Introduction
Organizations spend a lot of time and money training their employees how to recognize and react to cyber threats when they spot one in their system. Security awareness training has become more important than ever as many people started working from home and cybercriminals honed their craft. While you’ve been preparing phishing tests to send out, though, this doesn’t prepare employees for the unfortunate circumstance where someone successfully tricks them into giving out private information without them even noticing.
It can happen in a few ways, one of which is called clickjacking. By changing the interface of a website without any visible sign, users will input their own private credentials without knowing it’s going directly into a cybercriminal’s hands.
What is Clickjacking?
Say you’re logging into your work accounts like you do every morning, and decide to check your email first. You enter your email address and password into what appears to be the regular welcome screen and text boxes. Little do you know that a cybercriminal is secretly capturing all that information to peruse remotely. Later, when you’re not in the office, they can log back in using the credentials that you unknowingly handed over and read all of your company correspondence. They can even log into other accounts if you use the same password as the one that was compromised.
With clickjacking, a hidden website or login box is rendered on top of where the legitimate content typically goes. Frequent visitors of the site therefore see nothing wrong when they go to enter their information. Then hackers can:
- Steal login info
- Turn on your webcam or microphone remotely to eavesdrop
- Spread worms or malware to your friend’s list
- Promote scams and send phishing messages using your legitimate profile
The goal might be to steal, damage property and/or to spread cyber threats as far as they can go. Once they breach your account, they can send phishing messages or steal whatever information they can find.
Types of Clickjacking You May Encounter
Even with all the security defenses we have available today, nearly 30% are still vulnerable to clickjacking attacks. That’s a significant risk to the average business.
The following are all types of clickjacking that you may encounter as a threat to your cybersecurity:
- Cookiejacking – Capturing your cookies so as to expose saved credentials
- Nested clickjacking – Also known as UI redressing, this injects malicious frames between two otherwise harmless frames on the page to avoid browser detection
- Likejacking – Specific to Facebook, this refers to layering invisible pages over seemingly-normal Facebook pages that “Like” the page and spread spam, no matter where you click
- Cursorjacking – A false mouse is displayed on the web page to convince the user nothing is wrong, while their real mouse is positioned to click on invisible, malicious content
All of the above forms of clickjacking are dangerous to your own and customers’ information. Employ adequate site and browser protection to prevent these trusted webpages from becoming compromised.
Conclusion
Because this type of threat is designed to be hard to detect, users will have a hard time avoiding clickjacking attacks all by themselves. Web developers need to be careful when designing a secure website that will guarantee the continued safety of its user base, even against invisible threats.
Understanding the risks to your assets is the first step to defending against cyber criminal activity. Content Security Policies, Javascript protocol and X-frame options are all ways for developers to better protect their websites, along with others. Keep up-to-date with evolving cybersecurity regulations and trends to ensure that you’re protecting your user base to the absolute best of your ability.
References
- https://www.sophos.com/en-us/security-news-trends/security-trends/what-is-likejacking
- https://www.pcworld.com/article/491899
- https://dev.to/hamiecod/clickjacking-explained-4fd3
- https://resources.infosecinstitute.com/topic/bypassing-same-origin-policy-part-3-clickjacking-cursorjacking-filejacking/
- https://www.upguard.com/blog/what-is-clickjacking#toc-2
- https://www.itworldcanada.com/article/many-canadian-u-s-smb-websites-vulnerable-to-spoofing-clickjacking-and-sniffing-says-vendor/470672
