Clickjacking tricks unsuspecting people into clicking links they think are harmless, and those stolen clicks can download malware, harvest credentials, and take over online accounts. Some clickjacking techniques can dodge browser security protections, but there are ways to protect yourself.
What Is Clickjacking?
Also known as a UI redress attack or user interface (UI) overlay attack, clickjacking is a form of interface-based attack that manipulates users into clicking buttons or links disguised as something else.
Unlike website spoofing, where victims are taken to a spoofed website designed to mimic a legitimate company’s site, clickjacking uses the real website. The attacker’s page loads the legitimate site inside an invisible frame layered over decoy content, using web technologies like cascading style sheets (CSS) and iframes.
The invisible layer is made using iframes, an HTML element used to embed a webpage or HTML document into another. The frame is transparent, so it still looks like you’re interacting with the harmless page you can see. However, if you click a button on the visible page, play a game, or perform a task you think is harmless, those clicks are applied to the invisible site on top. The clicks give hackers access to your accounts, allow them to download malware, take over your devices, and perform other nefarious activities.
Sometimes, attackers disguised as marketers trick users into liking a social media page or post. This attack is called likejacking. Attackers send users an interesting video or a “special offer,” and clicking “play” or interacting with the content will make the user unknowingly click a hidden like button.
Another version of clickjacking, called cursor-jacking, tricks users with a custom cursor that clicks on links or parts of a website the user didn’t intend to interact with.
A more advanced variation of clickjacking called double clickjacking exploits the timing and sequence of a user’s double clicks.
How Double Clickjacking Bypasses Clickjacking Protections
Many modern web browsers have mitigated clickjacking with security defenses. However, a sophisticated version called “double clickjacking” can circumvent traditional protections by exploiting the sequence between two clicks to take over an account or perform unauthorized actions.
In a double clickjacking attack, malicious elements are inserted between the user’s first and second clicks. You’re first taken to an attacker-controlled site and given a prompt, like solving a CAPTCHA or double-clicking a button to authorize an action. The first click closes or changes the top window (the CAPTCHA overlay), causing the second click to land on an authorization button or link that was previously hidden. That second click might authorize a malicious plug-in or OAuth application to connect to your account, or approve a multi-factor authentication prompt.
What You Can Do to Protect Yourself
Clickjacking techniques are tricky and designed to confuse you and steal your clicks, but you can do a few things to protect yourself.
- Keep your device and browser up to date. Watch for security patches and software updates and install them as soon as they become available. Browser and software vendors regularly release patches that address security vulnerabilities and protect users from new attacks.
- Be suspicious of prompts that require double clicks, especially on websites you are not familiar with.
- Always double-check the URL of the websites that you visit. Attackers can use typosquatting to buy a version of a legitimate domain with very subtle differences, such as an extra “a” or a hyphen inserted into the domain, as in “ama-zon.com.”
- Avoid clicking links when you are not sure about the source. You can use a website link checker to see if the link is safe.
Attackers often exploit your trust in legitimate sites and the basic actions you normally do without thinking, like double-clicking. It’s always important to slow down and think before you click to protect yourself.