ClickJacking, also known as UI redressing, is an interface-based attack where a user is tricked into clicking on different parts of a website or application that contains malicious content.
ClickJacking is a prevalent type of attack hackers use to get information from users. It could be seen on social media websites such as Facebook or Instagram, where someone shares a link to something that interests you, such as a funny video or a recipe. It could also be through LinkedIn, where someone sends a link to sign up for an online class, and because of this, the attacker can steal all the user’s personal information.
Since the pandemic, many people have become very comfortable with technology, making it easier for people to be careful on websites with high traffic, such as social media, YouTube, and Wikipedia. However, this can also occur in emails or text messages on different platforms on your phone and IoT devices. It only takes one or two clicks for attackers to strike and take hold of a machine.
How? You might ask. Good question.
Attackers who use such attacks try to cover the decoy or fake website with the natural-looking website on top. By doing so, someone simply looking at the website will not be able to. In this fake website, the attacker can mask buttons and other UI features on the website to what “should” be there. Making the website seem like the website that you are supposed to be on makes it very easy for the attackers to gain the user’s trust and gather information from them.
Some of the standard methods of gathering user information are through:
- login credentials
- accessing the webcam and microphone on your device
- tracking your location
These are the most common methods that hopefully many people are aware of and, if not, should be. However, there are always new ways for attackers to gain unauthorized access to devices. One example of this is pre-filled forms. Pre-filled forms are a convenient technique for many people who can safely use this tool. It helps save time without having to re-type the same information repeatedly. Unfortunately, attackers can exploit this tool by asking the user to enter data in a form before being able to click the hidden submit button.
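In its usual form, the overlay described above depends on the genuine page agreeing to be displayed inside another site's frame, and a site can refuse that with the `X-Frame-Options` or `Content-Security-Policy: frame-ancestors` response headers. The Python below is an added example, not part of the original article; the function names and sample headers are constructed for illustration, and it assumes the page being checked should never be framed by an unrelated site.

```python
# Added example: classify HTTP response headers by whether they stop the page
# from being framed by another site. All sample header sets are constructed.
WEAK_SOURCES = {"*", "http:", "https:"}  # sources that let any site frame the page

def frame_ancestors(csp_value):
    """Yield the source list of each frame-ancestors directive in a CSP header value."""
    for policy in csp_value.split(","):            # one header may carry several policies
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                yield [t.lower() for t in tokens[1:]]
                break                               # later duplicates in a policy are ignored

def framing_protection(headers):
    """Return (protected, reason) for a dict of HTTP response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    lists = list(frame_ancestors(h.get("content-security-policy", "")))
    if lists:
        # When an enforced frame-ancestors is present, browsers ignore X-Frame-Options.
        strict = [s for s in lists if not WEAK_SOURCES & set(s)]
        if strict:
            return True, "CSP frame-ancestors " + " ".join(strict[0])
        return False, "CSP frame-ancestors allows any site"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo:
        # ALLOW-FROM is obsolete and typos are invalid; neither restricts framing.
        return False, "X-Frame-Options value not honoured: " + xfo
    return False, "no framing restriction sent"

SAMPLES = {  # constructed header sets
    "deny": {"X-Frame-Options": "DENY"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *",
                     "X-Frame-Options": "DENY"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "nothing": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        ok, why = framing_protection(hdrs)
        print(f"{name:13} {'protected' if ok else 'FRAMEABLE':9} {why}")
```

The `csp-wildcard` and `report-only` samples are the two cases that look protected at a glance but are not: a permissive `frame-ancestors` overrides `X-Frame-Options: DENY`, and a report-only policy is never enforced.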
What can I do to protect myself?
Now the best way to protect yourself against such attacks is relatively simple. The first would be to make sure to NEVER click on links that you are not sure of or that are sent to you suddenly. For instance, if a friend you talked with two days ago sends you a random link without having mentioned it, then don’t click on it. Make sure to separately talk to or message them to confirm that it was really from them. Secondly, make sure at the bottom of the page to keep your devices and specifically your default browser updated so that software built to protect users is there to protect you and you can browse safely.
Overall, clickjacking is a direct way for many attackers to gather personal information about the user; however, it is also easily preventable if people take the time to make sure they are clicking on reliable links.