A malicious form of website manipulation, clickjacking fools a user into clicking on a disguised or invisible element. The link may look attractive or harmless, but it can download malware or take the user to a fraudulent site where they may divulge sensitive data. These links can also result in fraudulent money transfers or send the user to bogus e-commerce sites.

Clickjackers usually hide an invisible page or HTML element inside an inline frame (iframe) overlaid on the visible page. A user tries to click on the item he sees, but he actually clicks on the invisible iframe on top of it. The disguised element could be either malicious or legitimate. On a banking site, it could trick the user into transferring money. For example:

  1. A hacker advertises a free iPad while he’s monitoring the victim’s web activity.
  2. If the mark has logged into his bank’s website, the hacker loads the fund transfer screen in an invisible iframe on top of the phony free iPad page.
  3. The hacker uses query parameters to direct the bank transfer to his own account.
  4. When the user tries to click on the “Accept Your Free iPad” icon, he’s actually clicking on the invisible “Confirm Transfer” button.
  5. Though the click redirects the user to another page about his new iPad, in reality, he also just transferred money to the hacker.

Other clickjacking techniques include:

  • Cursorjacking. Through user interface redressing, cursorjacking alters the position of the cursor. The user thinks he’s clicking on one thing, but the cursor is actually in a different spot. There were vulnerabilities in Flash and Firefox that made this process easy, but those have been corrected.
  • Likejacking. Hackers manipulated the like button on Facebook to trick users into liking something they did not intend to like.

Clickjacking Defense

While clickjacking has become a standard method for hacking, there are two reliable methods of defense:

  • Client-side. Client-side methods mostly use frame busting to protect against clickjacking. This defense is easily bypassed, only marginally effective, and not recommended.
  • Server-side. Usually employing X-Frame-Options, security experts recommend server-side methods as the best defense against clickjacking.
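
As an added example (not part of the original article), the following JavaScript audits a response's headers for the server-side defense described above. It goes beyond the article by also reading the Content-Security-Policy frame-ancestors directive, which supersedes X-Frame-Options; the function names and the sample hostnames are assumptions made for illustration.

```javascript
// Audit response headers for anti-framing protection (added example).
// Header names are expected in lower case; all sample data below is constructed.

// Return the source list of the CSP frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  for (const directive of String(csp || "").split(";")) {
    const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
    if (name === "frame-ancestors") return sources;
  }
  return null;
}

// Classify a response: "deny", "sameorigin", "allowlist", "conflicting" or "unprotected".
function framingPolicy(headers) {
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    // Where both are sent, frame-ancestors takes precedence over X-Frame-Options.
    const open = (s) => s === "*" || /^[a-z][a-z0-9+.-]*:$/.test(s);
    if (sources.some(open)) return "unprotected"; // "*" or a bare scheme such as https:
    if (sources.length === 0 || sources.join() === "'none'") return "deny";
    if (sources.join() === "'self'") return "sameorigin";
    return "allowlist";
  }
  const raw = String(headers["x-frame-options"] || "");
  const values = new Set(raw.split(",").map((v) => v.trim().toUpperCase()).filter(Boolean));
  if (values.size > 1) return "conflicting"; // misconfiguration: report it, do not guess
  if (values.has("DENY")) return "deny";
  if (values.has("SAMEORIGIN")) return "sameorigin";
  // ALLOW-FROM is obsolete and unrecognised values are ignored, so framing is allowed.
  return "unprotected";
}

// Headers a server can attach to every HTML response that must never be framed.
function denyFramingHeaders() {
  return { "x-frame-options": "DENY", "content-security-policy": "frame-ancestors 'none'" };
}

// Constructed sample responses (not real sites).
const samples = {
  "no headers": {},
  "obsolete ALLOW-FROM": { "x-frame-options": "ALLOW-FROM https://partner.example" },
  "XFO sameorigin": { "x-frame-options": "SAMEORIGIN" },
  "CSP wins over XFO": { "x-frame-options": "DENY", "content-security-policy": "default-src 'self'; frame-ancestors https://partner.example" },
  "hardened": denyFramingHeaders(),
};
for (const [label, headers] of Object.entries(samples)) {
  console.log(label.padEnd(20), framingPolicy(headers));
}
```

Pages that handle state-changing actions, such as the fund transfer screen in the scenario above, are the ones where a result of "unprotected" or "conflicting" matters most.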