They can’t be seen, they can’t be reasoned with, and they want to jack your clicks. Clickjackers have been around since about 2008 but they are getting a lot more press lately thanks to a new wave of clickjacking attacks perpetrated against Facebook users.
What is Clickjacking?
It may sound like the latest underground dance craze, but it’s far from it. Clickjacking happens when a scam artist or other internet-based bad guy puts the real thing you are about to click (a button or link on a legitimate site, usually loaded inside a frame) invisibly on top of a seemingly innocent web page, using a transparency layer you can’t see. You think you are clicking the innocent page; the browser hands your click to the hidden element instead.
The decoy page might have a button which reads: "Click here to see a video of a fluffy kitty being cute and adorable", but sitting invisibly on top of that button is a real button from another site, one you would never knowingly click on, such as a button that:
- Tricks you into changing privacy settings on your Facebook account
- Tricks you into "liking" something you wouldn’t normally like (a.k.a Likejacking)
- Tricks you into adding yourself as a Twitter follower for someone who doesn’t deserve you
- Tricks you into enabling something on your computer (such as a microphone or camera)
- Tricks you into running into a crowded theater and shouting "Shih Tzu" at the top of your lungs.
Most often the clickjacker loads the legitimate website in a frame, makes the frame fully transparent, and positions it over the decoy page so that the real site’s button sits exactly under the fake one. Your click lands on the real site, which treats it as genuine because you are already logged in there.
How can you prevent your clicks from being clickjacked?
1. Update your Internet browser and plug-ins such as Flash
If you haven’t updated your browser to the latest version available, you are missing out on an upgrade that might prevent you from getting clickjacked (newer versions of Firefox, IE, Chrome and other browsers honor the X-Frame-Options header that sites can send to refuse being loaded in a frame), and you are also missing the other security fixes that come with those releases.
You should also update browser plug-ins such as Flash. The original 2008 clickjacking demonstration used the Flash settings manager to trick victims into turning on their webcam and microphone; Adobe fixed that in Flash Player 10, but older versions are still exposed to it.
2. Download Clickjacking Detection / Prevention Software
While some Internet browsers offer limited built-in protection, there are several robust detection/prevention plug-ins that are available for browsers such as Firefox. Several of them are even free. Here are a couple of the more widely known and respected ones:
- NoScript – A free (donation-ware) Firefox plug-in whose ClearClick feature warns you when a click is about to land on a hidden or partially obscured element.
- Comitari Web Protection Suite-Home LE (Limited Edition) – A feature-limited free version of the Comitari Web Protection Suite. The LE version includes clickjacking protection features.
Clickjacking prevention is not only the responsibility of the user. Websites and web application developers also have a role in preventing their content from being exploited by clickjackers. The standard defense is for a site to refuse to be framed by other sites, by sending the X-Frame-Options header and by including frame-busting JavaScript as a fallback for browsers that ignore the header. The Code Secure Blog has some excellent suggestions on how to write code to assist in the detection and prevention of clickjacking.