The digital age has been largely positive, giving us access to more information than ever before and more ways to communicate with each other, even across the globe and instantaneously. It’s completely changed the way we work and live, making information and entertainment cheaper and more accessible. But it has also introduced a variety of threats.
There’s no shortage of malicious actors out there, constantly searching for new techniques and scams they can use to steal money and information from unsuspecting victims. One of the most prominent malicious techniques is clickjacking – but what exactly is this method and how can you protect yourself against it?
Clickjacking Basics
We’ll begin with an explanation of the basics of clickjacking. Essentially, clickjacking means fooling a user, prompting them to click on something unwittingly. Usually, this is done with multiple layers; the user doing the clicking sees a trustworthy, recognizable interface, but there’s a transparent layer over that interface that actually responds to their click.
In other words, you may feel like you’re clicking a familiar button on a familiar website, but you’ll actually be clicking a button that allows someone to engage in malicious activity, such as stealing your personal information or infecting your computer with malware.
Types of Clickjacking
There are many different categories of clickjacking to consider, including:
- Classic clickjacking. In this form of clickjacking, an attacker uses a hidden, transparent layer to manipulate a user’s perception, causing them to click on something they didn’t intend. For example, a cybercriminal might place a transparent layer over a website showing an ordinary video with a “play” button. The click actually lands on the transparent layer, which might take the user to a different website or commit them to a specific action – like buying a product on Amazon or issuing a transfer to the criminal’s bank account.
- Likejacking. This specific technique relies on similar principles, but is applied to the “like” function associated with most social media platforms. You might click the “like” button, attempting to show your favor for a meme your friend posted – but you’ll be tricked into clicking on something much worse.
- Nested clickjacking. In this method, a criminal embeds a malicious web frame between the pages of an otherwise traditional, trustworthy website. This only works because of a specific weakness in how the X-Frame-Options HTTP header is enforced.
- Cursorjacking. With cursorjacking, criminals use a UI redressing tactic to offset the real position of your cursor from the cursor you see on your screen. It adds a layer of complexity to this common scheme and makes it even easier for attackers to get malware installed on your device.
- Mousejacking. Rather than messing with the UI of your device, mousejacking relies on physical hardware. In this method, criminals take advantage of a hardware vulnerability that allows external keyboard and mouse inputs through vulnerable dongles.
- Cookiejacking. Cookiejacking is far less pleasant than it sounds. In this form of user manipulation, cookies are stolen from your web browser. These cookies often include sensitive information that can be used against you.
- Filejacking. In filejacking, a criminal tricks a user into creating a new active file server; the prompt looks like a typical folder-selection window. Once complete, the attacker can freely navigate your computer and access your files.
- Password manager attacks. Password manager attacks are also common, though they only work against vulnerable password managers.
How to Protect Yourself
So how do you protect yourself from these types of attacks?
On the client side (as a user), you can use reliable browsers, extensions, and add-ons to minimize your exposure. Certain browsers have built-in functionality to protect against these types of attacks, though you’ll need to make sure you’re using the most recent version of the software. If you want even more protection, you can install additional add-ons meant to directly prevent this type of problem.
On the server side, webmasters can protect their users from UI redressing and similar techniques with a variety of approaches. For example, you can add a framekiller JavaScript snippet that stops your page from being displayed inside a frame on an untrusted site. Setting the X-Frame-Options header appropriately also helps.
It’s also a good idea to rely on content security policies (CSPs). Most modern browsers support CSPs, allowing site owners to decide precisely what content may load on each page and which sites may frame it. If you customize and implement your CSP properly, your users should have no issues with clickjacking.
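As an added example (not code from the original article), the Node.js helper below audits a response’s anti-framing headers the way a browser would interpret them: a CSP frame-ancestors directive takes precedence, and X-Frame-Options is the fallback. The function names and sample headers are our own; the header semantics follow the X-Frame-Options and Content-Security-Policy specifications.

```javascript
// Added example: audit X-Frame-Options / CSP frame-ancestors on a response.
// Function names are our own; header meanings follow the public specs.

function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list (lower-cased), or null if absent.
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function auditFraming(headers) {
  // headers: plain object of response headers; names matched case-insensitively.
  // Note: Content-Security-Policy-Report-Only only reports, it never blocks.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();

  // A frame-ancestors directive wins; browsers that honour it ignore XFO.
  if (h["content-security-policy"] !== undefined) {
    const sources = parseFrameAncestors(h["content-security-policy"]);
    if (sources !== null) {
      // An empty source list matches nothing, exactly like 'none'.
      if (sources.length === 0 || sources.includes("'none'")) {
        return { protected: true, reason: "CSP frame-ancestors 'none': framing denied" };
      }
      const open = sources.some((s) => s === "*" || s === "http:" || s === "https:");
      if (open) return { protected: false, reason: "CSP frame-ancestors allows any origin" };
      return { protected: true, reason: `CSP frame-ancestors limited to: ${sources.join(" ")}` };
    }
  }

  // Fall back to X-Frame-Options.
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") {
    return { protected: true, reason: `X-Frame-Options ${xfo}` };
  }
  if (xfo.startsWith("ALLOW-FROM")) {
    return { protected: false, reason: "ALLOW-FROM is obsolete; modern browsers ignore it" };
  }
  if (xfo) return { protected: false, reason: `unrecognised X-Frame-Options value: ${xfo}` };
  return { protected: false, reason: "no anti-framing header; any site can frame this page" };
}

// Constructed sample: a CSP that denies framing alongside an obsolete XFO value.
console.log(auditFraming({
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  "X-Frame-Options": "ALLOW-FROM https://example.com",
}));
```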
Clickjacking has been a security problem for many years, but its influence is diminishing, in part because we have better tools to fight back against it. Still, it’s important to remain vigilant both as a webmaster and an ordinary user. All it takes is one slipup to render you vulnerable.