The Art of the Clickjack Attack
Written by Jeff on May 20, 2011
Any time an attack method is used via Facebook you can be assured that it will be big news, so when the social network was found to be a tool used in clickjacking attacks, it quickly became a topic that everyone was talking about.
On the surface, clickjacking, also known as a UI redress attack, is a relatively simple attack: the attacker gets the victim to visit a web page whose code has been crafted to do something harmful. Of course, attacks are never quite that simple.
The complexity of a clickjacking attack comes from disguising the malicious intent, and that is essentially where the name is derived from. The victim is tricked into clicking what they think is a harmless link, the play button on a video, a Facebook “Like” button, a Twitter follow button, etc. In actuality, the web page has another web page layered over the dummy page as a transparent frame. When the victim thinks they are clicking on the valid button or link, they are actually performing the action that the transparent page directs their browser to perform. Essentially, this attack hijacks your browser and/or computer as a result of the click, hence clickjacking.
What Can Clickjacking Make Me Do?
The simple and honest answer to this question is: whatever the attacker programs it to do. But here are a few examples that show exactly what can happen if you fall victim to a clickjacking attack:
- The Facebook attack
The most recent attacks involving Facebook trick the victim into trying to watch a video. When they attempt this, the code adds “Likes” to the victim’s Facebook newsfeed in the hope that the spam spreads to the victim’s friends as well; any friend who also clicks on the link winds up spamming everyone on their own friends list. This helps to perpetuate the attack.
Oftentimes this attack is paired with having the victims fill out surveys or sending them to other sites that generate money for the attacker. The more spam they are able to send out via clickjack attacks, the more money they will potentially make.
- The Flash attack
No, these aren’t quick attacks; this one targeted a vulnerability in Adobe Flash and is one of the most notorious examples of clickjacking there has been. The attack was launched against the Adobe Flash plugin settings page, loading it into an invisible iframe so that the attacker could trick a user into altering the security settings of Flash, giving permission for any Flash animation to use the computer’s microphone and camera. In plain English, the attacker could sit back and watch and listen to what you were doing in front of your computer’s camera and microphone. They didn’t even have to work for the Philadelphia school system to do this.
- Tricking the user to take action
While these are more proof-of-concept attacks, they clearly show what else can be achieved by a successful clickjacking attack.
The attacker spams as many email addresses as they can with a link to a video. The victim visits the page with the video, but another valid page, for example a product page on amazon.com, is hidden on top of or underneath the “PLAY” button of the video. When the user presses the play button for the video, he or she actually “buys” the product from Amazon.
Of course, there needs to be a stored cookie for Amazon or a recent login for this to work, but if enough spam is sent out by the attacker, odds are they will see some reward from this.
Thwarting Clickjacking Attacks
Facebook has made efforts not only to educate users about the dangers of clickjacking on its network, but also to instruct users on how to remove the spam from their newsfeed by hovering over the right of the post and clicking on the X to “Remove and unlike” it.
Another option that many people take is to install the NoScript add-on for the Firefox browser. This tool only allows activity on web sites that you trust and alerts users to potential threats.
Of course, stopping clickjacking at the source is one of the best avenues to take when fighting it. Since this attack relies on victims clicking on malicious links, one of the primary delivery methods is email spam. Effectively educating users about spam and using a proven spam-fighting solution will go a long way toward stopping clickjacking attacks against your users.
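A server-side complement to the user-side defenses above, added here and not part of the original post: a clickjacking overlay only works if the target page agrees to be loaded inside someone else's frame, and a site can refuse that with the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive (neither is mentioned in the post). The helper below classifies a response's headers by the framing policy they impose; the sample headers are constructed, not taken from any real site.

```python
"""Classify HTTP response headers by how they restrict framing (added example).
Clickjacking needs the victim page to load inside a third-party frame;
X-Frame-Options and the CSP frame-ancestors directive let a site refuse that.
"""
from typing import Dict, Optional


def csp_frame_ancestors(csp: str) -> Optional[str]:
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:]).lower()
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Return 'deny', 'same-origin', 'allow-list' or 'frameable'.
    Header names are matched case-insensitively. When both headers are
    present, frame-ancestors wins, as it does in browsers that support CSP.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    ancestors = csp_frame_ancestors(lowered.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors == "'none'":
            return "deny"
        if ancestors == "'self'":
            return "same-origin"
        return "allow-list"
    xfo = lowered.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "deny"
    if xfo == "sameorigin":
        return "same-origin"
    # Absent, misspelled or obsolete (ALLOW-FROM) values give no protection.
    return "frameable"


# Constructed sample responses, not taken from any real site
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "typo": {"X-Frame-Options": "SAME-ORIGIN"},  # misspelled, browsers ignore it
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:12s} -> {framing_policy(hdrs)}")
```

Anything that comes back as "frameable" is a page a transparent overlay could be laid over; the "typo" sample shows why the check must be strict about values rather than just testing for the header's presence.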