Clickjacking: What is it and how bad is it?

Remember when cyberpunk media promised us that any “-jacking” terms would mean cool future hacking mechanics? Yeah, same. Clickjacking, however, is a mechanic used by hackers; it can cause a lot of damage but is actually very lame once you explain it. Here’s how it goes: 

What is a clickjacking attack?

A clickjacking attack – also known as a UI redressing attack – works by making users (read: you) click on disguised website elements that the user perceives to be legitimate.

So on a website subjected to a clickjacking attack, you may be clicking “Next” to see more cat pictures. However, your cat picture website has poor security and a hacker overlaid an invisible page on top of it. So when you click “next,” you’re ordering a bank transfer to a secret hacker account. That’s why the alternative title “UI redressing” exists – the hacker has redressed the user interface of the website to do a malicious thing. 

Other clickjacking methods

Aside from the method I mentioned, other varieties of clickjacking exist: 

  • Likejacking makes people who click an embedded Facebook “Like” button (the one that appears on sites that aren’t Facebook) “like” something other than depicted in the embed. This may grow a user base for a shady Facebook group or be later used for further scams by using the group as an inroad. 
  • Nesting relies on the website in question being vulnerable to insertion of malicious frames alongside the native elements. This was something Google+ was susceptible to. 
  • Cursorjacking is a method that shows your mouse cursor to be not where it appears on the browser window. That way, the user might be clicking on one thing while the actual cursor is clicking something else. Luckily, this relied on vulnerabilities in older browsers that have since been patched out. 
  • Mousejacking has also been named as a type of clickjacking, even if it works in a somewhat more physical way. That is, it relies on the connection between a wireless keyboard and a computer to be badly secure, transmitting signals with fake keyboard inputs. 

How does a clickjacking attack work?

Clickjacking attacks rely on iframes to:

  • Embed legitimate websites into their own scam sites and then cover the visible page with an invisible frame of their own
  • Insert an invisible iframe into a compromised legitimate website. 

Now, you might be wondering: how does that explain ANYTHING if I don’t know what an iframe is?

An iframe is a website construction component. Or, rather, it’s a component of the HTML code that websites are constructed of. Iframes allow website developers to embed documents, videos, and so on on their site. This essentially puts a secondary page inside the webpage

Clickjacking attack example

If you’re still not clear about what it is, I’ll give you an example: every time you’ve seen an embedded YouTube video in the wild (that is, not while visiting youtube.com), you’ve seen an iframe at work. 

So here’s how it goes:

  1. You go to videogamedeals.ro.ru 
  2. You click the WAR OF WORLDCRAFT STEAM SUPER DEAL!! button.
  3. videogamedeals.ro.ru loads a malicious page with store.steampowered.com* in an iframe. 
  4. Hackers layer an invisible field over the payment details field.
  5. You enter your payment details into the invisible field. 
  6. Hackers make off with your payment details and/or money. 

That’s how clickjacking attacks trick users into divulging their data, transferring money, downloading malware, falling for scams, and more. 

*For the purposes of this explanation only, it is assumed that store.steampowered.com doesn’t have any defense against iframes. 

How can clickjacking be prevented?

Can you fight clickjacking? Well, it gets difficult, but some methods have been developed in the past:

For clients (read: users like you and me): 

  • Browser add-ons like NoClickjack can warn or protect you from attacks in progress.  
  • Security apps like Surfshark’s CleanWeb can also stop clickjacking attacks from taking you to already identified scam sites. 
  • Eternal vigilance, meaning ignoring shady deal sites, rejecting too-good-to-be-true offers, and following other scam prevention tips

For web servers (read: the people running websites):

  • Fiddle with things called “X-frame options” which would prevent a website from being used in an iframe. This may be obsolete nowadays and “frame ancestors directive” may be a more secure option.
  • Follow the newest trends in ensuring security. 
  • Reconsider the security policy of the website in question to prevent the site from being hacked and embedded with iframes. 

Don’t let your clicks be jacked

Clickjacking is a real danger when visiting websites that don’t care about clickjacking defense or are just shady pages meant to entrap users. There is not much to be done on the user end of things, except for keeping the regular defenses up. And what do you know, one of the first layers of online security is to get a VPN!

Get yourself a VPN for internet privacy

Get Surfshark