Clickjacking: What is it and How You Can Protect Yourself?
Lately there has been a lot in the news about a type of computer attack called “clickjacking”, in which attackers use web pages to cheat people out of millions of dollars by setting them up with fraudulent purchases and by harvesting their personal information, such as credit card numbers. Unfortunately, this type of attack is extremely hard to trace, because it is built to make it look as if the person who was attacked genuinely intended the action taken or the information shared. Thankfully, there have finally been some breakthroughs in finding and arresting those who take part in this awful activity. On November 9th 2011, the FBI shut down a ring of clickjackers who collectively stole over 14 million dollars and affected well over 4 million individual computers.
How does it work?
Clickjacking works by creating a button on a web page that does something other than what it says it will do. For example, the button could be a simple submit button; but instead of submitting your details for the newsletter you wanted, you have just ordered a 4-year subscription to Playboy magazine. It is the art of overlaying an invisible page on top of the page you can see, and collecting information that is then used to defraud you. Some of the tricks that have been used are:
- Tricking users into enabling their webcam and microphone through a Flash pop-up (Adobe has since fixed this);
- Making a user's social networking profile information public when it was previously private;
- Forcing someone to follow someone else on Twitter, usually an account that posts bad pornography and other repulsive material;
- Forced link sharing on Facebook and other link sharing networks.
Another way it works is that attackers are paid for how many clicks an advertisement on their web pages receives, or for how many times a particular ad is shown. They use a form of malware called “DNSChanger” which relies on subverted servers: the user is redirected through infected networks, putting money in the attackers’ pockets and opening up the computer to further serious infection.
I have a Mac (Linux, UNIX or other OS). I’m not at risk, am I?
Yes, you are at risk. Because this kind of attack uses the browser as its carrier, you can be at risk no matter which operating system you run. Also, since the software that gets installed on your computer after clicking an infected link or button blocks access to the anti-virus sites that would remove it, most users who are not paying close attention would never know they were infected.
What can I do to protect myself?
There are a few things you can do to keep yourself safe. First of all, keep an eye on the web pages you are directed to when you click on any link, and make certain that they are within the domain you expect! For example, if you go to an iTunes website to buy some music, the address should read something like store.itunes.com. If you have been clickjacked, it will read something similar enough that you may not notice unless you read it carefully. So please, keep your eyes open! There are also browser add-ons that, while taking some functionality away, will keep you safe. For Firefox there is NoScript, which blocks all potentially dangerous scripts. If you want to watch a YouTube video, though, you will need to tell the add-on to let it through. It can be tedious, but it is worth it.
One other option, a bit on the extreme end, is to use a text-only browser like Lynx. It is exactly what it sounds like: a browser that lets nothing but text through. This is a very extreme step and one that is sure to diminish your browsing experience, but if you are that worried it is a good idea. Just make sure you read the instructions carefully; many users have reported that the program is difficult to get up and running, and the developer admits to not having the time to offer technical support.
What are my options for server side protection?
You can protect your website's users from clickjacking attacks with a small piece of JavaScript called a frame killer (also known as a framebuster). It stops your page from being displayed inside a frame on another site, which takes away the invisible overlay that clickjackers rely on. For those who wish to implement it, a good cross-browser snippet is:
<script type="text/javascript">
  // Break out of any frame: if this window is not the top-level window,
  // replace the top-level location with this page's own URL.
  if (top != self) top.location.replace(location);
</script>
By using this, most clickjacking attempts will be thwarted, as well as several other types of attack that rely on framing a website. While this is reliable in almost all circumstances, it still pays to be as cautious as possible and to urge your website's users to install tools like NoScript and to use common sense when browsing the Internet. Such words of caution help both your readers and yourself by keeping attackers away from your site.
What do I do if I think I’ve been affected?
The FBI has an entire task force working on just this issue. The project is called “Operation Ghost Click”, and its site has materials to help you determine whether you have been infected. If, after doing the simple test in which you enter your IP address into their search box, it turns out that you have been affected, you will be given further instructions on how to file a report, and assistance in regaining control of your IP address.
After you have made your report to the FBI, please take your computer to a computer professional you trust to remove such malware from your system. Because of the fairly new and complicated strategy behind this attack, users should not take their computer safety lightly. Have a professional help you.
Once again, it all comes down to being safe on the internet. Keeping an eye on your browser's address bar and not clicking on things that your gut tells you are not quite right are habits you should follow through on. Also, keeping good anti-virus software up to date on your system will help keep you away from infected sites.