Oct 17
8:18 pm (UTC-7)   |   by Jovi Umawing (Technical Communications)

Perhaps everybody concerned about online security has heard of clickjacking. This cyber-buzzword was disclosed in the last week of September, and it remains a hot topic. Experts have been forceful about how scary this new form of cyber-jacking is, yet many of us are perhaps still lost, if not confused or complacent, as to what it can really do, why one should be aware of clickjacking, and what we can do to protect ourselves.

Clickjacking, simply put, is stealing mouse clicks from users. In this type of attack, the malicious user takes control of the links that a user may click while on a malicious domain.

For example, a hacker sets up a site we will call Site A. Site A is actually a cover for certain parts of Site B (a legitimate site the user is a member of). Site A is set up so that a user clicking any button on Site A is actually clicking, say, the “Delete All Files” button on Site B. The user does not know this.

In a more critical example, one that suggests how these attacks can remain persistent once initiated, the Flash Security Settings Manager can also be modified to turn off security settings in Flash. (And these are just two of dozens of variations.)

Regarding clickjacking, there are three significant points to consider:

  • Clickjacking techniques are used with little or no leniency, since clickjacks can take control of how users navigate within a page by, say, making all the links on a Web page bogus. Users can click on any link they feel lured to, but the clickjacks still end up directing them where the hackers want them to go.
  • Clickjacks can use any form of link (an image link in the form of a button, or a text link) to get users to click. The sad part is that no user would even know they are already on a hijacked page. Only web security/reputation services would be able to block the bad pages.
  • Lastly, and perhaps most diabolical, clickjacking techniques make the exploit adaptable to certain situations.
    For example, if the user’s browser has been set to block JavaScript execution, other methods, such as iFrames, take its place to harvest the user’s click actions.

Security Researcher and WhiteHat CTO Jeremiah Grossman, one of the discoverers of this exploit, stated that:

    “Everyone including browser vendors, Adobe (plus other plug-in vendors), website owners (framebusting code) and web users (NoScript) all need their own solutions to assist in case the other don’t do enough or anything at all.”

Robert “Rsnake” Hansen, the co-revealer of clickjacking, also recommends setting the browser’s configuration to “Plugins|Forbid IFRAME” and installing the NoScript widget as a good defense combination against clickjacking attacks. NoScript, a Firefox add-on, introduces a feature called ClearClick: whenever the user clicks or otherwise interacts, through the mouse or keyboard, with a hidden element, NoScript prevents the interaction from completing and reveals the real destination in “clear.” At that point the user can evaluate whether the click target was actually the intended one, and decide to keep it locked or unlock it for free interaction.
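
Grossman’s quote lists framebusting code as the website owner’s share of the defense. The sketch below is an added example, not code from the original post or from anyone quoted in it: it keeps the page hidden until a script confirms the page is not framed, so a frame in which scripts never run shows nothing to click. The class name `cj-hide`, the function names and the `fakeWindow` test double are assumptions made for this example.

```javascript
// Added example. Assumes the page is served with <html class="cj-hide"> and the
// CSS rule `.cj-hide body { display: none }`; "cj-hide" is a hypothetical name.

// True only when `win` is the top-level browsing context (not inside a frame).
function isTopLevel(win) {
  return win.self === win.top;
}

// Reveal the page when top-level; otherwise keep it hidden and try to break out.
function guardAgainstFraming(win) {
  if (isTopLevel(win)) {
    win.document.documentElement.classList.remove("cj-hide");
    return "revealed";
  }
  try {
    // Replace the framing page with this one.
    win.top.location = win.self.location.href;
    return "busted";
  } catch (e) {
    // Navigation was blocked; content stays hidden, so nothing is clickable.
    return "hidden";
  }
}

// Constructed stand-in for a browser window so the logic can be run under Node.
function fakeWindow(framed, navBlocked) {
  const classes = new Set(["cj-hide"]);
  const classList = { remove: (c) => classes.delete(c), contains: (c) => classes.has(c) };
  const win = { document: { documentElement: { classList } },
                location: { href: "https://site-b.example/files" } };
  win.self = win;
  win.top = framed ? {} : win;
  if (framed) {
    Object.defineProperty(win.top, "location", {
      set(url) { if (navBlocked) throw new Error("navigation blocked"); this.navigatedTo = url; },
    });
  }
  return win;
}

// In a real page this runs once, as early as possible in <head>.
if (typeof window !== "undefined") guardAgainstFraming(window);
```
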

IMPORTANT: Adobe issued a workaround for this critical security issue. The solution can be found on Adobe’s Security Advisories page.

© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice