What Is Clickjacking? Definition and Types

There are several different types of clickjacking attacks. Due to the open nature of the internet and the continued advances in web frameworks and CSS, clickjacking attacks can become quite complex.

Perhaps the most common clickjacking strategy, this method overlays a legitimate webpage over a malicious page. The legitimate page is loaded into an invisible iframe, and the user has no idea that a malicious page is underneath. 

Cropping, which is trickier to program, occurs when the cyberattacker overlays only selected controls from the malicious page onto the legitimate page. The attacker could replace hyperlinks on the legitimate page with redirects, replace the text of buttons on the legitimate page with other language (thereby confusing the victim), or change the content in a way that misleads the user.

This could be many things, but cursorjacking, mentioned above, is an example. In this strategy, the cyberattacker creates a tiny iframe, perhaps as small as a 1x1 pixel, that can be positioned under the mouse cursor and undetectable to the victim. As such, any click will go to the underlying malicious page.

Click event dropping might be a more obvious attack to a user. In this strategy, the attacker sets the CSS pointer-events property to none, which means clicking will seem to do nothing on the page. But in reality, the clicks are working on the malicious page underneath. Users should alert the webmaster when their continued clicking on the website's buttons or links does not work.

For more sophisticated cyberattackers with significant know-how in user experience and behavior, rapid content replacement can be an effective strategy. In this scheme, overlays are covered up, removed for a fraction of a second to register a click, and then immediately replaced. With this scenario, the user might not notice that they are clicking on a possibly malicious button or link because the object disappears so quickly. 

Apart from using insert overlays, there are other ways attackers can trick users into clicking unexpectedly malicious content.

In this scenario, the cyberattacker creates a legitimate dialog box or pop-up with a button partially off the screen. The buttons go to the malicious webpage underneath, but the box appears as a harmless prompt. The challenge for attackers in using this strategy is that the victim may have an ad blocker or pop-up blocker installed on their browser. The attacker will need to find a way to circumvent this. (Bogus ad-blocker extensions are yet another type of cyberattack.)

This is a type of rapid content replacement attack, in which the cyberattacker quickly moves a trusted user interface (UI) element while the user is focused on another portion of the webpage. The idea is to have the victim inadvertently click the moved element instead of focusing on reading, scrolling, or clicking something else on the page. Quick jumps or movements should be obvious to most users, and when this occurs, the employee should notify the webmaster and security team. 

This is a clickjacking strategy that requires the user to do more than just click. The victim will need to fill out forms or perform another action. The web forms might look like those of the legitimate page, but when users fill out the fields, the data is captured by the cyberattacker via the malicious page underneath. The goal, as with any cyberattack, is to obtain personal or sensitive information without the victim's knowledge. 

Due to the dynamic, innovative nature of the web, including new JavaScript frameworks, cyberattacks similar to clickjacking will continue to proliferate. Victims will continue to be tricked into performing unexpected actions on websites that seem identical to sites they have used before. As such, clickjacking might be difficult to detect, but in large organizations, as employees and customers interact with the company's web properties at scale, odd click behavior should be reported and acted upon quickly to thwart a cyberattack.

An end-to-end security solution is necessary to thwart cyberattacks. Clickjacking schemes target the security vulnerabilities of an organization's website, taking portions of legitimate webpages and overlaying them over a malicious site intent on exploiting user trust. 

As threat vectors multiply and increase in sophistication, the Fortinet NGFW can serve as organizations' first-line defense. It filters all traffic and provides intrusion protection for an organization's network across the entire threat landscape.

Clickjacking is a type of attack in which the victim clicks on links on a website the victim believes to be a known, trusted website. However, they are actually clicking on a hidden website that has been overlaid onto the known website.

Clickjacking is another threat vector and has the potential to enable a security breach.

XSS, or cross-site scripting, is a related attack but can be much broader in scope. In XSS, cyberattackers exploit vulnerabilities in web servers and inject malicious client-side scripts without users' knowledge.

A range of strategies can be used to prevent clickjacking, including implementing a Content Security Policy (CSP), coding for X-Frame-Options, adding browser add-ons, using an advanced firewall system, and educating employees.