What is Clickjacking?
Clickjacking is a type of attack in which the victim clicks on what appear to be links on a known, trusted website. Unbeknown to the victim, the clicks actually land on a malicious, hidden website that has been overlaid onto the known website.
Cursorjacking is another version of clickjacking. In cursorjacking, attackers trick users by adding a custom cursor image that confuses victims into clicking on parts of the page they have no intention of clicking. In more advanced clickjacking scenarios, victims do more than just click. They might even enter usernames, passwords, credit card numbers, and other personal information into what they believe to be common sites they use frequently. But instead, their information is being scraped by a malicious, hidden website.
Clickjacking, also known as a user interface redress attack, is a term coined by Jeremiah Grossman and Robert Hansen in 2008.
Clickjacking might seem like spoofing, in which the cyberattacker recreates websites or landing pages in an effort to trick users into thinking the fake pages are the original, legitimate pages, but it is much more sophisticated. The website the victim is looking at in a clickjacking scheme is the real website of a known, trusted entity. However, the attacker has added an invisible overlay over its content using various HTML technologies, including custom cascading style sheets (CSS) and iframes, which allow content from one website to be embedded in another.
Types of Clickjacking Attacks
There are several different types of clickjacking attacks. Due to the open nature of the internet and the continued advances in web frameworks and CSS, clickjacking attacks can become quite complex.
Complete Transparent Overlay
Perhaps the most common clickjacking strategy, this method overlays a legitimate webpage over a malicious page. The legitimate page is loaded into an invisible iframe, and the user has no idea that a malicious page is underneath.
Cropping, which is trickier to program, occurs when the cyberattacker overlays only selected controls from the malicious page onto the legitimate page. The attacker could replace hyperlinks on the legitimate page with redirects, replace the text of buttons on the legitimate page with different wording (thereby confusing the victim), or change the content in a way that misleads the user.
A hidden overlay can take many forms; cursorjacking, mentioned above, is one example. In this strategy, the cyberattacker creates a tiny iframe, perhaps as small as a 1x1 pixel, that is positioned under the mouse cursor and undetectable to the victim. As a result, any click goes to the underlying malicious page.
Click Event Dropping
Click event dropping might be a more obvious attack to a user. In this strategy, the attacker sets the CSS pointer-events property to none, so clicking seems to do nothing on the visible page. In reality, the clicks are acting on the malicious page underneath. Users should alert the webmaster when repeated clicks on a website's buttons or links do nothing.
Rapid Content Replacement
For more sophisticated cyberattackers with significant know-how in user experience and behavior, rapid content replacement can be an effective strategy. In this scheme, overlays are covered up, removed for a fraction of a second to register a click, and then immediately replaced. With this scenario, the user might not notice that they are clicking on a possibly malicious button or link because the object disappears so quickly.
Apart from inserting overlays, attackers have other ways to trick users into unexpectedly clicking malicious content.
In this scenario, the cyberattacker creates a legitimate dialog box or pop-up with a button partially off the screen. The buttons go to the malicious webpage underneath, but the box appears as a harmless prompt. The challenge for attackers in using this strategy is that the victim may have an ad blocker or pop-up blocker installed on their browser. The attacker will need to find a way to circumvent this. (Bogus ad-blocker extensions are yet another type of cyberattack.)
This is a type of rapid content replacement attack, in which the cyberattacker quickly moves a trusted user interface (UI) element while the user is focused on another portion of the webpage. The idea is to have the victim inadvertently click the moved element instead of focusing on reading, scrolling, or clicking something else on the page. Quick jumps or movements should be obvious to most users, and when this occurs, the employee should notify the webmaster and security team.
Drag and Drop
This is a clickjacking strategy that requires the user to do more than just click. The victim will need to fill out forms or perform another action. The web forms might look like those of the legitimate page, but when users fill out the fields, the data is captured by the cyberattacker via the malicious page underneath. The goal, as with any cyberattack, is to obtain personal or sensitive information without the victim's knowledge.
How to Prevent Clickjacking?
Luckily, there are several steps an organization can take to protect its employees, customers, and other stakeholders from a clickjacking attack. These protections are typically undertaken by the web development team, as they are server-driven and require some coding and knowledge of how the web works.
Move the Current Frame to the Top
Also known as X-Frame-Options, this strategy relies on a response header, code sent with a webpage that tells the browser whether it may render the page in a frame, as an embed, or as an object. The header gives the webmaster control over the use of iframes or objects: with this extra code in the header of a webpage, the webmaster can prohibit the inclusion of that webpage within a frame.
X-Frame-Options was first developed for Internet Explorer 8, and its support is not consistent across all browsers. The web development team will need to take this into consideration when implementing X-Frame-Options.
When used together, a Content Security Policy (CSP) and X-Frame-Options can serve as a strong defense against a clickjacking attack.
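As an added example (not Fortinet's code), the following Python audit checks a response's headers for these two server-side controls, treating the CSP frame-ancestors directive as authoritative where present and X-Frame-Options as the fallback; the header sets are constructed samples.

```python
"""Audit HTTP response headers for clickjacking (framing) protection."""
from typing import Dict, List, Optional

# Constructed sample header sets, one per outcome the audit distinguishes.
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "xfo_allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "both": {"X-Frame-Options": "SAMEORIGIN",
             "Content-Security-Policy": "frame-ancestors 'self'"},
}

def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def assess_framing_protection(headers: Dict[str, str]) -> str:
    """Classify a response as 'protected', 'weak' or 'unprotected'. Browsers that
    support frame-ancestors ignore X-Frame-Options when both are present, so CSP
    is checked first and X-Frame-Options is the fallback."""
    csp = _get(headers, "Content-Security-Policy")
    if csp is not None and (sources := frame_ancestors(csp)) is not None:
        lowered = [s.lower() for s in sources]
        # '*' or a bare scheme such as 'https:' lets any site frame the page.
        if "*" in lowered or any(s.endswith(":") for s in lowered):
            return "weak"
        return "protected"  # 'none', 'self' or an explicit origin allow-list
    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        return "unprotected"
    if xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return "protected"
    return "weak"  # ALLOW-FROM (obsolete) or an unrecognized value; browsers ignore it

def audit(responses: Dict[str, Dict[str, str]] = SAMPLE_RESPONSES) -> Dict[str, str]:
    """Run the check over every sample and map its name to the verdict."""
    return {name: assess_framing_protection(h) for name, h in responses.items()}
```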
Consider Browser Add-ons
Some web browsers have add-ons that stop scripts from running when a Hypertext Transfer Protocol (HTTP) request is made. With the scripts stopped in their tracks, the cyberattacker's code cannot execute. This is a client-side strategy and requires employees to install the add-on in their browser. For added protection, they should install the add-on on all of their devices.
Add a Framekiller to the Website
Use a Strong Cybersecurity Solution
A robust platform such as the Fortinet next-generation firewall (NGFW) can protect a network from multiple threats and attack vectors. A security platform can recognize suspicious behavior and block threats like clickjacking in real time.
Employee education is imperative, as employees or other users can provide another way to notify the security team of a clickjacking attack that is underway. As part of overall cybersecurity training, employees need to be on alert if they suspect that clicks or parts of what they believe to be the normal interface of the website seem suspicious.
How Fortinet Can Help
An end-to-end security solution is necessary to thwart cyberattacks. Clickjacking schemes target the security vulnerabilities of an organization's website, taking portions of legitimate webpages and overlaying them over a malicious site intent on exploiting user trust.
As threat vectors multiply and increase in sophistication, the Fortinet NGFW can serve as organizations' first-line defense. It filters all traffic and provides intrusion protection for an organization's network across the entire threat landscape.
What is Clickjacking?
Clickjacking is a type of attack in which the victim clicks on links on a website the victim believes to be a known, trusted website. However, they are actually clicking on a hidden website that has been overlaid onto the known website.
How dangerous is clickjacking?
Clickjacking is another threat vector and has the potential to enable a security breach.
Is XSS clickjacking?
XSS, or cross-site scripting, is a related attack but can be much broader in scope. In XSS, cyberattackers exploit vulnerabilities in web servers and inject malicious client-side scripts without users' knowledge.
What is used to prevent clickjacking?
A range of strategies can be used to prevent clickjacking, including implementing a Content Security Policy (CSP), coding for X-Frame-Options, adding browser add-ons, using an advanced firewall system, and educating employees.