Clickjacking is a type of cyber attack wherein the perpetrator tricks website visitors into unintentionally clicking a page element or link disguised to lead to a non-malicious page when it actually does otherwise.

The attacker typically cloaks a page element (say, an invisible box) using a so-called “iframe.” Iframe is short for “invisible frame.” The malicious item sits on top, so it gets clicked instead of an image or hyperlink behind it. If we look under the hood, a link to the attacker’s page is located in the top frame, while the image or site link the victim thinks he/she is accessing is in the sub-frame.

Offenders also conceal links using uniform resource locator (URL) shorteners. In this case, the shortened form of the link hides the malicious URL. As a result, users get taken to a different destination from what they initially saw in the link preview.

If we were to draw an analogy, clickjacking is comparable to receiving a majestically wrapped present. But when you tear off the wrapping, you’ll only find an underwhelming item inside.

Other interesting terms…

Read More about “Clickjacking”

Threat actors may have varying motives for clickjacking attacks. Some redirect users to sites that they control to harvest credentials or install malware on victims’ computers. The reason can also be as superficial as stealing clicks or sessions meant for a video, website article, or popular social media post.

Forms of Clickjacking

Clickjacking comes in other forms, which include:

1. Likejacking

Likejacking occurs when a user ends up liking a Facebook page he/she did not intend to follow. This form of clickjacking uses a malicious code or widget, which hides Like buttons throughout a web page. Spam websites are often guilty of this act. However, some legitimate businesses do this as well to inflate their follower count.

2. Cursorjacking

Also known as “pointerjacking,” cursorjacking deceives users through a customized mouse pointer image. In this attack, the cursor appears to move to a different position from where the user initially placed it on the page. The threat actor “drags” a user’s cursor to strategic places across the page, causing them to end up accidentally clicking a malicious link or element.

Clickjacking is similar to Domain Name System (DNS) redirection attacks as the payload is delivered in the same manner. The only difference is that clickjacking occurs on the user interface (hence its other name, “UI redress attack”), while DNS attacks target vulnerable DNS records.

How can Users Avoid Becoming a Clickjacking Victim?

Adding JavaScript Code

Clickjacking is entirely preventable by adding annotations, such as a JavaScript code that functions as a frame buster (or frame killer) to your site. A frame buster can successfully prevent other domains from loading your page in a frame if you do it correctly. Certain variables have to be used to modify the frame-busting JavaScript code and ensure that it doesn’t interfere with existing frames on your site.

X-Frame-Options

Another way to prevent clickjacking is by implementing X-Frame-Options (XFO), a HyperText Transfer Protocol (HTTP) response header that instructs a browser how to render your content. It also effectively prevents other sites from presenting your content.

Web Application Firewall

Users can also rely on a web application firewall (WAF) to prevent clickjacking. A WAF analyzes and automatically blocks HTTP traffic coming from domains that are trying to load your resources on their page.