Cyber attackers are continuously refining their methods to evade detection. One such method cloaks a seemingly innocuous webpage with an invisible layer containing malicious links. This attack, known as clickjacking, can trick you into activating your webcam or transferring money from your bank account.
Clickjacking (or click hijacking) is a type of cyber attack where an unseen malicious link is placed over a website’s user interface. Because clickjacking occurs on an invisible iframe layer loaded on top of a legitimate page, visitors usually cannot identify when a clickjacking attack is taking place.
There are two victims in a clickjacking attack – the host website and the visitor. The host website is used as a platform to facilitate the clickjacking attack, and the visitor becomes a victim to the specific intention of the attack.
Some common types of clickjacking attacks include:
- Login credential theft
- Webcam or microphone activation
- Initiating malware downloads
- Authorization of money transfers
- Unsolicited product purchases
- Revealing your location
Clickjacking intentions are not limited to this list. Because user interfaces can be cloaked with any type of link (UI redressing), the destructive options are limitless.
Clickjacking Example
Clickjacking lets an attacker insert an invisible user interface layer between your fingertip and what you see on your device’s screen. You may think you’re viewing the bank’s display after entering your ID and password, but what you actually see is a replica of that screen laid on top of the bank’s real page. When you enter your private information, the data doesn’t go to the bank for verification; it goes instead to servers the cybercriminals maintain to harvest account access information.
How to Defend Against Clickjacking
One of the most common ways clickjacking software gets on devices is through targeted emails. Watch out for emails that arrive in your inbox claiming to address an urgent matter requiring your attention. These emails require you to click a link, and that link could take you to a website that looks identical to your banking or other official website to fool you into downloading the latest version of the institution’s app or filling out profile information.
If the goal of the clickjacking is to get you to download an app, that app is probably malware that captures and steals your credentials. In other cases, the website itself is the source of the malware that sneaks onto your device. However it arrives, the malware presents false input layers for you to fill out. It’s also important to avoid clicking on Google or Facebook ads that offer something too good to be true, or that promote news or stories that seem out of the ordinary; in some cases, clicking on them takes you to a website that downloads clickjacking software onto your computer. Instead, look for the news on an alternative channel, such as a reputable, long-standing newspaper. If the news is real, it won’t be hard to find on legitimate outlets.
Here’s how to prevent a clickjacking attack:
- Watch for emails claiming to address an urgent matter
- Do not click any suspicious links
- Do not download any suspicious apps
- Avoid clicking on too-good-to-be-true Google or Facebook ads
- Always download apps from authorized app libraries
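The list above is advice for users. As an added example that is not part of the original article, the following Node.js code shows the control a site operator applies on the server side: response headers that make browsers refuse to load the page inside a frame on another origin, plus a checker that audits a response's headers for that protection. The `res` object, the helper names and the constructed demo page are assumptions, not anything from the article.

```javascript
// Added example, not the article's code; assumes Node.js and an http.ServerResponse-like `res`.
// Tell browsers to refuse rendering this page inside a frame on another
// origin. frame-ancestors is the modern control and takes precedence;
// X-Frame-Options is kept for older browsers that ignore CSP.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Attach the headers to a response before the HTML body is sent.
function sendProtected(res, html) {
  for (const [name, value] of Object.entries(antiFramingHeaders())) {
    res.setHeader(name, value);
  }
  res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
  res.end(html);
}

// Case-insensitive header lookup; returns null when absent.
function getHeader(headers, wanted) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? null : String(headers[key]);
}

// Could a page on a foreign origin load this response in an iframe?
function auditFraming(headers) {
  const csp = getHeader(headers, 'content-security-policy') || '';
  const fa = csp.split(';').map((d) => d.trim()).find((d) => /^frame-ancestors\b/i.test(d));
  if (fa) { // when frame-ancestors is present, browsers ignore X-Frame-Options
    const sources = fa.split(/\s+/).slice(1).map((s) => s.toLowerCase());
    const open = sources.some((s) => s === '*' || s === 'http:' || s === 'https:');
    return { frameable: open, reason: `frame-ancestors ${sources.join(' ')}` };
  }
  const xfo = (getHeader(headers, 'x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { frameable: false, reason: `X-Frame-Options ${xfo}` };
  }
  // ALLOW-FROM is obsolete and ignored by current browsers, so it protects nothing.
  return { frameable: true, reason: xfo ? `ignored X-Frame-Options ${xfo}` : 'no anti-framing header' };
}

// Constructed stand-in for http.ServerResponse so the whole flow runs offline.
function demo() {
  const res = { headers: {}, setHeader(n, v) { this.headers[n] = v; },
    writeHead(s, h) { this.status = s; Object.assign(this.headers, h); }, end(b) { this.body = b; } };
  sendProtected(res, '<h1>Transfer funds</h1>');
  return auditFraming(res.headers); // { frameable: false, reason: "frame-ancestors 'none'" }
}
```

Run `auditFraming` over the headers of any page that renders sensitive buttons; a `frameable: true` result means the overlay described above is possible and the headers should be added.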