What Is Clickjacking? How Does It Work?

Clickjacking is a serious threat to web security that can compromise user privacy, data integrity, and system functionality. The term “clickjacking” was coined by security researchers Robert Hansen and Jeremiah Grossman in 2008, but the technique has been known since at least 2002. 

Clickjacking is also known as UI redress attack or UI redressing, because it involves manipulating the user interface (UI) of a web page to trick users into performing actions they did not intend to.

Clickjacking can have serious consequences for both users and web applications. For example, it can be used to:

– Steal user credentials or sensitive information

– Download malware or unwanted software

– Transfer money or purchase products online

– Like or share content on social media platforms

– Change user settings or preferences

– Grant access to device features such as camera or microphone

Protect your organization from browser-based attacks. Get advanced browser security, here.

In this article, we will explore how clickjacking works, what types of attacks are possible, some real-world examples of clickjacking incidents, and how to prevent or mitigate clickjacking attacks.

This is part of a series of articles about Cybersecurity.

How Does Clickjacking Work?

Clickjacking is an attack that tricks a user into clicking on a webpage element which is invisible or disguised as another element. This can cause users to unwittingly perform actions on another web page or application, most likely owned by another domain or attacker.

Clickjacking exploits the fact that web browsers allow web pages to be embedded inside other web pages using HTML elements such as <iframe>, <frame>, <object>, <embed>, etc. These elements can display content from different sources within the same browser window. 

However, if an attacker can control the content of one of these elements (e.g., by hosting it on their own server), they can overlay it on top of another web page (e.g., by using CSS properties such as position, opacity, z-index, etc.), making it invisible or partially visible to the user.

The attacker can then align the clickable elements of their embedded page (e.g., buttons, links, forms, etc.) with the visible elements of the underlying page (e.g., images, text boxes, headlines, etc.), creating a false impression for the user.

When the user interacts with the visible elements of the underlying page (e.g., by clicking on them), they are actually interacting with the invisible elements of the embedded page. Thus, the attacker hijacks their clicks and redirects them to perform actions on their behalf.

Types of Clickjacking 

There are many variations of clickjacking attacks that target different aspects of user interaction and web functionality. Here are some common types:

Likejacking: This type of attack manipulates the Facebook “Like” button to make users like pages or posts they did not intend to like. For example, an attacker could create a fake video player with an invisible “Like” button over the play button. When users try to play the video, they actually like the attacker’s page or post.

Cursorjacking: This type of attack makes the cursor appear to the user at a position other than where it really is. For example, an attacker could use Flash or JavaScript to move the cursor image away from its actual location and make it appear somewhere else on the screen. When users try to click on something with their mouse pointer (which is actually not where they think it is), they end up clicking on something else controlled by the attacker.

Download hijacking: This type of attack tricks users into downloading malicious files by disguising them as legitimate ones. For example, an attacker could create a fake download link with an invisible iframe that loads another website with a real download link over it. When users try to download something from the fake link (which looks like it belongs to a trusted source), they actually download something from the other website (which could be malware).

Form hijacking: This type of attack steals user input data by overlaying an invisible form over another visible form. For example, an attacker could create a fake login form with an invisible iframe that loads another website’s login form over it. When users try to log in using the fake form (which looks like it belongs to their intended website), they actually send their credentials to the other website (which could be phishing).


A Real-World Case Study

In December 2022, a clickjacking scam was discovered by researchers. It was an advertising fraud scheme that utilized Google Ads and “pop-unders” on adult websites that generated millions of ad impressions on stolen content. The campaign was reported by Malwarebytes and the scam raked in an estimated $275,000 per month for the perpetrators.

How did it work?

  • The scammer created fake blogs and news portals with scraped content from other websites and used them as pop-under advertisements.
  • Instead of displaying the content of the fake page, they overlaid an iframe promoting an adult site.
  • To collect revenue from these pop-unders, the perpetrators used a Google Ad scheme.
  • A click anywhere on the iframe page triggers a real click on a Google Ad embedded in the fake news page.

How to Prevent Clickjacking Scams with Perception Point

To prevent clickjacking attacks, there are several methods that can be applied on the server side, the application (frontend) side, and the browser side.

On the server side, one of the most effective methods is to send a proper Content Security Policy (CSP) response header with the frame-ancestors directive, which instructs the browser not to allow framing of the page from other domains.

For graceful degradation in older browsers that do not understand frame-ancestors, the X-Frame-Options HTTP header can be sent alongside it. Another server-side method is to set authentication cookies with the SameSite=Strict (or Lax) attribute, unless they explicitly need None (which is rare); a cookie that is not sent with a cross-site framed request leaves a hijacked click unauthenticated.
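The following is an added example (it is not code from the original article or from Perception Point): a small Node.js helper that builds the server-side anti-clickjacking headers described above and audits an arbitrary set of response headers for the same protections, the kind of check one would run in CI or from a scanner. The function names buildFramingHeaders and auditFramingHeaders, and the session cookie value, are this example's own assumptions.

```javascript
// Added example, not from the original article. Builds the recommended
// anti-clickjacking response headers and audits a header set for them.

// Build headers for a page that may only be framed by `allowedOrigins`
// (an empty list means "never framed by anyone", i.e. frame-ancestors 'none').
function buildFramingHeaders(allowedOrigins = []) {
  const ancestors = allowedOrigins.length ? allowedOrigins.join(' ') : "'none'";
  return {
    // Modern browsers: CSP frame-ancestors is the authoritative control.
    'Content-Security-Policy': `frame-ancestors ${ancestors}`,
    // Legacy fallback: X-Frame-Options cannot express an allow-list of several
    // origins, so it degrades to DENY unless only the same origin is allowed.
    'X-Frame-Options':
      allowedOrigins.length === 1 && allowedOrigins[0] === "'self'" ? 'SAMEORIGIN' : 'DENY',
    // Session cookie (constructed placeholder value): SameSite=Strict means the
    // cookie is not attached to a cross-site framed request, so a hijacked click
    // arrives unauthenticated even if framing somehow succeeds.
    'Set-Cookie': 'session=<constructed-session-id>; Secure; HttpOnly; SameSite=Strict',
  };
}

// Audit response headers (names matched case-insensitively; Set-Cookie may be a
// string or an array). Returns which protections are present so a test can assert.
function auditFramingHeaders(headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
    return key === undefined ? undefined : headers[key];
  };

  // CSP: locate the frame-ancestors directive and its source list.
  const csp = get('content-security-policy') || '';
  const directive = csp
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
  const frameAncestors = directive ? directive.split(/\s+/).slice(1) : null;
  // '*' or a bare scheme such as 'https:' would still let any origin frame the page.
  const cspBlocksCrossOrigin =
    frameAncestors !== null &&
    frameAncestors.length > 0 &&
    !frameAncestors.some((src) => src === '*' || /^[a-z][a-z0-9+.-]*:$/i.test(src));

  // Legacy header: only DENY and SAMEORIGIN are honoured by current browsers.
  const xfo = (get('x-frame-options') || '').trim().toUpperCase();

  // Cookies: every Set-Cookie should carry SameSite=Strict or SameSite=Lax.
  const cookies = [].concat(get('set-cookie') || []);
  const cookiesSameSite =
    cookies.length > 0 && cookies.every((c) => /;\s*samesite=(strict|lax)\b/i.test(c));

  return {
    cspFrameAncestors: frameAncestors, // null when the directive is absent
    cspBlocksCrossOrigin,
    xFrameOptions: xfo || null,
    legacyBlocksFraming: xfo === 'DENY' || xfo === 'SAMEORIGIN',
    cookiesSameSite,
  };
}

// Stand-alone usage: compare a hardened header set with a weak one.
console.log(auditFramingHeaders(buildFramingHeaders()));
console.log(auditFramingHeaders({ 'Content-Type': 'text/html', 'Set-Cookie': 'session=abc; Path=/' }));
```

The audit deliberately treats a CSP whose frame-ancestors list contains `*` or a bare scheme as unprotected, since either still allows any site to frame the page; a scanner that only checks for the presence of the directive would miss that misconfiguration.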

On the application frontend side, developers can employ defensive code in the UI to ensure that the current frame is the top-level window. This can be done with JavaScript that checks whether window.top === window.self and redirects or alerts the user if not.
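The following is an added example (not code from the original article or from Perception Point) of that client-side check, written so that its decision can be exercised outside a browser. It follows the widely used pattern in which the page starts hidden by a style element and is only revealed when it is the top-level window; hiding by default matters because a framing page can use the iframe sandbox attribute to stop the redirect from running, and the page should then stay blank rather than become clickable. The function frameGuard, the element id antiClickjack, and the mock window and document objects are this example's own assumptions.

```javascript
// Added example, not from the original article. Client-side frame check that
// reveals the page only when it is the top-level window, and otherwise tries to
// navigate the top window to the page's own URL (a "frame-busting" redirect).
// Expects the page's <head> to contain:
//   <style id="antiClickjack">body { display: none !important; }</style>

function frameGuard(win, doc) {
  if (win.top === win.self) {
    // Not framed: remove the hide-everything style so the page renders normally.
    const style = doc.getElementById('antiClickjack');
    if (style && style.parentNode) style.parentNode.removeChild(style);
    return 'shown';
  }
  // Framed: try to break out. In a sandboxed iframe without top-navigation
  // permission this assignment is refused; the body then simply stays hidden.
  try {
    win.top.location = win.self.location;
    return 'busted';
  } catch (e) {
    return 'hidden';
  }
}

// Minimal stand-ins for window and document (constructed here so the guard can
// run under Node.js for testing; a real page passes window and document).
function makeMockDocument() {
  const doc = { styleRemoved: false, getElementById: null };
  const style = { parentNode: { removeChild: () => { doc.styleRemoved = true; } } };
  doc.getElementById = (id) => (id === 'antiClickjack' ? style : null);
  return doc;
}

function makeMockWindow({ framed = false, sandboxed = false } = {}) {
  const self = { location: 'https://app.example/settings' };
  let top = self;
  if (framed) {
    top = {};
    if (sandboxed) {
      // Emulate a sandboxed frame: writing top.location is refused.
      Object.defineProperty(top, 'location', {
        get: () => 'https://other-site.example/overlay',
        set: () => { throw new Error('SecurityError'); },
      });
    } else {
      top.location = 'https://other-site.example/overlay';
    }
  }
  return { self, top };
}

// In a browser, run the guard against the real window; under Node.js this is skipped.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  frameGuard(window, document);
}
```

Place the style element and this script as early in the document as possible, before any clickable content renders. This check is a second layer only: a page that relies on it alone can still be framed by a sandboxed iframe, so the CSP frame-ancestors and X-Frame-Options headers described above remain the primary defense.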

At the browser side, one of the best methods is to use browser add-ons that can detect and prevent clickjacking attempts – ensuring users don’t click on invisible or “redressed” web page elements.

Perception Point Advanced Browser Security adds enterprise-grade security to standard browsers like Chrome, Edge, and Safari. The solution fuses advanced threat detection with browser-level governance and DLP controls providing organizations of all sizes with unprecedented ability to detect, prevent and remediate web threats including sophisticated phishing attacks, ransomware, exploits, Zero-Days, and more.

By transforming the organizational browser into a protected work environment, the access to sensitive corporate infrastructure and SaaS applications is secure from data loss and insider threats. The solution is seamlessly deployed on the endpoints via a browser extension and is managed centrally from a cloud-based console. There is no need to tunnel/proxy traffic through Perception Point.

An all-included managed Incident Response service is available for all customers 24/7. Perception Point’s team of cybersecurity experts will manage incidents, provide analysis and reporting, and optimize detection on-the-fly. The service drastically minimizes the need for internal IT or SOC team resources, reducing the time required to react and mitigate web-borne attacks by up to 75%.

Customers deploying the solution will experience fewer breaches, while providing their users with a better experience as they have the freedom to browse the web, use SaaS applications that they require, and access privileged corporate data, confidently, securely, and without added latency. 

Contact us for a demo of the Advanced Browser Security solution.
