The Art of the Clickjack Attack

Clickjacking Attacks

Any time an attack method is used via Facebook, you can be assured that it will be big news, so when the social network was found to be a vehicle for clickjacking attacks it quickly became a topic that everyone was talking about.

On the surface, clickjacking, also known as a UI redress attack, is a relatively simple attack: the attacker gets the victim to visit a web page that has been crafted so that the victim's click does something harmful. Of course, attacks are never quite that simple.

The complexity of a clickjacking attack lies in disguising its malicious intent, which is essentially where the name comes from. The victim is tricked into clicking what they think is a harmless element: a link, the play button on a video, a Facebook “Like” button, a Twitter follow button, etc. In reality, the page the victim sees is covered by a second web page, loaded as a transparent layer over the decoy page. When the victim thinks they are clicking the visible button or link, the click actually lands on the hidden page and performs whatever action that page directs their browser to do. Essentially, this attack hijacks your browser and/or computer as a result of a single click – hence, clickjacking.

What Can Clickjacking Make Me Do?

The simple and honest answer to this question is: whatever the attacker programs it to do. But here are a few examples that show exactly what can happen if you fall victim to a clickjacking attack:

  • The Facebook attack

The most recent attacks involving Facebook trick the victim into trying to watch a video. When they do, the code adds “Likes” to the victim’s Facebook newsfeed in the hope that the spam spreads to the victim’s friends; any friend who also clicks on the link will in turn spam everyone on their own friends list, which helps to perpetuate the attack.

Often this attack is paired with having the victims fill out surveys or sending them to other sites that generate money for the attacker. The more spam they are able to send out via clickjacking attacks, the more money they will potentially make.

  • The Flash attack

No, these aren’t quick attacks; this one targets a vulnerability in Adobe Flash and is one of the most notorious examples of clickjacking there has been. The attack was launched against the Adobe Flash plugin settings page: that page was loaded into an invisible iframe, which allowed the attacker to trick a user into altering the security settings of Flash and giving any Flash animation permission to use the computer’s microphone and camera. In plain English, the attacker could sit back and watch and listen to what you were doing in front of your computer’s camera and microphone. They didn’t even have to work for the Philadelphia school system to do this.

  • Tricking the user to take action

While these are more proof-of-concept attacks, they clearly show what else a successful clickjacking attack can achieve.

The attacker spams as many email addresses as they can with a link to a video. The victim visits the page with the video, but another valid page, for example a product page on amazon.com, is hidden on top of or underneath the “PLAY” button of the video. When the user presses the play button for the video, he or she actually “buys” the product from Amazon.

Of course, there needs to be a stored cookie for Amazon or a recent login for this to work, but if enough spam is sent out by the attacker, odds are they will see some reward from this.

Thwarting Clickjacking Attacks

Facebook has made efforts not only to educate users about the dangers of clickjacking on its network, but also to instruct users on how they can remove the spam from their newsfeed by hovering over the right side of the post and clicking the X to “Remove and unlike” it.

Another option that many people take is to install the NoScript add-on for the Firefox browser. This tool only allows active content on web sites that you trust and alerts users to potential threats.

Of course, stopping clickjacking at the source is one of the best avenues to take when fighting it. Since this attack relies on victims clicking on malicious links, one of the primary delivery methods is email spam. Effectively educating users about spam and using a proven spam-fighting solution will go a long way toward stopping clickjacking attacks against your users.
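Since the transparent overlay only works if the target page can be loaded inside a frame on another origin, the check a site owner wants is whether their own responses forbid framing. The following is an added example, not code from the original article or from Facebook, Adobe or Amazon: it evaluates the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive of a response, and the header sets, origins and function names are constructed for illustration.

```javascript
// Added example (not from the original article): audit a page's own response
// headers to decide whether another origin may load it in a frame, which is
// the precondition for the transparent-overlay attack described above.
// Header objects and origins used here are constructed; nothing touches the network.

// Return the source list of the CSP frame-ancestors directive, or null if absent.
function frameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Does one CSP source expression permit framerOrigin to frame pageOrigin?
function sourceMatches(source, framerOrigin, pageOrigin) {
  if (source === 'none') return false;
  if (source === 'self') return framerOrigin === pageOrigin;
  if (source === '*') return true;
  // A scheme-only source such as "https:" matches any host on that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return framerOrigin.startsWith(source);
  // Host sources may carry a wildcard label, e.g. https://*.partner.example.
  const escaped = source.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '[^/]+');
  const pattern = /^[a-z][a-z0-9+.-]*:\/\//.test(source) ? escaped : '[a-z]+://' + escaped;
  return new RegExp('^' + pattern + '$').test(framerOrigin);
}

// True when framerOrigin is allowed to frame the page, i.e. an overlay attack
// from that origin is possible. A CSP frame-ancestors directive takes
// precedence over X-Frame-Options when both are present.
function canBeFramedBy(headers, pageOrigin, framerOrigin) {
  const lookup = name => headers[Object.keys(headers).find(k => k.toLowerCase() === name)];
  const page = pageOrigin.toLowerCase();
  const framer = framerOrigin.toLowerCase();
  const sources = frameAncestors(lookup('content-security-policy'));
  if (sources !== null) return sources.some(s => sourceMatches(s, framer, page));
  const xfo = lookup('x-frame-options');
  if (!xfo) return true; // no header at all: any site may frame the page
  const value = xfo.trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return framer === page;
  return true; // other values (e.g. the obsolete ALLOW-FROM) are not honored by current browsers
}
```

Run it against the headers your own site actually returns; a `true` result for an origin you do not control means the page is frameable and therefore a candidate for the overlay described above.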

Written by Jeff

1 Comment

  1. John Grunwald · May 20, 2011

    It takes all kinds, they say, and that surely applies to spammers as well. Nobody would try a certain kind of spam if somebody didn’t already make a killing off of it. The frustrating part is getting somebody who doesn’t want to take the time to say, add the NoScript add-on and calibrate their settings to run correctly and safely. Not that it is a time-consuming endeavor, but for as much as people click bad links, some don’t want to be bothered by a prompt trying to protect them. Such a shame.
