“One Single Vulnerability is All an Attacker Needs” - Window Snyder (Chief Security Officer, Fastly)
The given statement hints at the extent to which we stand vulnerable in the face of cybersecurity attacks. While technological advancements have brought commendable benefits to mankind, they have also opened new possibilities for increasingly sophisticated cyber threats and attacks. Many consider the search for absolute security a vain pursuit, since newer forms of threats keep emerging on a continuous basis.
In the midst of this threatening milieu, we will look at the Clickjacking Attack as a significantly potent source of cyber threat.
In this blog, we will answer the question of what Clickjacking is, consider Clickjacking attacks and defenses, and evaluate ways and means of Clickjacking Prevention.
What is Clickjacking?
In this section, we define Clickjacking by considering the different aspects of a Clickjacking Attack.
Clickjacking, or Click Hijacking, is also referred to as a UI Redress Attack or UI Redressing. A Clickjacking Attack essentially occurs when a user clicks on a webpage element that is disguised as another element within the user interface.
It is an interface-based attack in which an HTML element or an invisible page, embedded in an iframe, is displayed over another web page that is actually visible to the user.
The page that is visible to the user is the decoy website, while the invisible one is the hidden website. To understand what Clickjacking is, you can view it as a cyber attack in which the user unknowingly clicks on some actionable button on the hidden website while consciously clicking on some entirely different content on the decoy website.
Let us try to understand the Clickjacking Attack through an example. Suppose that as a user you happen to visit a malicious web page that showcases an irresistible offer in the form of a holiday deal or a free gift, say a chance to win a trip to Haiti or a free laptop. On top of that page, however, the cyber criminal might install an iframe containing controls such as “delete all messages”, links authorizing a transfer of money from your bank account, or clicks that facilitate an online purchase of products, and so on. This iframe is invisible to you and is placed so that when you click on the button to claim your free gift, you end up unknowingly clicking on the hidden malicious link, which might result in the disclosure of sensitive information, a money-transfer scam, a malware download, and so on. This is how a Clickjacking Script works.
In a Clickjacking Attack, the attacker targets two victims. The first victim is the host web server, which is used as a mere platform for exploiting the Clickjacking Vulnerability; the second victim is the user, who unknowingly ends up clicking on the malicious button and becomes the target of the Clickjacking Attack.
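The server-side defense against the invisible-iframe overlay described above is to forbid other origins from framing the page. As an added example that is not part of the original post, the following JavaScript function audits a response's headers for that protection using the real X-Frame-Options header and the Content-Security-Policy frame-ancestors directive; the sample responses are constructed.

```javascript
// Added example (not from the original post): audit a response's headers for
// clickjacking protection. The header names and values are the real standards
// (X-Frame-Options, CSP frame-ancestors); the sample responses are constructed.

function parseFrameAncestors(csp) {
  // CSP directives are separated by ';', tokens within one by whitespace.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function assessFramingProtection(headers) {
  // Lower-case header names so lookups are case-insensitive.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // When frame-ancestors is present, browsers obey it and ignore X-Frame-Options.
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors) {
    if (ancestors.includes('*')) {
      return { protected: false, reason: 'frame-ancestors allows any origin' };
    }
    // An empty source list is equivalent to 'none'; 'self' or listed origins are restricted.
    return { protected: true, reason: `frame-ancestors ${ancestors.join(' ') || "'none'"}` };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options: ${xfo}` };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Deprecated and ignored by modern browsers, so it gives no protection.
    return { protected: false, reason: 'X-Frame-Options ALLOW-FROM is ignored by modern browsers' };
  }
  return { protected: false, reason: 'no framing restriction: page can be loaded in a hidden iframe' };
}

// Constructed sample responses: a frameable page and a hardened one.
const unprotectedHeaders = { 'Content-Type': 'text/html' };
const hardenedHeaders = {
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
};
```

Sending both headers, as in the hardened sample, covers older browsers that only understand X-Frame-Options while letting modern ones enforce the CSP directive.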
Clickjacking Attack: Its Types
As you try to understand what Clickjacking is, you should be clear about the various kinds and types of Clickjacking Attacks.
- Likejacking
As the name suggests, this kind of attack manipulates the Like button on Facebook and other social media platforms, so that users end up liking pages they never intended to like in the first place. It is popularly known as Clickjacking Facebook. Twitter too fell victim to this kind of attack, known as the tweet bomb, in 2009. The attack was launched with tweets that directed Twitter users to a button reading “Don’t Click”. In this case, Clickjacking exploited natural human curiosity: as people clicked on the button, they unintentionally posted more messages and tweets that again advertised the same link.
- Cursorjacking
This is a form of UI redressing that alters the position of the cursor to a location different from where the user perceives it to be. As a result, the user believes they are taking a specific action, while in reality they are performing an entirely different one.
- Filejacking
This is a form of Clickjacking Attack in which the user unintentionally gives the attacker access to local files on their system.
- Download of Malware
A Clickjacking Script might include a hijacked link which, when clicked by the user, results in the download of malware onto the system. This malware can damage the system's software, corrupt its applications, or become a potential entry point for Advanced Persistent Threats (APTs).
- Scams involving Money Transfer
This is another common type of Clickjacking Attack, in which a user is deceived into clicking on a malicious link on a decoy website and ends up unknowingly authorizing the transfer of money from their own bank account.
- Microphone and Webcam Activation
This kind of Clickjacking Vulnerability is exploited by loading the user's Adobe Flash settings page invisibly over another link. Thus, when the user clicks on the dubious link, they unconsciously modify their Adobe Flash plug-in settings and in fact hand over access to their microphone and webcam to the attacker.