malware whose goal is to capture and steal your sensitive credentials. In some instances, the site itself might be the source of the spyware that sneaks into your system. But regardless of how it happens, the program will only present false input layers for you to fill up your details.

Watch Out for Google and Facebook Ads

It is also crucial to avoid clicking on Facebook and Google ads that are containing stories, and news appearing to be out of the ordinary, or those with special deals that seem too good to be true.

Clicking on such elements might redirect you to a site that only downloads a Clickjacking program on your device. If you want, you can instead search the news, or the deal on an alternative reputable channel. Besides, if the news is real, then it shouldn’t be that hard to find on a long-standing newspaper available at valid outlets.

Download Apps From Trusted Sources

Employ the habit of downloading your applications strictly through authorised app libraries. These libraries have software agents and human beings who are always working hard to remove malware and leave only the suitable content.

Lastly, it is often easy to detect fake or invincible interfaces, but a healthy dose of doubt when handling anything internet-related can greatly contribute to a far more favourable user interface.

Frequently Asked Questions

What is the Meaning of UI Redressing? In simple English, UI redressing is another term for Clickjacking. It is a cyber attack technique used by hackers to hide malicious content under the cover of elements from legit websites. Think of it like a carjacking situation where the carjacker takes the car. Clickjacking can be compared to this example, except the Car is now replaced with the Click.

Is Clickjacking a New Cyber Threat? Clickjacking is not a new threat. And not only is it the same as the cross-site-request forgery, which is yet another kind of attack, or vulnerability that has been around since the 90s, but the computer scientists, Robert Hansen and Jeremiah, acknowledged that UI redressing is dated back at least several years.

Is Clickjacking a Vulnerability? Although this issue might be debated upon, Clickjacking is still perceived as a technique that only takes advantage of a network’s vulnerabilities, and thus, it is not the “vulnerability” by itself.

This technique can trick you into clicking malicious page elements, such as pictures or buttons; something you didn’t intend to do, by overlaying a web page with an iframe. There are many types of Clickjacking attacks. But we have mentioned the common ones below.

1. Like-jacking. This is a trick whereby the Like button on Facebook is tampered with, and thus causing you to like a different thing than what you previously intended to like.

2. Cursor-jacking. This is a user interface (UI) redressing method that changes your cursor from your intended position to a different one. However, having a tougher browser protection tool in place has since proven to be very effective against these attacks.

3. Cookiejacking. This is a form of UI redressing, in which cookies are stolen from your browser. Hackers often achieve this by tricking you into dragging objects that appear to be seemingly harmless. But the idea is to make sure you select the entire content of the targeted cookie. Afterwards, the hacker can claim the cookie and all its gathered information.

4. Filejacking. In this attack, the perpetrator uses your browser’s capability to navigate through your computer system and access your files to get your personal details. This is done by tricking you into creating an active file server through the folder selection windows, often used by web browsers. With this, the attacker can gain access to your computer and take any files from it.

What is the Impact of Clickjacking? There are vast ways a criminal can utilise a link to redirect for criminal benefits. The most common way involves a site’s login form and passwords being cloned.

This issue can have a very devastating impact on businesses. For example, in many instances, an employee who’s completely unaware, would just click a link on their company site expecting some obvious results but in reality, they might have just provided a hacker with the most valuable data that could lead to an attack on the business.

Using an iframe overlay (Clickjacking), a hacker can net login details, such as username, passwords, credit card details, etc., which afterwards, they can use to exploit, or use it in a larger penetration of a company’s network. Some links can even redirect you to download spyware, or malware that are only meant to grant the hacker remote control over the target company networks.

Is Clickjacking Still Possible? Clickjacking or UI redressing is still possible in 2022. In fact, it’s one of the most common techniques used by hackers to steal valuable info from social platforms, such as Facebook, for example, where a dozen apps and marketing pop-ups battle for a space on your screen to get your attention.

Usually, some of these ads contain malicious links that are only meant to wreak havoc within a business if, say, someone like a curious employee got careless.

What is Clickjacking in Cybersecurity? Clickjacking in cyber security in a nutshell, is a malicious activity that involves displaying an invisible web page, or a HTML element inside an iframe, over the initial legitimate page that is visible on the screen.

Also called UI redress attack, this trick is always only conducted for criminal gain. In most cases, a victim is often completely unaware of what’s happening, and within a matter of minutes, a possible financial loss or the stealing of sensitive credentials is only revealed later. The worst case is if it happens that the stolen info can provide access to a company’s network, this can have long-term damage to the business.

Final Thoughts

Clickjacking or UI redressing is an intrusive and damaging cyber attack technique that can lead to vast serious consequences. Hence, it’s especially critical for businesses to find a way to proactively stop such attacks from turning their websites into dangerous environments for potential users.

Lastly, for a criminal to reach the point of Clickjacking your website, the site itself will have to be jeopardised first—something Guardio can prevent. Regardless, it also helps to ensure that your website resources are sending appropriate X-Frame-Options headers, which would restrict some parts of your website from being framed outside your domain, or in other web pages.