Blog

The active data protection technologies development gives rise to the active development and improvement of cybercriminal methods. Criminals use sophisticated methods to go unnoticed and achieve their goals. For example, hackers can use clickjacking to force a user to activate a webcam or transfer money from their own bank account to an attacker’s account.

Clickjacking is a type of cyberattack in which an attacker places an invisible link over web content. Hackers hide the button in a transparent iframe, that allows them to remain invisible. Typically, users can’t determine that a clickjacking attack is occurring. Users, thinking that they are pressing a button that they see with their own eyes, actually fall into a trap prepared by an attacker.

The most common goals for clickjacking are:

• Theft of login credentials;
• Activation of the webcam or microphone;
• Downloading malware;
• Authorization of money transfers;
• Making unwanted purchases;
• Location determination;

This list is not limited to just these examples as the destructive possibilities are endless.

Examples of clickjacking

Money Transfer Fraud: an attacker tricks a user into clicking a link on a malicious page that authorizes the transfer of funds from the user’s bank account. Usually the site with the link contains an attractive offer (gift, discount, etc.). The victim loads the site, clicks a button to receive a «gift» and thereby authorizes the transfer of their funds. If the victim entered his bank account at that time, his/her money will be instantly transferred to the attacker’s account. The transfer of money takes place in the background while the victim is redirected to a page with additional information about the «gift».

Webcam and/or Microphone Activation: In this attack, Adobe Flash users’ settings are silently downloaded from a different link. By clicking on a malicious link, the user changes their settings. This allows attackers to gain access to the camera and microphone.

Likejacking is an attack using «likes». Users are tricked into liking a Facebook page. By clicking on the «Like» button, the user clicks on the link inserted by the attackers. For a «successful» attack the user must log into their account when clicking on the link. Social media accounts are vulnerable to clickjacking. So, in 2009 Twitter was the victim of a successful attack known as the «tweet bomb».

Malware download: An attacker initiates a malware download when a user clicks on a link. Such software can damage system software or create conditions for persistent threats.

Clickjacking protection tools

1. Content-Security-Policy (CSP)
2. X-Frame-Options
3. Framebusting