Clickjacking has been around for a long time, working hand-in-hand with the unwitting person doing the clicking to send them to parts unknown—often at the expense of site owners. Scammers achieve this by hiding the page object the victim thinks they’re clicking on under a layer (or layers) of obfuscation. Invisible page elements like buttons, translucent boxes, invisible frames, and more are some of the ways this attack can take place.

Despite being an old tool, clickjacking is becoming a worsening problem on the web. Let’s explore how clickjacking works, recent research on clickjacking, including the results of a study examining the top 250,000 Alexa-ranked websites, and other ways in which researchers and site owners are trying to better protect users from this type of attack.

Laying the groundwork

There are many targets of clickjacking. 

Cursors, cookies, files, even your social media likes. Traditionally, an awful lot of clickjacking relates to adverts and fraudulent money making. In the early days of online ad programs, certain keywords that brought a big cash return for clicks became popular targets for scammers. Where they couldn’t get people to unintentionally click on an ad, they’d try to automate the process instead.

Here’s an example from 2016, playing on the seemingly never-ending European cookie law messages on every website ever. Pop a legitimate ad, make it invisible, and overlay it across a Cookie pop-up. At that point, it’s unintentional advert time.

This is not to say clickjacking techniques are stagnant; here’s a good example of how these attacks are tough to deal with.

Clickjacking: back in fashion

There’s a lot of clickjack-related activity taking place at the moment, so researchers are publishing their works and helping others take steps to secure browsers.

One of those research pieces is called All your clicks belong to me: investigating click interception on the web, focusing on JavaScript-centric URL access. I was hoping the recording of the talk from USENIX Security Symposium would be available to link in this blog, but it’s not currently online yet—when it is, I’ll add it. The talk is all about building a way to observe possible clickjack activity on some of the most popular websites in the world and reporting back with the findings.

Researchers from a wide variety of locations and organisations pooled resources and came up with something called “Observer,” a customised version of Chromium, the open-source browser. With it, they can essentially see under the hood of web activity and tell at a glance the point of origin of URLs from every link.

As per the research paper, Observer focuses on three actions JavaScript code may perform in order to intercept a click:

  • Modifying existing links on a page
  • Creating new links on a page
  • Registering event handlers to HTML elements to “hook” a click

All such events are identified and tagged with a unique ID for whichever script kicked the process into life, alongside logging page navigation to accurately record where an intercepted click is trying to direct the victim.

Observer logs two states of each webpage tested: the page fully rendered up to a 45-second time limit, and then interaction data, where they essentially see what a site does when used. It also checks if user clicks update the original elements in any way.

Some of the specific techniques Observer looks for:

  • Visual deception tricks from third parties, whether considered to be malicious or accidental. This is broken down further into page elements which look as though they’re from the site, but are simply mimicking the content. A bogus navigation bar on a homepage is a good example of this. They also dig into the incredibly common technique of transparent overlays, a perennial favourite of clickjackers the world over.
  • Hyperlink interception. Third party scripts can overwrite the href attribute of an original website link and perform a clickjack. They detect this, as well as keeping an eye out for dubious third-party scripts performing this action on legitimate third-party scripts located on the website. Observer also checks for another common trick: large clickable elements on a page, where any interaction with the enclosed element is entirely under its control.
  • Event handler interception. Everything you do on a device is an event. Event handlers are routines which exist to deal with those events. As you can imagine, this is a great inroad for scammers to perform some clickjacking shenanigans. Observer looks for specific API calls and a few other things to determine if clickjacking is taking place. As with the large clickable element trick up above, it checks for large elements from third parties.

Study results

Observer crawled the Alexa top 250,000 websites from May 2018, ending up with valid data from 91.45 percent of the sites they checked accounting for timeouts and similar errors. From 228,614 websites, they ended up with 2,065,977 unique third-party navigation URLs corresponding to 427,659 unique domains, with an average of 9.04 third-party navigation URLs pointing to 1.87 domains.

Checking for the three main type of attack listed above, they found no fewer than 437 third-party scripts intercepting user clicks on 613 websites. Collectively, those sites receive about 43 million visitors daily. Additionally, a good slice of the sites were deliberately working with dubious scripts for the purpose of monetizing the stolen clicks, to the tune of 36 percent of interception URLs being related to online advertising.

The full paper is a fascinating read, and well worth digging through [PDF].

Plans for the future

Researchers point out that there’s room for improvement with their analysis—this is more of a “getting to know you” affair than a total deep dive. For example, with so many sites to look at, they only look at the main page for analysis. If there were nasties lurking on subpages, they wouldn’t have seen it.

They also point out that their scripted website interaction quite likely isn’t how actual flesh-and-blood people would use the websites. All the same, this is a phenomenal piece of work and a great building block for further studies.

What else is happening in clickjacking?

Outside of conference talks and research papers, there’s also word that a three-year-old suggestion for combating iFrame clickjacking has been revived and expanded for Chrome. Elsewhere, Facebook is suing app developers for click injection fraud.

As you can see from a casual check of Google/Yahoo news, clickjacking isn’t a topic perhaps covered as often as it should be. Nevertheless, it’s still a huge problem, generates massive profits for people up to no good, and deserves to hog some of the spotlight occasionally.

How can I avoid clickjacking?

This is an interesting one to ponder, as this isn’t just an end-user thing. Website owners need to do their bit, too, to ensure visitors are safe and sound on their travels [1], [2], [3]. As for the people sitting behind their keyboards, the advice is pretty similar to other security precautions.

Given how much of clickjacking is based around bogus advertising cash, consider what level of exposure to ads you’re comfortable with. Deploying a combination of adblockers and script control extensions, especially where JavaScript is concerned, will work wonders.

Those plugins could easily break the functionality of certain websites though, and that’s before we stop to consider that many sites won’t even give you access if ads are blocked entirely. It comes down, as it often does, to ad networks waging war on your desktop. How well you fare against the potential risks of clickjacking could well depend where exactly you plant your flag with regards advertiser access to your system.

Whatever you choose, we wish you safe surfing and a distinct lack of clickjacking. With any luck, we’ll see more research and solutions proposed to combat this problem in the near future.