Imagine you’re on a website that’s offering you a free trip to your dream holiday destination. All you need to do is fill in your details and click ‘Book now.’ You do. However, instead of a trip of a lifetime, you see that a lump sum of money has been charged from your bank account. You’ve just become the victim of clickjacking.
Clickjacking, also known as a UI redress attack, is a common hacking technique in which an attacker creates an invisible page or an HTML element that overlays the legitimate page. It’s meant to trick you into clicking on a particular button or an element on that page. In clickjacking, you may think that you’re clicking on a legitimate button, but you’re actually clicking on a transparent overlay. This transparent element might:
Clickjacking attacks also have a few variations:
The attacker creates an attractive page that offers a free trip to the Maldives and makes it as enticing as possible. While you are on that page, the hacker checks whether you are also logged into your bank account. If so, an invisible iframe loads on top of the booking page. You cannot see it because it’s transparent, but it’s a bank transfer form.
Your payment details are then automatically inserted into the form by your browser. Because you really want to get that free trip, you click on what you think is the ‘Book my trip’ button, which is actually the payment confirmation button. The money is then wired to the hacker without your knowledge. Now you may or may not be sent to a new page, or you may receive an email “confirming” your booking. However, it’s more likely you’ll be making a trip to your bank rather than the Maldives.
Clickjacking doesn’t affect the website itself, but if you do own one, a hacker could use your content, create a lookalike website with a similar URL and use it in a clickjacking attack. Because clickjacking attacks are based on wrapping a page in an iframe and then adding invisible elements on top of it, you need to make sure that framing is disabled to protect your site. You can do so via:
Clickjacking can be worrisome for users, but you can defend yourself by installing browser extensions. Some will prevent you from clicking on invisible or “redressed” page elements. You can try NoScript's ClearClick for Mozilla Firefox or NoClickjack if you use Chrome, Mozilla, Opera or Microsoft Edge. The latter extension will provide you protection without interfering with legitimate iFrames. Both extensions are free to use.
Want to read more like this?
Get the latest news and tips from NordVPN