Another great post from a guest writer, Vlad De Ramos
Regardless of the size of your business or data, clickjacking should be your concern. There’s no such thing as a minor issue when it comes to your security on the web.
The discovery of clickjacking dates back to 2008, when computer security experts Robert Hansen and Jeremiah Grossman first disclosed it at the OWASP NYC AppSec Conference. At the time, the duo described it as another form of zero-day attack, that is, a software vulnerability unknown to its vendor, which hackers are quick to exploit.
Browser and network services are prone to clickjacking attacks, which target legitimate content on websites by layering it with malicious links or buttons without the knowledge of the website administrator or end users. Clicking those links redirects users to phony websites, exposing the victims to the attacker’s malicious code.
How Serious a Threat is Clickjacking?
In 2010 the social media enterprise Facebook unknowingly became a platform from which a number of clickjacking attacks were launched. The series of scams worked by enticing users to Like and Share posts that either tricked people into giving out their cell phone number for a survey or loaded a fan page onto their profile. Unknown to the unsuspecting victims, they were being charged on their phone bills and sharing con sites on their Facebook pages.
Given the creativity of criminal hackers, clickjacking can be used against businesses in several ways.
1. Data can be illegally obtained or manipulated.
Research from CyberKeel, a Danish maritime security specialist firm, revealed in 2015 that 18 out of 20 cargo vessels are prone to clickjacking.
Through clickjacking, a shipper logs into or registers on a fake website mirroring the legitimate carrier’s site. As the shipper provides personal information, the attacker is waiting to intercept it and make fraudulent transactions on the shipper’s behalf.
The ways in which the shipper’s information can be misused are endless. Hackers may use it to access shipment information, transport banned cargo, modify shipping documents, or steal cargo outright.
2. Sneaky money-making schemes.
Criminal hackers can replicate legitimate emails to lure people into clicking a link. Once clicked, the user is redirected to a landing page containing a button that hides the attacker’s code. If the victim interacts with the malicious code, it executes a command that transfers money to the attacker.
This requires social engineering and a susceptible victim, which makes clickjacking a medium risk, but the impact of the scheme is high because the technique can be used to execute other attacks such as keylogging and theft.
3. Spamming your entire network.
This vulnerability requires interaction: victims have to voluntarily interact with the malicious page. If a user falls for the technique, it can expose confidential information or hand over control of the user’s account or computer, which can lead to an unauthorized user spamming the victim’s network of friends or contacts with more malicious links or viruses from that account.
How Can Clickjacking Be Countered?
Back when clickjacking was first announced to the public, the first recourse was to encourage web users to use text-only browsers, so that hackers could not embed their malicious code in graphical elements.
Although web developers bear the main responsibility for designing websites and code that keep your sites free of vulnerabilities, users also have a significant role in preventing malicious attacks:
Turn off or disable scripts and plugin content, which are the most common clickjacking targets during browsing sessions.
Always make sure that your browser is updated to the latest version, as it also offers improved security measures.
Pay attention to the browser’s warning notifications saying there may be an element hidden in the content you are trying to access.
Keep your antivirus software up to date and as secure as possible.
Be extra vigilant when web pages load too slowly, which may indicate suspicious activity within the site.
Coordinate with your IT specialists for tools and new developments.
Do not click any link in emails from unknown sources. Delete them immediately.
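The post leaves the developer-side defense implicit; in practice it is to tell the browser which sites, if any, may load the page in a frame, since a page that cannot be framed cannot be overlaid. The following Python audit is an added example, not code from the original post: it classifies a response's framing policy from its X-Frame-Options and Content-Security-Policy frame-ancestors headers (all header values used with it are constructed samples).

```python
"""Audit HTTP response headers for framing (clickjacking) protection.
Added example, not code from the original post. A page can only be
clickjacked if another site can load it in a frame; the server-side fix is
`X-Frame-Options` or, preferably, CSP `frame-ancestors`. When both are
present, browsers honour frame-ancestors and ignore X-Frame-Options."""
from typing import Dict, List, Optional

SECURE_HEADERS = {  # send these when the site never needs to be framed
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Return 'blocked', 'same-origin', 'allow-list' or 'unprotected'."""
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:  # CSP present: it takes precedence
        if not sources or sources == ["'none'"]:  # empty list means 'none'
            return "blocked"
        if sources == ["'self'"]:
            return "same-origin"
        return "unprotected" if "*" in sources else "allow-list"
    xfo = h.get("x-frame-options")
    if xfo is None:
        return "unprotected"
    values = {v.strip().lower() for v in xfo.split(",")}
    if len(values) > 1:  # conflicting values: browsers refuse to frame
        return "blocked"
    value = values.pop()
    if value == "deny":
        return "blocked"
    if value == "sameorigin":
        return "same-origin"
    return "unprotected"  # e.g. obsolete ALLOW-FROM, which browsers ignore


def is_clickjackable(headers: Dict[str, str]) -> bool:
    """True when an arbitrary third-party site could frame this response."""
    return framing_policy(headers) == "unprotected"
```

Run framing_policy over the headers of each page a site serves; anything reported as unprotected is a page an attacker could overlay.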
Clickjacking should not be overlooked. This vulnerability can be chained with other attacks, and then its impact is even higher. There is no such thing as a minor issue when it comes to your security on the web. Regardless of the size of your business or data, you must always be prepared and ready to implement a disaster recovery plan.
About the Author: Vlad de Ramos has been in the IT industry for more than 22 years, with a focus on IT Management, Infrastructure Design and IT Security. Outside the field, he is also a professional business and life coach, a teacher and a change manager. Vlad has set his focus on IT security awareness in the Philippines, and he is a certified information security professional, a certified ethical hacker and forensics investigator, and a certified information systems auditor.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of TheDigitalAgeBlog.