When we discuss the ways cyber criminals get into your computer, the usual suspects spring to mind: DDoS attacks, phishing, firewall vulnerabilities and SQL injection. One form of attack that gets far less attention but is just as dangerous as any of these is clickjacking.
Clickjacking, also known as UI redress, is where an attacker tricks you into clicking something other than what you think you are clicking. It started out as a black hat SEO trick to gain followers and artificially inflate site visits. It works by getting an internet user to click on a hidden link that leads through to a different destination.
This all sounds annoying but not necessarily highly dangerous: the illegitimate click baiters earn revenue dishonestly because you clicked, usually on app downloads or through torrent sites, and you were inconvenienced. The user curses the site they have landed on and moves on.
But there are several uses of clickjacking that are very dangerous. To understand clickjacking a little better, read on and be more prepared with a bit more cyber awareness.
What do clickjackers want?
Clickjackers want to:
Gain personal details such as login credentials.
By placing a fake login box over the real login, cyber criminals can harvest login IDs and then either sell them or use them at a later date.
Get access to your webcam and microphone.
A clickjacker can get you to turn your webcam on by placing invisible elements over parts of your Adobe Flash settings page, so remember to tape over your webcam.
Spread worms on social media sites like Twitter and Facebook, and spread malware by getting users to download from malicious links.
Yes, that's right: this is another effective way to get your computer infected by a 'trojan'-style worm. By diverting users to invisible malicious links in web widgets, or through an Autofill button such as the one on LinkedIn that leaked visitors' information to third party websites, a user could download a harmful virus without any awareness at all.
Clickjacking in Action
Just imagine that a cybercriminal has built a website that says 'Click for $1000'. The unsuspecting user may think: why not, what could happen? What the user doesn't know is that layered, invisibly, over that web page is an iframe of their email account, with the 'delete all messages' button sitting right on top of 'Click for $1000'. The attacker has hijacked the click for their own malicious purposes.
Ways to avoid Clickjacking
Legitimate websites have begun the long battle against the hackers by asking for extra user interaction, such as opening a new window or adding a confirm button before an action is taken, so that more than one click is required.
Site owners can employ the X-Frame-Options response header on their website. The two most common ways to apply it are X-Frame-Options: DENY and X-Frame-Options: SAMEORIGIN. If you aren't already protected in this way, it's time to get on board and make your next click that much safer.
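As an added example (not code from the original article), here is a small Node.js helper that applies the anti-framing headers and a checker that reads a response's headers and says whether another origin would be allowed to frame the page. It goes slightly beyond the article by also handling the Content-Security-Policy frame-ancestors directive, which current browsers honour in preference to X-Frame-Options when both are present; the origins such as https://bank.example are constructed.

```javascript
// Set both headers so that both older (X-Frame-Options) and current
// (CSP frame-ancestors) browsers refuse to render the page inside a frame.
// `res` is any object with a setHeader(name, value) method, e.g. a Node http response.
function setAntiFramingHeaders(res) {
  res.setHeader("X-Frame-Options", "DENY");
  res.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
}

// Hypothetical checker: given a response's headers (object with lower-case
// keys), the page's own origin and the origin of a would-be framing page,
// return true if the browser would allow the page to be framed.
// Simplified: frame-ancestors sources are matched by exact origin only
// (no wildcards or scheme-only sources).
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const csp = headers["content-security-policy"] || "";
  const directive = csp
    .split(";")
    .map((s) => s.trim())
    .find((s) => s.toLowerCase().startsWith("frame-ancestors"));
  if (directive) {
    // frame-ancestors is present, so X-Frame-Options is ignored.
    const sources = directive
      .split(/\s+/)
      .slice(1)
      .map((s) => s.replace(/^'|'$/g, "").toLowerCase());
    if (sources.includes("none")) return false;
    if (sources.includes("self") && framerOrigin === pageOrigin) return true;
    return sources.some((src) => src === framerOrigin.toLowerCase());
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framerOrigin === pageOrigin;
  // No policy at all: any site may frame the page (the weak default).
  return true;
}

// Constructed sample responses for a site at https://bank.example.
const unprotected = {};
const denyOnly = { "x-frame-options": "DENY" };
const sameOriginOnly = { "x-frame-options": "SAMEORIGIN" };
const cspWins = {
  "x-frame-options": "SAMEORIGIN",
  "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
};
const partnerAllowed = {
  "content-security-policy": "frame-ancestors 'self' https://partner.example",
};

module.exports = { setAntiFramingHeaders, framingAllowed, unprotected, denyOnly, sameOriginOnly, cspWins, partnerAllowed };
```

Call setAntiFramingHeaders(res) before writing the body of any page that performs a state-changing action on a click, and use framingAllowed to verify the headers your server actually sends.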