Introduction
The Internet hosts resources of every kind: educational sites, games, business websites, bank applications and much more; the list is endless. Alongside all these legitimate and honest-looking sites there is a danger that was discovered back in 2002. Clickjacking, or the User Interface Redress attack, was formally introduced as a common Internet attack in 2008. Many Internet users today lose money or fall prey to identity theft through Clickjacking. This article introduces Clickjacking and its impact on the Internet.
Clickjacking
As mentioned above, Clickjacking is also referred to as a UI redress attack. It uses opaque or invisible layers on a web page to lure users into clicking a button or any other element on the page, thereby performing whatever malicious action the attacker wishes. Clickjacking needs nothing more than the mouse and the web page itself as tools against unsuspecting users on the Internet.
There are various forms of Clickjacking. In this article we look at some of the most common types and at how and why they appear in everyday Internet use.
Classic Clickjacking
This form runs in the browser and layers opaque pages over one another to trick a user into clicking items they cannot see; the hidden click may transfer money from their account or make an online purchase. These pages normally carry enticing text such as 'WIN A FREE TRIP TO DUBAI', 'CLAIM YOUR FREE GIFT HERE' or something similar, purely to lure the user into clicking. The hidden page mapped underneath this enticing button may contain a button that transfers money or makes an online purchase in the attacker's name without the user knowing. This form of attack is difficult to trace because, unlike identity theft, the user makes the transaction personally without realising it.
Likejacking
In this technique, the attacker makes the honest user 'Like' or 'Follow' a social media page without the user's knowledge. This normally involves Facebook 'Likes' or Twitter 'Follows'.
Nested clickjacking
In this technique, the attacker takes advantage of the HTTP X-Frame-Options header to embed a malicious web frame between two frames of a legitimate web page, so that one frame is hidden and one is displayed to the user, much as in Classic clickjacking.
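The X-Frame-Options header named above, together with the newer Content-Security-Policy frame-ancestors directive, is the main server-side defence against every framing-based variant in this article, so a practical check is to classify what a response's headers actually permit. The following Python function is an added example, not code from the original article; the category names ('blocked', 'same-origin', 'allow-list', 'unprotected') are my own and the header values in the sample are constructed.

```python
from typing import Dict, Optional


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, because HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify framing protection as 'blocked', 'same-origin', 'allow-list' or 'unprotected'.

    Browsers that understand CSP frame-ancestors give it precedence over
    X-Frame-Options, so the CSP directive is evaluated first.
    """
    csp = get_header(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = [t.lower() for t in tokens[1:]]
                if sources == ["'none'"]:
                    return "blocked"
                if sources == ["'self'"]:
                    return "same-origin"
                if "*" in sources:
                    return "unprotected"
                return "allow-list"  # explicit list of permitted framing origins
    xfo = get_header(headers, "X-Frame-Options")
    if xfo:
        value = xfo.strip().upper()
        if value == "DENY":
            return "blocked"
        if value == "SAMEORIGIN":
            return "same-origin"
        # ALLOW-FROM is obsolete and modern browsers ignore the whole header
        # when they see it (or any other unrecognised value), so the page
        # remains frameable.
        return "unprotected"
    return "unprotected"


if __name__ == "__main__":
    # Constructed sample: a response that sets only the obsolete directive.
    sample = {"Content-Type": "text/html",
              "X-Frame-Options": "ALLOW-FROM https://partner.example"}
    print(framing_policy(sample))  # unprotected
```

Run it against the headers returned by your own application to confirm that the pages which handle money or account changes come back as 'blocked' or 'same-origin'.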
Filejacking
This method uses the browser's file-navigation capabilities to gain access to the user's sensitive data. It lures the user into establishing an active file server through the file and folder dialog available in browsers. Attackers can then access and steal files from the user's computer.
Cookiejacking
With this method the attacker lures the user into dragging some object that appeals to them. Harmless as it may seem, once the user drags the object they hand all their cookies over to the attacker. The attacker ends up with the user's entire cookie content and all the data within it.
Cursorjacking
In this technique, the attacker tricks the user by manipulating the cursor position: the real cursor is not where the user perceives it to be.
Clickjacking may also be used to trigger XSS, which makes its impact far more serious than merely pushing Facebook or Twitter 'Likes' and 'Follows'. If the attacker is aware of an XSS exploit and lures the user into clicking on a page whose iframe URL executes that XSS, the effects on the user or organization could be severe.
Conclusion
Clickjacking is dangerous because in most cases the user is unaware of any attack and may be unable to trace the attacker, since they performed the damaging action themselves. This makes it a very critical attack vector in modern websites and applications.