The internet and technology have revolutionized not just our lives but those of cyber-criminals as well. They, too, have leveraged advances in technology to find new and innovative ways to orchestrate hacks, malicious attacks and breaches. Clickjacking is one more addition to the long list of cyber-attacks (online scams, SQL injection, DDoS attacks, phishing and so on) aimed at trapping unsuspecting victims. So let us delve deeper into what clickjacking is all about and how to secure one's clients, customers and users from it.

Introduction to clickjacking
Most of us know how a hijacking happens, either from the news or the movies. Unsuspecting passengers board their flight expecting to land at their chosen destination, but mid-air, armed attackers take over the flight to accomplish their own objectives, using the innocent passengers as pawns. Clickjacking is similar: the flight, in this case, is the user's click, the hijackers are cyber-criminals, and the mission is to redirect the click the unsuspecting victim makes on one page to a completely different page, in order to steal credentials or money or to achieve some other malicious goal.
Technically speaking, clickjacking is also known as a UI redress attack. The attacker takes advantage of a web page that allows itself to be embedded in a frame: the attacker's own page loads the legitimate site in an invisible (fully transparent) iframe and stacks it over decoy content, so that what the user sees looks like a harmless or legitimate page. When the user clicks a link or button on the decoy, the click actually lands on the framed legitimate site, so the user ends up interacting with a completely different website than the one they think they are on, with whatever cookies and session they already hold there. Clickjacking is one of the easiest cyber-attacks to orchestrate and needs no malware on the victim's machine, but its intent is malicious and its impact can be heavy.
For example: an attacker places a "free iPhone" button on his own page and loads the page of a site you use (say, your bank's fund-transfer page) in an invisible frame on top of it, positioned so that the bank's transfer button sits exactly over the free-iPhone button. When you click to claim the iPhone, the click actually lands on the transfer button and, if you are logged in to the bank in that browser, you transfer funds to the attacker without knowing it.

Reasons/Motivations for clickjacking attacks
Clickjacking attacks are carried out for four major reasons:
- Getting users to download malware.
- Gaining control over a computer or mobile device.
- Gaining access to peripheral hardware (for example, tricking the user into clicking a permission prompt for the camera or microphone).
- Getting users to post, like, publish or follow pages, groups, etc. on social media platforms without their knowledge.

Modus operandi of such attacks
Even though clickjacking may seem like an irrelevant, juvenile or passive nuisance, it is not; it is malicious in intent and impact. So you must strive to prevent such attacks to ensure that you do not lose money, customers and brand value.
You must ensure that your web applications are secure from vulnerabilities so that they do not allow third parties to meddle with them. Choose an intelligent, round-the-clock, managed WAF like AppTrana that will act as your application's wall of defense, preventing malicious requests from reaching it through loopholes and vulnerabilities while also virtually patching vulnerabilities until developers fix them. It continuously monitors for threats, allows custom rules and assures zero false positives.
The other, and most direct, measure is to send the X-Frame-Options HTTP response header on every page of your web application, with the value DENY (never render this page in a frame) or SAMEORIGIN (only pages from your own origin may frame it), so that browsers refuse to load your application or its resources inside a frame or iframe on another domain. Current browsers also honour the Content-Security-Policy frame-ancestors directive, which supersedes X-Frame-Options when both are present; sending both (for example Content-Security-Policy: frame-ancestors 'none' alongside X-Frame-Options: DENY) covers old and new browsers alike. Two caveats: the older ALLOW-FROM value is not supported by current browsers and should not be relied on, and both headers must be set on the HTTP response itself, since browsers ignore them in an HTML <meta> tag.
Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.