

Clickjacking: How it happens and how to prevent it

Imagine you're on a website offering a free trip to your dream holiday destination. All you need to do is fill in your details and click "Book now." You do. However, instead of a trip of a lifetime, you see that a lump sum of money has been charged from your bank account. You've just become the victim of a clickjacking attack.

Mar 1, 2025

8 min read

What is clickjacking?

Clickjacking definition

Clickjacking is an interface-based attack where a hacker tricks a user into clicking on an invisible malicious page or an HTML element that overlays the legitimate page. This transparent overlay might secretly download malware on your device, direct you to a malicious website, harvest your login credentials, or pay for something you didn't intend to buy.

Clickjacking variations

Clickjacking attacks fall into two categories: overlay-based and non-overlay-based.

Overlay-based clickjacking attacks

In overlay-based clickjacking attacks, hackers hide original UI elements behind invisible malicious iframes. These attacks are the easiest to conceal and, therefore, the most common. Some common techniques of overlay-based attacks include:

  • Cropping. The attacker tweaks a web page by cropping or positioning UI elements so that a user can see only a part of this element. This tricks users into interacting with those elements without being fully aware of what they're clicking on.
  • Hidden overlay. The attacker places an opaque or nearly invisible overlay on legitimate web pages. A user clicks on a seemingly legitimate button and gets intercepted with a hidden malicious layer.
  • Transparent overlay. The attacker places a transparent iframe with altered buttons over a real page. Then, an unsuspecting user clicks on a visible button, but they actually click on a hidden element, which, for example, triggers access to a webcam instead of "Liking" a Facebook page.
  • Click events. The hacker hides a malicious page behind the real one and uses a Cascading Style Sheets (CSS) trick to make the original page unclickable. This sends all your clicks to the hidden page, allowing attackers to steal your login details and log your keystrokes.

Non-overlay-based clickjacking attacks

Non-overlay-based clickjacking attacks manipulate the real UI element itself instead of hiding it under a fake one. Some of the most popular non-overlay-based attacks include:

  • Rapid content replacement. This attack monitors your click movements and swaps out UI elements on a web page just before you click. For example, you click the "Play" button on a video, but at the last moment, it's replaced with "Confirm payment."
  • Drag-and-drop. An attacker tricks a user into dragging personal files into invisible boxes, for example. This way, an attacker can get hold of your sensitive information.
  • Repositioning. In this attack, the hacker tracks the user's click movements and moves the malicious UI element under the mouse immediately before the user is about to click.
  • Scrolling attacks. The attacker hides parts of a web page by scrolling them out of view. For example, they can hide a dashboard link and display a fake "Log in" button. When a user clicks on it, their action is sent to a hacker.

What is an example of clickjacking?

The attacker creates an attractive page that offers a free trip to the Maldives and makes it as enticing as possible. While on that page, the hacker checks whether you are also logged into your bank account. If so, an invisible iframe loads at the top of the booking page. You cannot see it because it's transparent, but it's a bank transfer form.

Your payment details are then automatically inserted into the form by your browser. Because you really want to get that free trip, you click on what you think is the "Book my trip" button, which is actually the payment confirmation button. The money is then wired to the hacker without your knowledge. Now, you may or may not be sent to a new page or receive an email "confirming" your booking. However, you'll likely be making a trip to your bank rather than the Maldives.

Infographic about clickjacking: How it happens and how to prevent it

Real-life examples of clickjacking attacks

Now that you know how a clickjacking attack works in theory, some real-life examples will give you an even better sense of how these attacks actually happen.

Back in 2011, attackers found a way to exploit Facebook's "Like" button using an invisible frame. They created fake sites promising viral videos or juicy celebrity gossip, but when people clicked, they actually liked a Facebook post. That post, linking to sites full of ads, then showed up on a victim's profile, spreading the scam even further. Eventually, Facebook fixed this issue by tightening its security settings.

In 2018, hackers targeted Bitcoin users with fake exchange sites that looked completely legit. They used hidden overlays to secretly swap the recipient's wallet address with their own, so when victims sent Bitcoin, it went straight to the hacker—with no way to get it back. After this, crypto platforms tightened their security by adding manual transaction confirmations and address blocklists to stop these attacks.

How to protect against clickjacking

Both websites and users can take countermeasures to prevent clickjacking. This way, even if one layer is breached, the other still keeps browsing safe.

Server-side

Clickjacking doesn't affect the website itself, but if you are a website owner, a hacker could use your content, create a lookalike website with a similar URL, and use it in a clickjacking attack. Because clickjacking attacks are based on wrapping a page in an iframe and then adding invisible elements on top of it, you need to make sure that framing is disabled to protect your site. You can do so via:

  1. A website can use the X-Frame-Options HTTP header to determine whether the browser should allow the page to be wrapped in frame, iframe, or object tags.
  2. The Content Security Policy (CSP) HTTP header offers a broader range of security than X-Frame-Options. It lets you allowlist the domains that can embed your pages and the domains from which resources such as scripts, fonts, and images can be loaded.
  3. Protect against fake requests by using cross-site request forgery (CSRF) tokens to ensure only real users can make changes.
  4. Make sure your cross-origin resource sharing policy allows only trusted sites to interact with your website.
  5. Add click confirmations to avoid unauthorized actions. Ask users to confirm important actions like money transfers or password changes.
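A small checker, added here as an example and not taken from the article, that classifies a response's framing protection the way a browser does: a CSP frame-ancestors directive takes precedence over X-Frame-Options, the obsolete ALLOW-FROM value is ignored (so the page stays frameable), and a page with neither header is reported as unprotected. The header sets below are constructed samples, not responses from any real site.

```python
"""Classify a page's anti-clickjacking headers (X-Frame-Options and CSP frame-ancestors)."""


def _parse_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP header value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_policy(headers):
    """Return (verdict, reason) for a dict of response headers.

    verdict is 'blocked', 'same-origin', 'allowlist' or 'unprotected'.
    Browsers apply CSP frame-ancestors first; X-Frame-Options is only
    consulted when no frame-ancestors directive is present.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = _parse_frame_ancestors(csp)
        if ancestors is not None:
            if not ancestors or ancestors == ["none"]:  # empty list matches nothing
                return "blocked", "CSP frame-ancestors 'none'"
            if ancestors == ["self"]:
                return "same-origin", "CSP frame-ancestors 'self'"
            if "*" in ancestors:
                return "unprotected", "CSP frame-ancestors allows any origin (*)"
            return "allowlist", "CSP frame-ancestors: " + " ".join(ancestors)
    xfo = h.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return "blocked", "X-Frame-Options: DENY"
        if value == "SAMEORIGIN":
            return "same-origin", "X-Frame-Options: SAMEORIGIN"
        # ALLOW-FROM and other unrecognised values are ignored by current browsers
        return "unprotected", f"X-Frame-Options value {xfo!r} is not honoured"
    return "unprotected", "no X-Frame-Options or CSP frame-ancestors header"


# Constructed sample header sets: the first is the hardened form, the rest are weak variants.
SAMPLES = {
    "hardened": {"X-Frame-Options": "DENY",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy-only": {"X-Frame-Options": "SAMEORIGIN"},
    "obsolete": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
    "bare": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:12} -> {framing_policy(hdrs)}")
```

Sending both headers, as in the "hardened" sample, covers old browsers that predate CSP frame-ancestors while letting modern ones use the CSP rule.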

Client-side

Implement as many of the following tips into your cybersecurity routine as possible to prevent clickjacking attacks:

  • Set up anti-clickjacking browser extensions. Anti-clickjacking browser extensions will prevent you from clicking on invisible or "redressed" page elements. You can try NoScript's ClearClick for Mozilla Firefox or NoClickjack if you use Chrome, Mozilla, Opera, or Microsoft Edge. The latter extension will provide you protection without interfering with legitimate iframes. Both extensions are free to use.
  • Use robust anti-malware software. Reputable antivirus and anti-malware software will protect your device from viruses, malware, ransomware, spyware, and all the sneaky tricks that hackers use to extort sensitive data or money.
  • Never download suspicious apps. In some cases, clickjacking aims to trick you into downloading a malicious app onto your device. These programs will most likely display iframed input layers for you to fill out, allowing hackers to capture and steal your credentials. To protect your data, only download your software from official sources.
  • Be cautious of unknown links. Some clickjacking attacks start with attackers sending out phishing links that direct users to maliciously embedded pages. Make sure that links in social media messages and emails are legitimate.
  • Update your browser. Keeping your browser up to date ensures that you have modern iframe restrictions and the latest patches against known clickjacking techniques.
  • Don't click on too-good-to-be-true ads. Be wary of Facebook or Google ads that offer something too good to be true or promote something that's out of the ordinary. Instead, check your facts on official sites or reputable alternative sources.
  • Use multi-factor authentication (MFA). Set up MFA on your online accounts. This way, even if a hacker gets hold of your password, they cannot log into your account without your smartphone or biometrics.




Aurelija Einorytė

Always attentive to technology's latest advancements, Aurelija Einorytė develops content to improve the safety of readers' internet experience. She believes everyone has the right to know the ins and outs of cybersecurity and seeks to explain them in an accessible, understandable way.