The word clickjacking is a portmanteau of the words click and hijack. As the name suggests, clickjacking is the act of taking a user's legitimate click and using it for malicious purposes. The end result is that what you think you're clicking on is actually something else, and that "something else" is usually bad for you. That is why understanding clickjacking and how to prevent it is essential for anyone who uses the web. Let's look at clickjacking in depth and explore how it works and what you can do to prevent it.
How Clickjacking Works
The principal method of clickjacking is pretty simple and relies on the fact that it's possible to make an invisible web page. The attackers create such a web page with invisible buttons and overlay it on top of a legitimate web page.
When you click a button on the legitimate page, you're actually clicking an invisible button on a malicious page. So, that's not good, but you might be wondering what exactly hackers can achieve with this method. Sadly the answer to that question isn't good. Let's have a look at what clickjackers can do.
What Clickjackers Can Do
Clickjacking may not sound like a big deal, but your clicks carry plenty of power. Operating systems are designed to "trust" the user. If a user with the right permissions asks the computer to do something, it has no choice but to comply. Clickjacking tricks the user into asking their own computer to do something malicious, which the computer goes ahead and executes.
Assuming that the clickjackers manage to divert your click somewhere else, what sort of things can they accomplish? As you've probably guessed, a common type of clickjacking involves fooling you into downloading and running malware. Because your hijacked clicks are what approve the download and installation, the malware installs quietly, with access you granted without realizing it.
Clickjacking can also be used to redirect you to a website under the control of malicious actors, such as a phishing site or one filled with ads and malware. Clickjacking can also be used to grab your login credentials for various sites. While you think you're filling the information into the legitimate site directly, your information is being stolen as you type it in.
Hijacked clicks can also be used to manipulate your computer. For example, web browsers can access hardware such as webcams and microphones. When a site asks to access these devices, you need to provide permission. The clickjacker diverts your clicks to give such permission, which may lead to secret recordings of you being made.
Finally, the most direct damage that clickjacking can cause is financial. Clickjacking can be used to fool you into authorizing money transfers from your bank account straight into that of the attacker!
Varieties of Clickjacking
Hackers have taken the basic concept of clickjacking and applied it in an ever-increasing variety of creative ways.
Likejacking is all about hijacking clicks in a social media context - usually Facebook since it's still the platform with the largest user base. Here, your clicks are hijacked so that you end up giving likes or other forms of support to pages you don't know or care about. These fake likes are used to manipulate algorithms into promoting content or otherwise helping the clickjacker profit.
Cursorjacking involves moving your cursor to a different place from where it appears to be. This can be used to steal your text input. It's no longer much of an issue these days, since the browser bugs used to perform this attack have largely been patched.
Filejacking is a particularly scary one. Here your clicks are hijacked to establish a file server connection, giving the attacker access to files on your computer. If you have any sensitive information on your system, they can view and transfer those files and then use that information for profit.
How a Clickjacking Attack Might Work
While clickjacking can come in many forms, there's a common pattern to these attacks that seems to form the backbone of the practice.
There are two main ways in which it's perpetrated. In one form of clickjacking, a real, legitimate website is wrapped in an invisible iframe HTML element on a page the attacker controls, with the attacker's visible decoy buttons lined up over it. When you go about your business on what looks like the real site, your clicks are intercepted and used to perform one of the actions listed above, such as activating your webcam.
The other type of attack is known as a "UI redress" attack, where the victim goes to a website that's been set up specifically to execute a money transfer scam. Here you might receive an email with a link to a website that offers some sort of reward. When you open the website, there's a button you have to click to "claim" your reward.
What's actually happening is that a script in the site has a bank transfer set up in the background, which you then authorize when you click the button.
Clickjacking targets two different stakeholders at the same time. The first is the owner of a legitimate website - the site that gets compromised by the rogue invisible frame. Website owners can design their site in such a way that it can't be wrapped inside the iframe HTML tag and still work. There's quite a lot you can do to secure your website against clickjacking, but we don't have the space here to cover it all. So we suggest that you do a little research on how to secure your site against clickjacking.
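The standard way for a site owner to make a page refuse to render inside a foreign iframe is to send the `Content-Security-Policy: frame-ancestors` directive (with `X-Frame-Options` as a fallback for older browsers). The block below is an added example, not code from the article: it builds those headers, serves a page with them on Python's built-in HTTP server, and audits a set of response headers the way a site owner could check their own site. The `ALLOWED_FRAMERS` allow-list, the port and the sample page content are assumptions for the example.

```python
"""Added example: anti-framing response headers plus a header audit.
Not from the original article; allow-list and port are assumptions."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical allow-list of origins permitted to frame this site (assumption).
# Empty means nobody may frame us, which is the right default for most sites.
ALLOWED_FRAMERS = ()


def anti_framing_headers(allowed=ALLOWED_FRAMERS):
    """Return the headers a site sends so browsers refuse to render it inside
    a foreign iframe, which is the overlay that clickjacking relies on."""
    if allowed:
        # CSP carries the precise allow-list; X-Frame-Options has no such
        # syntax that current browsers honour, so it only restricts to same origin.
        csp = "frame-ancestors 'self' " + " ".join(allowed)
        xfo = "SAMEORIGIN"
    else:
        csp = "frame-ancestors 'none'"
        xfo = "DENY"
    return {"Content-Security-Policy": csp, "X-Frame-Options": xfo}


def audit_framing_protection(headers):
    """Classify a response's headers: (protected: bool, reason: str).
    Browsers give a frame-ancestors directive precedence over X-Frame-Options,
    so the audit checks CSP first and only falls back to X-Frame-Options."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if "*" in sources:
                return False, "frame-ancestors allows any origin"
            return True, "CSP frame-ancestors " + " ".join(parts[1:])
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        # Deprecated form; current browsers ignore it, so it gives no protection.
        return False, "ALLOW-FROM is ignored by current browsers"
    return False, "no anti-framing header"


class Handler(BaseHTTPRequestHandler):
    """Serves a constructed sample page with the anti-framing headers attached."""

    def do_GET(self):
        body = b"<h1>Account settings</h1><button>Transfer money</button>"
        self.send_response(200)
        for name, value in anti_framing_headers().items():
            self.send_header(name, value)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Assumed local port; a browser will now refuse to show this page in an iframe.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The audit deliberately treats `frame-ancestors *` and the deprecated `ALLOW-FROM` form as unprotected: both are headers that look like a defence but leave the page frameable in current browsers.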
If you aren't a website owner but just a regular user, there are some practical ways to stop yourself from becoming a victim.
First, make sure that your web browser is always updated to the latest version. Many clickjacking exploits are quickly patched by browser developers. Another effective way of preventing clickjacking is to make use of special browser extensions. For example, NoClickJack is a Chrome extension that reveals invisible web layers when it detects them, so you can see what you're actually clicking on.