The internet and technology have revolutionized not just our lives but those of cyber-criminals as well. They have also been leveraging the advent in technology to find new and innovative ways to orchestrate hacks, malicious attacks, breaches and so on. Adding to the long list of cyber-attacks such as online scams, SQL Injections, DDoS attacks, phishing, etc. aimed at trapping unsuspecting victims is clickjacking. So, let us delve deeper into what clickjacking is all about and how to secure one’s clients/customers/users from it.
Introduction to clickjackingMost of us would know how a hijacking happens, either from the news or the movies. Unsuspecting victims board their flight to land at their chosen destination. But mid-air, armed attackers take over or hijack the flight to accomplish their objectives by using the innocent co-passengers as pawns. Clickjacking is similar to hijacking; the flight, in this case, are the clicks, the hijackers are cyber-criminals and hackers and the mission is to hijack the click made on a specific page by the unsuspecting victim to another page in order to steal their credentials or finances or other such malicious goals.
Technically speaking, clickjacking is also known as the UI redress attack. It is the kind of cyber-attack where the attackers take advantage of a vulnerability in the UI or webpage to edit it and add multiple transparent and opaque layers over it in such a manner that it looks like a legitimate website or webpage. However, when the user clicks on specific links or buttons on the page, their click is hijacked, and they are routed to and are interacting with a completely different website. Clickjacking is one of the easiest cyber-attacks to orchestrate and quite passive, but their intent is malicious and impact is heavy.
For example-A cyber-attacker has placed a free iPhone button on a webpage and layered a webpage you use on top of it. He has linked the free iPhone button to the fund transfer button in your bank account and when you click on this button, you are basically transferring funds to him without your knowledge.
Reasons/Motivations for clickjacking attacksClickjacking attacks occur for 3 major reasons:
Getting users to download malware. Gaining control over a computer or mobile device. Gaining access to peripheral hardware. Getting users to post/like/publish/follow pages, groups, etc. on social media platforms without the knowledge. Modus operandi of such attacksThe common strategies used or modus operandi of cyber-criminals to carry out clickjacking attacks are the following.
Vulnerable applications: When there are vulnerabilities in the application itself such as with the Adobe Flash player plug-in, the attackers can gain access to the hardware attached such as the camera and microphone. Transparent pages: As discussed earlier, the cyber-attacker uses vulnerabilities on the browser to embed a page that is already authenticated by the user to a malicious web page controlled by him/her. So, the attacker can selectively make some parts of the original application invisible and show the user only controlled elements like form fields, buttons and tabs that they want the user to click. javascript button: When only HTML is used, some functionalities may not be possible. So, by using JavaScript instead of only HTML, the cyber-criminals can manipulate the User Interface (UI) in myriad ways. For instance- placing a button under the user’s cursor at all times by embedding a malicious webpage on the browser so that the users are forced to make the click. iFrame Overlay: The malicious website of the attacker contains 2 parts: a code to generate fake UI and an iFrame overlay to cover a portion of the legitimate application. The cyber-criminal can make the user believe that they are using a legitimate web application by using these iFrame overlays and trick them into taking any desired action. How to prevent clickjacking attacks?Even though clickjacking may seem like irrelevant, juvenile or passive occurrences, they are not; they are malicious in intent and impact. So, you must strive towards prevention of such attacks to ensure that you do not lose money, customers and brand value.
You must ensure that your web applications are secure from vulnerabilities so that they do not allow third-parties to meddle with them. Choose an intelligent, round-the-clock, managed WAF like AppTrana that will act as your application’s wall of defense preventing malicious requests from accessing it through loopholes/vulnerabilities while also immediately patching vulnerabilities till developer fix them. It continuously monitors for threats, allows custom rules and assures zero false positives.
The other measure to take to prevent clickjacking attacks is to include X-Frame-Options HTTP headers which will ensure that your web application or its resources are not being loaded in frames or iFrames on other pages or domains.
Venkatesh Sundar
Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.
