A clickjack attack, often just called “clickjacking,” is a user-interface redress attack: the attacker tricks a user into clicking something other than what they think they are clicking, typically by loading a legitimate site in an invisible frame stacked over decoy content. The hijacked click can be used to download malware, hand over personally identifiable information (PII), transfer money, or purchase an online product, all as actions the victim unknowingly performs on the real site.
How does a clickjack attack work?
Typically, a clickjack attack starts with the attacker building a page that loads the target site (often one specific page, such as a settings form or a payment button) in a transparent iframe layered over decoy content of the attacker's choosing. Because the frame is transparent and sits on top, the user sees the decoy but the click lands on the hidden target, so the click is “hijacked” and either performs an action on the framed site or sends the user to another page. While most clickjack attacks deliver the click to something malicious, they can also be used to trigger actions on a legitimate page that the user never intended to visit. Some examples include:
- Likejacking: A bad actor frames a Facebook “Like” button beneath a decoy so that you inadvertently “like” a page you didn’t mean to.
- Cursorjacking: The cursor shown on screen is offset from where the browser actually registers it, so you click somewhere other than where you think. This relied on vulnerabilities in specific tools such as Flash and older versions of the Firefox browser.
Note: Clickjacking can initially look like spoofing, where a bad actor recreates a website to trick users into believing a fake page is legitimate, but it is a different and subtler technique. A clickjacking victim is actually interacting with the real website of a known and legitimate entity; the cybercriminal has loaded that site in an invisible frame on top of their own page, so the user's clicks are delivered to the genuine site without the user realising it.
Clickjacking in the news
Because a clickjack attack is not a “typical” cybersecurity concern, most people remain unaware of it. This may explain why many clickjacking attacks have targeted Facebook, where users tend to click on provocative titles without first considering whether they are genuine.
For example, a recent Dark Reading article reported a clickjacking worm that was noticed after multiple users were redirected to a malicious page by a link that supposedly led to “101 Hottest Women in the World”. After clicking on a picture of actress Jessica Alba, users were suddenly redirected to a completely different and unrelated website.
This sparked another debate about the robustness of Facebook’s security against clickjacking, an issue, interestingly enough, that has been going on since 2018.
Yet, arguably, the most notorious example of a clickjack attack was the one involving the Adobe Flash plugin settings page. According to users, a clickjacked copy of the settings dialog tricked them into changing their Flash security settings, permitting malicious pages to use their computer’s microphone and camera.
Protecting against a clickjack attack
It’s worth noting that there is no fail-proof way to prevent clickjacking, but there are strategies that reduce the risk on your web applications and in your IT environment.
The simplest is the X-Frame-Options header, which is sent as part of a webpage's HTTP response. It tells the browser whether the page may be rendered inside a <frame>, <iframe>, <embed> or <object>; if the page refuses, the attacker's invisible frame stays empty and there is nothing for the hijacked click to hit.
There are three values allowed for the X-Frame-Options header:
- DENY: The page may not be displayed in a frame at all, regardless of which site is trying to frame it.
- SAMEORIGIN: The page may only be displayed in a frame on a page from the same origin as the page itself.
- ALLOW-FROM uri: The page may be displayed in a frame only on the specified URI. This value is obsolete: current browsers do not support it and behave as if no header were set, so do not rely on it.
Developers should send DENY on any page that never needs to be framed and SAMEORIGIN on pages that legitimately frame each other within the same site. Modern browsers also honour the Content-Security-Policy frame-ancestors directive, which supersedes X-Frame-Options when both are present and is the only supported way to allow a specific third-party origin; sending both headers covers old and new browsers.
To determine which option is most suitable for you, we recommend first checking whether your site is vulnerable to clickjacking by following the steps in the OWASP Testing Guide: load the page in an iframe from a page on a different origin and see whether it renders, and inspect the response headers (for example with curl -I) to confirm the header is actually being sent.
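As an added example, not code from the original article or from NinjaOne, the Node.js script below covers both sides described on this page: how the attack frames a target, and how the response headers stop it. antiFramingHeaders builds the headers a server should send for each framing policy, frameProtection applies browser precedence (frame-ancestors first, then X-Frame-Options, with unsupported values such as ALLOW-FROM ignored) to a response's headers and says whether the page can still be framed, and buildTestPage generates the iframe test page that the OWASP Testing Guide check relies on. The header sets, origins and URLs are constructed for illustration, not captured from any real site.

```javascript
'use strict';

// Return the anti-framing headers a server should send. `allowedOrigins` is a
// list of origins permitted to embed the page; an empty list means nobody may.
// X-Frame-Options cannot express a third-party allow-list (ALLOW-FROM is
// obsolete), so that case is handled by Content-Security-Policy alone.
function antiFramingHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
  }
  if (allowedOrigins.length === 1 && allowedOrigins[0] === 'self') {
    return { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'" };
  }
  const sources = allowedOrigins.map((o) => (o === 'self' ? "'self'" : o)).join(' ');
  return { 'Content-Security-Policy': `frame-ancestors ${sources}` };
}

// Classify the framing protection expressed by a set of response headers
// (names matched case-insensitively, as HTTP requires). Mirrors browser
// precedence: a CSP frame-ancestors directive wins; otherwise X-Frame-Options
// applies; an unrecognised X-Frame-Options value (including ALLOW-FROM) is
// ignored by current browsers, so it counts as no protection.
function frameProtection(headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? null : headers[key];
  };

  const csp = get('content-security-policy');
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim()).find((d) => /^frame-ancestors\b/i.test(d));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      if (sources.includes("'none'")) return { protected: true, policy: "frame-ancestors 'none'" };
      if (sources.includes('*')) return { protected: false, policy: 'frame-ancestors * (anyone may frame)' };
      return { protected: true, policy: `frame-ancestors ${sources.join(' ')}` };
    }
  }

  const xfo = get('x-frame-options');
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY' || value === 'SAMEORIGIN') return { protected: true, policy: `X-Frame-Options ${value}` };
    return { protected: false, policy: `X-Frame-Options ${value} (not honoured by current browsers)` };
  }
  return { protected: false, policy: 'no anti-framing header' };
}

// Build the OWASP Testing Guide style check page: load the target in an
// iframe and see whether it renders. This is the attacker's page minus the
// trick: a real attack sets the iframe's opacity near 0 and places decoy
// controls underneath it. The URL is HTML-escaped so the test page itself
// cannot be broken by characters in the target URL.
function buildTestPage(targetUrl) {
  const escaped = String(targetUrl).replace(/[&<>"']/g,
    (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
  return [
    '<!doctype html>',
    '<html><head><title>Clickjacking test</title></head><body>',
    `<p>If the page below renders, ${escaped} can be framed.</p>`,
    `<iframe src="${escaped}" width="800" height="600" style="opacity:1"></iframe>`,
    '</body></html>',
  ].join('\n');
}

// Constructed sample responses (not real captures) covering the cases above.
const samples = {
  legacyAllowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  sameOrigin: { 'x-frame-options': 'sameorigin' },
  cspWins: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "default-src 'self'; frame-ancestors *" },
  hardened: antiFramingHeaders(),
};

for (const [name, headers] of Object.entries(samples)) {
  console.log(name.padEnd(16), JSON.stringify(frameProtection(headers)));
}
console.log(buildTestPage('https://target.example/settings'));
```

The cspWins sample is the case that trips people up: X-Frame-Options says DENY, but a frame-ancestors directive that allows everyone is present, and browsers that understand CSP enforce the CSP directive and ignore X-Frame-Options, so the page is frameable. Run the script with node, then save the generated test page on a different origin from your own site and open it; if your page appears in the frame, the header is missing, malformed or not reaching the browser.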
How NinjaOne can help minimize clickjacking risk
NinjaOne Protect is an all-in-one ransomware protection, response, and recovery software. It goes beyond traditional antivirus and provides a holistic and comprehensive tool to defend your managed environments and improve your response speed and resiliency.
If you’re ready, request a free quote, sign up for a 14-day free trial, or watch a demo.