Security Tips

Beware of the Invisible Threat – Clickjacking!

Clickjacking is an invisible online attack where cybercriminals hide malicious buttons or links beneath legitimate website content.  You may think you are clicking a harmless button, but in reality, you could be unknowingly giving away personal information or changing security settings without realising it.

How does it work?

Clickjacking may occur using more than just one technique.  For example:

  • Cybercriminals may overlay invisible elements on top of trusted web content, for example a button to play a video. These elements are strategically placed over deceptive elements, such as fake buttons or links.
  • Cybercriminals may overlay only selected controls from the malicious page onto the legitimate page.

When a user clicks on what appears to be a harmless element, they are actually interacting with the hidden element, triggering malicious actions, such as a transfer of money, without their knowledge.

How can it affect you?

Clickjacking can affect individuals and businesses alike. Potential consequences include:

  • Your personal or company data could be stolen
  • Unauthorised transactions may occur
  • Malware could be installed on your device
  • Your accounts might be compromised

How can you stay safe?

Staying safe against such attacks always requires that users remain vigilant when interacting online.  This entails:

  • Avoid engaging with untrusted websites.  Untrusted websites are those that do not have adequate security embedded and hence may be compromised.  Another common telltale sign of an untrusted website is that it displays numerous unusual add-ons, pop-ups and links.
  • Double-check the website’s legitimacy and reputation by using methods such as hovering over the URL and confirming the common security indicators such as HTTPS or the padlock icon.
  • Avoid clicking on suspicious links and only download applications or files from trusted sources such as the official websites.  Suspicious links are URLs that may contain unusual or misspelled domain names, language errors, or random numbers or symbols.
  • Be cautious of pop-ups and too-good-to-be-true offers as these methods may be used to lure users into clicking malicious content.

For Website Owners and Developers

Defending against clickjacking requires website owners and developers to implement mechanisms that block or control framing so that attackers cannot embed the page.  A few ways include:

  • Server-side techniques such as configuring X-Frame-Options or the Content Security Policy (frame-ancestors) HTTP headers
  • The use of client-side clickjacking prevention tools, such as frame-busting scripts that prevent websites from functioning inside a frame, and the use of anti-clickjacking browser extensions.
  • Testing of website pages for vulnerabilities to clickjacking attacks.

Stay informed on this evolving threat and always practice safe online habits.  By doing so you are reducing the risk of falling victim to such deceptive attacks.
