What is Clickjacking?

Clickjacking is an attack in which the victim is shown a page controlled by the attacker and lured into clicking on it, while an invisible frame containing a legitimate, trusted website is layered on top. The click the victim believes they are making on the attacker's decoy lands instead on a control of the trusted site, and because the victim is usually already logged in to that site, the action is carried out with their own session and privileges.

Sometimes the hijacked click seems innocuous. For example, an attacker posing as a marketer can place an invisible Facebook Like button under a tempting link so that every visitor "likes" a page without knowing it, a variant known as likejacking. The same mechanism can drive far more dangerous actions: the hidden control might be a one-click download, a button that changes the victim's account settings or authorizes a transaction, or a permission dialog that grants a site access to the webcam and microphone (the original 2008 proof of concept clicked through the Adobe Flash settings panel in exactly this way).

Cursorjacking is another version of clickjacking. Here the attacker hides the real mouse pointer and draws a fake one offset from it, so the victim believes they are clicking one part of the page while the real pointer, and therefore the click, lands somewhere else. In more advanced scenarios, victims do more than click once: keystrokes or dragged content can be directed into fields of the hidden framed site, or the victim is led through a sequence of hijacked clicks that completes a multi-step action on the trusted site, such as changing an email address or approving a payment.

Also known as a user interface (UI) redress attack, the term clickjacking was coined by Jeremiah Grossman and Robert Hansen in 2008.

Clickjacking might seem like spoofing, in which the attacker recreates a website or landing page to trick users into believing the fake is the legitimate original, but it works differently. The attacker does not copy the trusted site at all. The real site, loaded live into an iframe on the attacker's page, is what receives the click, so it is the victim's existing session with that site that gets abused. Ordinary HTML and cascading style sheets (CSS) are enough: the iframe imports the trusted site's content into the attacker's page, and CSS makes the frame transparent, resizes and positions it, and stacks it over the decoy content so that nothing on screen reveals which page the click will reach.

Types of Clickjacking Attacks

There are several types of clickjacking attack. Because any site can include any other in an iframe unless the target forbids it, and because CSS gives fine control over the size, position, transparency and clipping of that frame, the variations can become quite complex.

Complete Transparent Overlay

Perhaps the most common strategy. The attacker's decoy page is what the victim sees; the legitimate target page is loaded into an iframe that covers the decoy but has its opacity set to zero. The frame is invisible yet still receives mouse events, so every click on what looks like the decoy lands on whichever control of the target sits under the pointer. The victim has no idea that a second page is in front of the one they see.

Cropping

Cropping, which takes more effort to set up, exposes only a selected control of the target page. The attacker sizes and scrolls the frame, or wraps it in a clipping container, so that just one button or link shows through, then surrounds it with their own labels and text. The attacker cannot modify the framed page itself (the same-origin policy prevents that), but they can place the exposed control where a "Close" or "Continue" button is expected, lay their own fake hyperlinks around it, or cover it with text that lets clicks pass through, so the visible context lies about what the control does.

Hidden Overlay

This can take many forms; cursorjacking, mentioned above, is one example. Another is a tiny iframe, perhaps as small as a single pixel, that is kept directly under the mouse cursor with JavaScript and is effectively undetectable to the victim. Wherever the victim clicks, the click arrives at the framed target control rather than at the decoy page they see.

Click Event Dropping

Click event dropping may be the most noticeable variant to a user. Here the attacker's decoy content sits on top of the framed target, but its CSS pointer-events property is set to none, so it never receives mouse events: clicks fall straight through the decoy to the target page underneath. To the victim the page simply seems to do nothing when they click. Buttons and links that repeatedly do nothing are a warning sign, and users should report them to their security team.

Rapid Content Replacement

For attackers with a good understanding of user experience and behavior, rapid content replacement can be effective. A cover is kept over the target control, removed for a fraction of a second at the moment the victim is expected to click so that the click registers on the target, and then immediately put back. Because the real control is exposed only for an instant, the user does not notice that their click went to something other than the decoy.
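The three overlay variants above (complete transparent overlay, cropping, and click event dropping) differ only in a few lines of CSS. The following is an added example, not code from the original article: it generates a clickjacking test page that a tester can open against a site they are authorized to test, to confirm that the site's anti-framing defenses actually work. If the target sends X-Frame-Options or a CSP frame-ancestors directive, the framed area renders blank and the decoy button does nothing, which is the outcome you want. The target URL, labels and coordinates are constructed placeholders.

```javascript
// Added example (not from the original article): build a clickjacking test page for a
// site you are authorised to test. All URLs, labels and coordinates are constructed.

const escapeAttr = (s) =>
  String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');

// CSS for one overlay variant. `debug` leaves the frame half-visible so the tester can
// line the target's control up with the decoy button before making it fully transparent.
function overlayCss(variant, o) {
  const opacity = o.debug ? 0.5 : 0; // opacity 0 hides the frame, but it still gets clicks
  // Shift the frame so the target control (targetX, targetY) lands on the decoy button.
  const shiftX = o.decoyX - o.targetX;
  const shiftY = o.decoyY - o.targetY;
  switch (variant) {
    case 'transparent': // complete transparent overlay: whole target frame over the decoy
      return `#target { position:absolute; left:${shiftX}px; top:${shiftY}px;
                        width:1280px; height:1024px; border:0;
                        opacity:${opacity}; z-index:2; }`;
    case 'cropped': // only a window around one target control, placed over the decoy button
      return `#crop { position:absolute; left:${o.decoyX}px; top:${o.decoyY}px;
                      width:${o.width}px; height:${o.height}px; overflow:hidden;
                      opacity:${opacity}; z-index:2; }
              #target { position:absolute; left:${-o.targetX}px; top:${-o.targetY}px;
                        width:1280px; height:1024px; border:0; }`;
    case 'pointer-events': // click event dropping: decoy on top, but clicks fall through it
      return `#target { position:absolute; left:${shiftX}px; top:${shiftY}px;
                        width:1280px; height:1024px; border:0;
                        opacity:${opacity}; z-index:1; }
              #decoy { position:relative; z-index:2; pointer-events:none; }`;
    default:
      throw new Error(`unknown variant: ${variant}`);
  }
}

// Assemble the decoy page plus the framed target for the chosen variant.
function buildTestPage(variant, o) {
  const frame = `<iframe id="target" src="${escapeAttr(o.targetUrl)}"></iframe>`;
  const layer = variant === 'cropped' ? `<div id="crop">${frame}</div>` : frame;
  return `<!doctype html>
<html><head><meta charset="utf-8"><title>clickjacking test</title>
<style>
body { margin:0; font-family:sans-serif; }
#decoy button { position:absolute; left:${o.decoyX}px; top:${o.decoyY}px;
                width:${o.width}px; height:${o.height}px; }
${overlayCss(variant, o)}
</style></head><body>
<div id="decoy"><h1>Congratulations, you have won!</h1>
<button>${escapeAttr(o.decoyLabel)}</button></div>
${layer}
</body></html>`;
}

// Constructed sample: an assumed page under test and where its sensitive button sits.
const SAMPLE = {
  targetUrl: 'https://app.example.com/settings', // assumed target you own
  decoyLabel: 'Claim prize',
  decoyX: 300, decoyY: 200, width: 140, height: 40, // where the victim will click
  targetX: 640, targetY: 410,                        // where the real control is on the target
  debug: false,
};

console.log(buildTestPage('pointer-events', SAMPLE));
```

Save the output as an HTML file on a different origin from the target, open it with debug set to true to align the control, then set debug back to false. A correctly configured target leaves the decoy button inert in all three variants.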

Apart from invisible overlays, there are other ways attackers can trick users into clicking unexpectedly malicious content.

Scrolling

In this scenario, the cyberattacker scrolls the framed target page so that the control they want clicked is the only part showing, and positions it where a button of a harmless-looking dialog box or prompt would be. The visible sliver reads as the prompt's "OK" or "Close" button, but it belongs to the target page, so the click performs an action there. Pop-up and ad blockers can interfere with decoys built from pop-up windows, so attackers usually draw the fake dialog inside the page itself. (Bogus ad-blocker extensions are yet another type of cyberattack.)

Repositioning

This is a type of rapid content replacement attack in which the cyberattacker quickly moves a trusted user interface (UI) element, or the frame containing it, under the pointer while the user is focused on another portion of the webpage. A click intended for something else, whether reading, scrolling, or pressing a different button, lands on the moved element instead. Sudden jumps or movements of page content should be obvious to most users, and when they occur, employees should notify the security team.

Drag and Drop

This clickjacking strategy requires the user to do more than just click. The attacker induces the victim to drag something, for example a puzzle piece or slider in a game, and arranges for the drop to land inside a form field of the framed target page, so that attacker-chosen data is entered into the trusted site. The reverse also works: the drag can start on content of the target page, such as a token or a piece of text, and end on the attacker's page, where it can be read. Data is thus pushed into or pulled out of the trusted site without the victim's knowledge. Browser vendors have since restricted cross-origin drag-and-drop into and out of frames, so this variant mainly affected older browsers, but the goal is the same as in every clickjacking attack: to make the victim's session do the attacker's work.

Because the web keeps changing, with new JavaScript frameworks and CSS features, attacks in the clickjacking family will continue to evolve, and victims will keep being tricked into performing unexpected actions on sites they trust. Clickjacking is hard for an individual to detect, but in large organizations, where employees and customers interact with the company's web properties at scale, odd click behavior should be reported and acted upon quickly to thwart an attack in progress.

How to Prevent Clickjacking?

Luckily, there are several steps an organization can take to protect its employees, customers, and other stakeholders from a clickjacking attack. The most effective ones are applied by the web development team to the organization's own sites, because they are server-driven: the site tells the browser that it must not be rendered inside another site's frame, and the browser enforces that rule.

Prevent Framing

The site can declare who is allowed to frame it, so that its content cannot be republished in an HTML container on another website. The modern mechanism is the frame-ancestors directive of Content Security Policy (CSP), sent in the Content-Security-Policy response header: frame-ancestors 'none' forbids all framing, frame-ancestors 'self' allows only the site's own origin, and a list of origins permits named partners. This is the first line of defense against clickjacking. The rest of a CSP restricts which resources, such as JavaScript and CSS, the browser may load for the page, which is valuable against other attacks but does not by itself stop framing; frame-ancestors is the directive that does.

Set the X-Frame-Options Header

The older mechanism is the X-Frame-Options response header, which tells the browser whether it may render the page inside a frame, iframe, embed, or object element. A value of DENY prohibits framing entirely; SAMEORIGIN permits it only from pages on the same origin. A third value, ALLOW-FROM, was never supported consistently and is obsolete; when specific third-party origins must be allowed, use CSP frame-ancestors instead. With this header on every response, the webmaster decides whether the page may be included in a frame at all.

X-Frame-Options was introduced with Internet Explorer 8 in 2009 and later adopted by the other browsers. DENY and SAMEORIGIN are now handled consistently, but ALLOW-FROM is not, and when a response also carries a CSP frame-ancestors directive, browsers that support CSP ignore X-Frame-Options altogether. The web development team needs to take this precedence into account when implementing both.

Used together, CSP frame-ancestors for current browsers and X-Frame-Options as a fallback for older ones form a strong defense against clickjacking. Marking session cookies SameSite=Lax or Strict helps as well: a cross-site frame then loads the target without the victim's session, so a hijacked click acts on a logged-out page.
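The precedence rules above are easy to get wrong when a site sends both headers. The following added example (not code from the original article) decides, from a response's headers, whether a page may be framed by a given embedding origin the way a browser would: a CSP frame-ancestors directive wins and X-Frame-Options is ignored; otherwise DENY and SAMEORIGIN apply; with neither, anyone may frame the page. It also produces the header pair a server should send. The sample headers and origins are constructed; for nested frames a browser checks every ancestor, and this function checks one.

```javascript
// Added example (not from the original article). Sample headers and origins are constructed.

// Case-insensitive header lookup on a plain { name: value } object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Return the source list of frame-ancestors, or null if the CSP has no such directive.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Does one frame-ancestors source match the embedding (ancestor) origin? Handles 'none',
// 'self', '*', scheme sources (https:) and host sources with optional scheme, leading *.
// wildcard and port. Origins are strings such as 'https://app.example.com'.
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return ancestorOrigin === pageOrigin;
  if (src === '*') return true;
  const anc = new URL(ancestorOrigin);
  const ancScheme = anc.protocol.slice(0, -1);
  const ancPort = anc.port || (ancScheme === 'https' ? '443' : '80');
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return src.slice(0, -1) === ancScheme; // scheme source
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme !== ancScheme) return false;
  if (wildcard ? !anc.hostname.endsWith('.' + host) : anc.hostname !== host) return false;
  if (port && port !== '*' && port !== ancPort) return false;
  return true;
}

// The decision a browser makes. pageOrigin is the origin of the response being framed.
function canBeFramed(headers, ancestorOrigin, pageOrigin) {
  const sources = parseFrameAncestors(getHeader(headers, 'content-security-policy'));
  if (sources !== null) {
    // frame-ancestors present: it decides, and X-Frame-Options is ignored.
    return sources.some((s) => sourceMatches(s, ancestorOrigin, pageOrigin));
  }
  const xfo = (getHeader(headers, 'x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestorOrigin === pageOrigin;
  // Absent, or an unrecognised value such as the obsolete ALLOW-FROM: framing is allowed.
  return true;
}

// Headers a server should send: CSP for current browsers, X-Frame-Options for old ones.
function antiFramingHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return { 'Content-Security-Policy': "frame-ancestors 'none'", 'X-Frame-Options': 'DENY' };
  }
  return {
    'Content-Security-Policy': `frame-ancestors 'self' ${allowedOrigins.join(' ')}`,
    // X-Frame-Options cannot list third parties; SAMEORIGIN fails closed in legacy browsers.
    'X-Frame-Options': 'SAMEORIGIN',
  };
}

// Constructed demonstration: a decoy origin trying to frame an application page.
const PAGE = 'https://app.example.com';
console.log('no headers      ->', canBeFramed({}, 'https://decoy.example', PAGE));
console.log('default deny    ->', canBeFramed(antiFramingHeaders(), 'https://decoy.example', PAGE));
console.log('partner allowed ->', canBeFramed(antiFramingHeaders(['https://*.partner.example']),
  'https://portal.partner.example', PAGE));
```

Run it against captured response headers from your own site to see which origins can frame each page; a false result for every origin you did not list is what you want.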

Consider Browser Add-ons

Some browser add-ons, such as NoScript with its ClearClick feature, detect when a click or keystroke would land on an element that is hidden or obscured inside a frame and block it, and by default stop scripts from running on untrusted sites, so the attacker's positioning code cannot execute. This is a client-side strategy: it protects only users who install the add-on, on each of their devices, and it does nothing for an organization's customers, so it complements rather than replaces the server-side headers.

Add a Framekiller to the Website

A framekiller, also known as a framebuster or framebreaker, pursues the same goal as X-Frame-Options but in JavaScript. The script checks whether the current window is the top-level window; if not, the page is being framed, and the script either hides the page's content or navigates the top window to the page's own URL to break out of the frame. Framekillers are weaker than headers: an attacker can neutralize the navigation with the iframe sandbox attribute or by intercepting the top-level navigation, which is why the robust pattern hides the page by default and reveals it only after confirming it is not framed. Treat a framekiller as defense in depth for very old browsers, not as the primary control.
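The default-deny framekiller described above, as an added example rather than code from the original article. It assumes the page's HTML carries a style element with the id antiClickjack that hides the body (for instance a style block reading body{display:none !important;}), and that this script runs immediately after it in the head; the element id and the mock windows used for testing are constructed.

```javascript
// Added example (not from the original article): default-deny framekiller. Assumes a
// <style id="antiClickjack">body{display:none !important;}</style> precedes this script.

// Are we inside a frame? Comparing window identities needs no cross-origin access, so it
// should never throw, but the catch keeps the default-deny behaviour if anything odd happens.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    return true;
  }
}

// Apply the framekiller to a window and its document. Returns 'shown' when the page was
// revealed and 'hidden' when it stays blanked, so the decision can be unit-tested.
function bustFrame(win, doc) {
  const blocker = doc.getElementById('antiClickjack');
  if (!isFramed(win)) {
    if (blocker) blocker.parentNode.removeChild(blocker); // top-level: reveal the page
    return 'shown';
  }
  try {
    // Try to escape the frame by navigating the top-level window to this page. Writing to
    // top.location is allowed cross-origin, but an iframe with a sandbox attribute lacking
    // allow-top-navigation refuses it, and some attackers cancel the navigation.
    win.top.location = win.self.location;
  } catch (e) {
    // Navigation refused. Nothing more to do: the blocker style stays, so the attacker
    // gets a blank frame instead of clickable controls.
  }
  return 'hidden';
}

// Run for real when loaded in a browser; a no-op under Node so the file can be tested.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  bustFrame(window, document);
}
```

Because the body starts hidden and is only revealed on the top-level path, a page whose framebusting is defeated fails closed: the attacker sees a blank frame with no controls to click. This is still not a substitute for X-Frame-Options and CSP frame-ancestors, which the browser enforces before any script runs.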

Use a Strong Cybersecurity Solution

A robust platform such as the Fortinet next-generation firewall (NGFW) can protect a network from multiple threats and attack vectors. A security platform that inspects web traffic can recognize suspicious behavior and block access to known malicious pages, including those hosting clickjacking decoys, in real time.

Educate Employees

Employee education is imperative, because employees and other users are another way for the security team to learn that a clickjacking attack is underway. As part of overall cybersecurity training, employees should be alert to pages whose buttons do nothing, whose content jumps or flickers, or whose cursor seems misaligned with what they click, and should report anything about a familiar interface that seems suspicious.

How Fortinet Can Help

An end-to-end security solution is necessary to thwart cyberattacks. Clickjacking schemes exploit a weakness in how an organization's website is served: if the site does not forbid framing, portions of its legitimate pages can be loaded invisibly over a malicious site intent on exploiting user trust.

As threat vectors multiply and increase in sophistication, the Fortinet NGFW can serve as organizations' first-line defense. It filters all traffic and provides intrusion protection for an organization's network across the entire threat landscape.

FAQs

What is Clickjacking?

Clickjacking is a type of attack in which the victim clicks on what appears to be a harmless page controlled by the attacker, while an invisible frame containing a known, trusted website is layered on top of it. The click actually lands on the trusted website and performs an action there with the victim's logged-in session.

How dangerous is clickjacking?

Clickjacking lets an attacker make a logged-in user perform actions on a trusted site without their knowledge: liking or following, changing account or privacy settings, granting permissions, or confirming a transaction. Its impact depends on what a single click, or a short sequence of clicks, can do on the targeted site, which is why sites that expose one-click, state-changing actions must forbid framing.

Is XSS clickjacking?

No. Cross-site scripting (XSS) is a related but broader attack. In XSS, attackers exploit flaws in a web application's handling of untrusted input to inject malicious client-side scripts into pages that other users load, so the script runs with those users' privileges on the site. Clickjacking injects nothing into the target site; it frames the unmodified site and tricks the user into interacting with it. A site with an XSS flaw can be attacked without any framing, and a site with no XSS flaw can still be clickjacked if it permits framing.

What is used to prevent clickjacking?

A range of strategies can be used to prevent clickjacking, including a Content Security Policy (CSP) with a frame-ancestors directive, the X-Frame-Options header, SameSite session cookies, JavaScript framekillers as defense in depth, browser add-ons that block scripts or obscured clicks, a firewall or web filter that blocks known malicious pages, and educating employees.