What Is Clickjacking and How Does It Work?

Clickjacking is a fraud technology that supposes the interface modifications to force the user to click the link or button you need. Usually, it is done through the interface overlay.

You may be interested in taking a look at our other antivirus tools:
Trojan Killer, Trojan Scanner and Online Virus Scanner.

What is Clickjacking Attacks? How Does It Work? | Gridinsoft

What Is Clickjacking?

November 01, 2022

We are used to modern cyberattack vectors, and for some reason, ignore all ones from the past and the possibility for new vectors to appear. Sure, the future is hard to predict, and most past methods are blocked globally at their origins. But only a few people know it is possible to steal your clicks.

Clickjacking or UI redress attack is based on a visual trick to make the user click on an element of the web page that is invisible or disguised as another element. The main goal of a clickjacking attack is to get unsuspecting website visitors to act on another website (the target website). For example, a user might be attracted to a website promising a prize. However, when the user clicks to accept the award, their click is used to purchase an item on the e-commerce website. This is achieved by hiding the user interface of the target website and placing the visual user interface on top of it so that the user does not know he or she is clicking on the target website.

Clickjacking Scheme
How does clickjacking work?

Because of this placement of the user interface, this type of attack is also known as UI redress or UI fix attack. Therefore, the user can unwittingly perform transactions such as transferring money, buying products, downloading malware, liking social networks, etc. But how does it work? Let's go further.

Types of Clickjacking Attacks

Depending on the nature of a particular situation, an attack may be called by different names. Here are some of them:

  • Likejacking. An attack that intercepts user clicks and redirects them to "likes" on a Facebook page or other social networks. It is not very dangerous but will likely lead the feed to show you more liked content, even when you are not interested in this topic;
  • Cookiejacking. A user interacts with a UI element by drag&drop, and provides the attacker with cookies stored in their browser. Cookies can be used to break into social networks, email, and other services. By installing your cookies with hashed passwords in their web browser, a criminal can gain access to your account without logging in;
  • File hacking. In a file-hijacking attack, the attacker takes advantage of the ability of web browsers to navigate your computer's file system. For example, when you upload photos to social networks or a backup to cloud storage. When a file browser window appears, you can navigate the file system. In a file hijacking attack, clicking the "Browse Files" button can set up an active file server, potentially giving the attacker access to your entire file system;
  • Cursorjacking. this method changes the cursor's position to another location where the user perceives it. Thus, the user believes he is doing something when he is doing something else;
  • Password manager attacks. Even though browsers refuse to automatically fill out forms if the protocol on the current login page does not match the protocol at the time of password saving, some password managers can still insecurely enter passwords for HTTP versions of HTTPS-saved passwords. Most managers did not protect against iFrame-based and redirect-based attacks. They exposed other passwords that used synchronization of passwords between multiple devices.

This is part of the many other variants of clickjacking. However, despite the multitude of variants, the basic principle they rely on is the same: capturing user actions by tricking the user interface.

Clickjacking Examples

The attacker creates a clone of a website that looks like the real one but embeds the malicious website in an iframe tag. Since the iframe is invisible, the malicious site is not visible either, and the victim only sees the site that looks like the real one. Using social engineering, the attacker makes the target visit a malicious website and follow a malicious link. For example, it could be a link to a fake contest they won or an enticing photo or interesting picture.

The invisible elements on the embedded malicious site are the same as the interactive elements on the visible page, which looks legitimate. However, the hidden elements trigger unwanted actions, such as downloading a malicious script when clicked. Once the target visits the site and clicks on the link, the target's browser launches a malicious script, and bad things happen.

Protection Against Clickjacking

Clickjacking attacks are pretty rare nowadays, but it is better to have the risk minimized. Most of the job for your protection against clickjacking is already done by the security technologies development, in particular the security updates to web browsers. But some situations may still force us to make it.

Use browsers that support the Intersection Observer API.

The Intersection Observer API can track the "visibility" of target elements on a web page, allowing the browser to detect when a framed window is hidden. The following desktop browsers currently support the API:

  • Google Chrome 58 and above;
  • Mozilla Firefox 55 and above;
  • Microsoft Edge 16 and later;
  • Opera 45 and above

There are enough browsers available on mobile devices that it is almost impossible to list them all. If necessary, they can always be downloaded from the Apple App Store and the Google Play Store. However, the good news is that the default browsers on iOS and Android support the Intersection Observer API.

Use a browser add-on

Several browser add-ons can provide some protection against clickjacking attacks. The most popular options are:

  • NoScript: The NoScript browser add-on prevents users from clicking on invisible or "fixed" web page elements. NoScript is free but only supported by the Mozilla Firefox browser.
  • NoClickjack: The NoClickjack browser add-on is supported by Google Chrome, Mozilla Firefox, Microsoft Edge, and Opera. The add-on makes all frames on a web page visible.

Frequently Asked Questions

What is the difference between clickjacking and phishing?

In fact, these two fraudulent tactics aim for the same thing, but via different approaches. From some point of view, clickjacking may be called a specific way of phishing. Still, phishing is more a social engineering tactic, which forces the victim to do what the fraudster wants. The victim does everything benevolently - missing the details that can uncover the fraud.

Clickjacking also makes the victim believe it is doing what it really wants to, but instead of social engineering, it spoofs the website interface in a specific way. While clicking on a button on a legit site, the victim in fact clicks a button on an invisible frame that calls the function needed by the fraudster. After that click, the latter receives the victim’s identity information, hijacks the money transfer, grabs the cookies and so on.

How common is clickjacking?
This threat is not so common, as the researchers spotted only 630 sites among over 250,000 ones checked up. In short, it is a miserable amount - only 0.25%. However, the sites that are detected as involved in clickjacking still have about 43 million visitors per month - which is more than enough for fraudsters to top-up their wallets.
Is clickjacking an XSS attack?
XSS attacks have several things in common with clickjacking, but they differ by the endpoint of the attack. XSS usually ends up downloading and installing malware on the victim’s device via throwing it on downloading pages or exploit landings. All this nasty stuff is done via exploiting the JavaScript functions and the vulnerabilities of a certain site. Clickjacking also uses JavaScript, but only to draw an invisible frame over a legit page.
What causes clickjacking?
The main reason why clickjacking is even possible is that sites are not protected from using their site in combination with a frame. Hackers may easily call an unprotected site and put their own UI over yours, entrapping the victim. Fortunately, it is quite easy to avoid your page exploitation - by certain JS plugins that may counteract the overlapping frames. You can also forbid the framing of your website from other domains, giving this right only to the other pages of your site.
What is the impact of clickjacking?
Main targets of clickjacking attacks are stealing your money, grabbing the detailed information about your device and location, installing malware or stealing your cookies. All of these cases are extremely unpleasant, as you can potentially lose your money, reputation or even freedom. Cookies may contain the login data from your accounts, including online banking. Stealing the information about the device and location may be used by various government agencies for spying purposes. One may say, the clickjacking is a hardcore, but very effective sort of phishing.