February 24, 2021 | 8 min reading time

Anyone who’s been active online has seen ads that pop up enticing us with free offers, either for a trip or a new phone. What we can’t see is that, on top of those ads, there may be an invisible element that routes our clicks to our bank account without us knowing.

That’s what clickjacking does. It’s a method to trick us into taking action online without our knowledge. Instead of getting that free trip or phone, you’ll find that a large chunk of your bank account has gone away.

While there’s little to be done after the fact, you can take measures to protect yourself from falling victim to clickjacking in the first place. Many web browsers have gotten wise to clickjacking methods and have put protections in place for their users. That’s a step in the right direction, but you can do more to ensure you’re protected further.

Some methods are simple. Don’t stay logged into your bank account or browse while it’s open. Logging out of sensitive sites every time you use them also helps. Other methods are more complicated and require you to use preventative software to protect yourself.

In this article, we’ll go over the ins and outs of clickjacking so you’ll know what it is, what it does, and most importantly, how you can protect yourself.

What Is Clickjacking

Clickjacking is a hacking technique that tricks you into clicking something on a page that’s disguising a malicious, illegitimate action instead. Also known as UI (or user interface) redressing, it refers to how hackers hide their intentions by making the page look like something else.

The transparent element on top of the page can then interact with your computer or open browser pages without your knowledge or consent. Despite you not being aware this action is occurring, to the outside world, it looks no different than your deliberate online activity. That makes it more difficult to detect and more difficult to repair in the cases where money was transferred without your knowledge.

How Does Clickjacking Work

UI redressing works by hiding the interface that’s actually in control of the web page. It relies on HTML frames, a building block of much of web development: they let one web page display another page inside itself, and hackers exploit that by layering CSS or JavaScript elements over the framed page.

Adding these elements lets the page appear safe and lures users in by mimicking a site they trust. There is no way to tell there is a hidden element on top of the page, so visitors, not realizing they’re vulnerable, interact with the site as normal, believing they are safe. Only later do they become aware that their clicks were put to nefarious purposes.

Clickjacking or UI redress is never the main goal. Instead, it’s a tool to achieve a different attack. These vary in severity, from stealing your bank information or installing malware to simply boosting clicks on other sites or likes on Facebook.

The Dangers of Clickjacking

Clickjacking ranges from the highly dangerous to the mildly annoying. On the safer end of the spectrum, your credentials are used to boost likes or views on social media. It can also spread viruses on social media or increase clicks on ads, costing businesses ad revenue.

What more directly affects you is when clickjacking:

  • Steals your login credentials
  • Activates your computer’s webcam or microphone
  • Downloads malware to your device
  • Accesses your bank account to pay for something or transfer money

Since clickjacking leaves fewer traces that fraudulent activity occurred, it is harder for you to dispute anything. That’s particularly bad in cases where money was transferred from your account.

[Image: how clickjacking affects you]

Other Forms of Clickjacking

Clickjacking is used to accomplish a variety of goals, which have taken on their own sub-identities.

Likejacking

Likejacking exists primarily on social media and gets its name because of its associations with Facebook. It manipulates Like buttons to falsely increase a post’s popularity by tricking users into “Liking” pages they had not intended to.

Cursorjacking

Cursorjacking alters your cursor’s position from where you’re seeing it so that it’s somewhere else. Instead of tricking you into clicking something yourself, it guides your hand to do it instead.

This has become less common as browsers have taken measures to prevent it. It saw some use against Firefox and Adobe Flash before the issue was resolved.

Browserless

This variety of clickjacking primarily targets mobile devices and hijacks dialog and alert notifications. It doesn’t require a browser, which is where its name comes from.

Cookie Jacking

Cookie jacking, or session hijacking, is used to steal your browser cookies. This lets the hacker access the web applications you’re logged into, because the cookies indicate they have permission to do so. They can use it to steal data, access bank accounts, or for identity theft purposes.

File Jacking

File jacking tricks the user into connecting their browser to the attacker’s server to establish access to their files. This sets up an active file server connection in the web browser that is used to steal files containing sensitive documentation.

Clickjacking Prevention: The 101

Although there is no complete protection against clickjacking, there are steps you can take to lower your risk of falling victim. Protections against clickjacking take two main forms and are broken down as either client-side or server-side protections.

Client-side Clickjack Protection

Simply put, client-side protections use software to prevent you from clicking on invisible page elements. These take the form of browser extensions that protect you as you browse. They disable invisible frames or “redressed” elements so that you won’t be affected, without interfering with the legitimate iframes that keep the page running.

Which extension you get depends on which browser you’re using. Common extensions are:

  • Scriptsafe for Chrome
  • NoScript for Firefox
  • JS Blocker for Safari
  • Opera for Microsoft Edge

Browser extensions are generally free to use and available in your browser’s app store.

Server-side Clickjack Protection

Server-side clickjack protection is done on the website itself to prevent it from being used as the basis of a clickjacking attack. The websites themselves are unaffected, since the frame is placed on top of them, but it harms a site’s reputation if it leaves visitors vulnerable. To prevent this, you can disable framing so that fraudulent frames can’t be wrapped around your site.

Enabling these protections will keep your customers safe so they can browse in peace on your site. Not only is that good practice for everyone’s internet health, but it also ensures your site maintains a positive reputation.

Server-side protections limit what the site can access to display pages and information online. By preventing third-party or unsourced frames from embedding the site, you can block hackers from using your site to target people.

There are three main ways this can be done.

X-Frame-Options

The X-Frame-Options response header tells the browser whether a page may be rendered inside a frame, iframe, embed, or object tag. It takes one of three directives:

  • DENY, which won’t let the browser display the page in any frame.
  • SAMEORIGIN, which only lets the browser display the page in frames from your own domain.
  • ALLOW-FROM, followed by a URI, which names the single source that may frame the page. Note that ALLOW-FROM is obsolete and is ignored by current browsers; the Content Security Policy’s frame-ancestors directive replaces it.

Content Security Policy

The Content Security Policy (CSP) header is more hands-on than X-Frame-Options. Its frame-ancestors directive lets you whitelist specific domains that are allowed to embed your pages, and the same header can also control which sources your site loads fonts or scripts from. That way your site still gets the fonts and scripts it needs while being protected from clickjacking.

Frame Killing

Frame killing (also called frame busting) is a little outdated but was very common with older browsers. You included frame-killing JavaScript in pages you thought were vulnerable to clickjacking; if the page detected that it had been loaded inside a frame, the script broke it out. It was easy to set up and blocked harmful frames from taking control of your site, although a framing page can neutralize such scripts (for example, by sandboxing the frame), which is why the header-based methods above are preferred today.
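The frame-killing technique in its fail-closed form, as an added example that is not code from the article or from ClickGUARD: the page starts hidden, reveals itself only when it is the top-level document, and otherwise tries to navigate the top window to its own URL. The function names and the optional doc/selfWin/topWin parameters (which exist so the decision logic can be exercised outside a browser) are assumptions made for this example.

```javascript
// Added example (not from the original article): a fail-closed frame killer.
// Assumed names: framingDecision, hidePage, installFrameKiller. The doc/selfWin/topWin
// parameters exist only so the logic can be run and tested outside a browser.
const STYLE_ID = "antiClickjack";

// "show" when this page is the top-level document, "bust" when it is inside a frame.
function framingDecision(selfWin, topWin) {
  return selfWin === topWin ? "show" : "bust";
}

// Hide the whole page until we know it is not framed: if an attacker manages to
// disable the script below, there is still nothing visible for a victim to click.
function hidePage(doc) {
  const style = doc.createElement("style");
  style.id = STYLE_ID;
  style.textContent = "body { display: none !important; }";
  doc.head.appendChild(style);
}

// Install the frame killer. Call this from <head>, before any page content renders.
function installFrameKiller({
  doc = globalThis.document,
  selfWin = globalThis.self,
  topWin = globalThis.top,
} = {}) {
  hidePage(doc);
  const decision = framingDecision(selfWin, topWin);
  if (decision === "show") {
    // Not framed: remove the hiding style so the page renders normally.
    doc.getElementById(STYLE_ID).remove();
  } else {
    // Framed: break out by sending the top-level window to this page's own URL.
    // A framing page that sandboxes the iframe (sandbox="allow-scripts" without
    // allow-top-navigation) blocks this navigation, and some browsers throw; either
    // way the page stays hidden, so the attacker gets nothing clickable.
    try {
      topWin.location = selfWin.location.href;
    } catch (err) {
      // Navigation blocked: remain hidden, nothing else to do.
    }
  }
  return decision;
}

// In a real browser, run immediately; under Node there is no document, so do nothing.
if (typeof document !== "undefined") {
  installFrameKiller();
}
```

The hide-first ordering is what separates this from the old one-line `if (top !== self) top.location = self.location;` buster: the older form renders the page first and only then tries to escape, so anything that stops the escape leaves a fully clickable page inside the attacker’s frame.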

Clickjacking: A Danger that Can Be Stopped

Clickjacking can’t be entirely stopped but you can do a lot to protect yourself. In some cases, changing your log-in information or logging out of sites between uses will help curtail any fraudulent efforts. Taking additional measures to download extensions will only further protect you and keep your online identity safe.

Companies and business owners can take their own measures to design their sites with protection in mind. Blocking your site from allowing outside frames will stop clickjackers from accessing your site for any nefarious purposes.

Once you’ve fallen victim to clickjacking, there isn’t much you can do to fix the damage. From an outside perspective, it’s difficult to tell which activity was fraudulent and which was not. Prevention is the best way to save yourself the trouble. Fortunately, we’re better equipped than ever to prevent hackers from accessing our information. We only need to take the steps to keep ourselves safe. Understanding the issue and following these steps is the first thing to do to protect yourself.

And since we're clicking with this topic, you might also want to check out click fraud, a multi-billion dollar issue ClickGUARD deals with. 😉

Jason is the CMO @ ClickGUARD. He is passionate about all things PPC, SEO and has extensive customer acquisition experience. When not writing about SEM he can be found surfing the wildest ocean waves of the South American coast.