EXECUTIVE SUMMARY:

Academic researchers have identified ‘clickjacking,’ a means of hijacking a user’s mouse, as a prominent and growing cybersecurity issue.

After collecting data on 250,000 websites, the researchers uncovered clickjacking apparatuses on 613 of them. While the number isn’t staggering, these sites accrue a combined total of more than 43 million visits each day.

One reason for the rise of clickjacking is the improvement in software that can detect bot-generated clicks. To work around the software, hackers have moved to a new means of generating false clicks.

There are many forms of clickjacking. Here is a short list of common varieties:

  • Click interception by hyperlinks: This occurs when hackers use malware-laced scripts embedded in links on legitimate web pages in order to redirect the user to their own sites.
  • Click interception by event handlers: This occurs when hackers infiltrate a website and attack a user’s cursor, redirecting it towards a malicious link, ad, or other element of a webpage.
  • Click interception by visual deception: This occurs when aspects of a legitimate site are modified by hackers, and then clicked on by unsuspecting users.

Of the 613 websites found to intercept clicks, 36% of the clickjacking apparatuses were designed solely to generate ad revenue.

The issue is expected to proliferate within the next few years. Preventing clickjacking may hinge on implementing new technical safeguards, including framebusting (also called framebreaking) scripts, the X-Frame-Options response header, and a Content-Security-Policy header with a frame-ancestors directive.
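As an added example, not code from the study or the linked write-ups, the function below audits a page's response headers for the header-based safeguards just named, applying the precedence browsers use (a CSP frame-ancestors directive takes priority over X-Frame-Options) and flagging the obsolete ALLOW-FROM form. The header sets at the bottom are constructed to show a weak configuration beside a corrected one.

```javascript
// Added example, not code from the study or the linked write-ups: audit a
// response's headers for anti-framing protection. Header names and values
// follow the X-Frame-Options and CSP frame-ancestors specs; the sample
// header sets at the bottom are constructed.

// Return the source list of a CSP directive, or null if it is absent.
function cspDirective(csp, name) {
  if (!csp) return null;
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Decide whether the headers stop other origins from framing the page,
// which is the precondition for overlay-style clickjacking.
// `headers`: plain object keyed by lower-case header name (as Node's http gives it).
function assessFramingProtection(headers) {
  const csp = headers['content-security-policy'];
  const ancestors = cspDirective(csp, 'frame-ancestors');
  if (ancestors !== null) {
    // When both headers are present, browsers that support frame-ancestors
    // obey it and ignore X-Frame-Options, so it is evaluated first.
    if (ancestors.includes("'none'")) {
      return { protected: true, mechanism: 'csp', detail: 'frame-ancestors forbids all framing' };
    }
    if (ancestors.length === 0 || ancestors.includes('*') || ancestors.includes('http:') || ancestors.includes('https:')) {
      return { protected: false, mechanism: 'csp', detail: 'frame-ancestors permits any origin or is malformed' };
    }
    return { protected: true, mechanism: 'csp', detail: 'framing limited to ' + ancestors.join(' ') };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, mechanism: 'x-frame-options', detail: xfo };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // ALLOW-FROM is obsolete and ignored by current browsers: no protection.
    return { protected: false, mechanism: 'x-frame-options', detail: 'ALLOW-FROM is unsupported' };
  }
  return { protected: false, mechanism: 'none', detail: 'no anti-framing header' };
}

// Constructed header sets: a weak configuration beside the corrected one.
const WEAK_HEADERS = { 'content-security-policy': "default-src 'self'; frame-ancestors *" };
const FIXED_HEADERS = { 'x-frame-options': 'DENY',
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'" };
```

Framebusting scripts remain useful only as a fallback for very old browsers; the headers above are what current browsers enforce.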

It may also require browser vendors to show users who placed a given link on a page. If the creator is not affiliated with the site's owner, the user will be able to identify the link as malicious.

For more on the academic research study, visit ZDNet.

For more on the technical side of preventing clickjacking, visit Security Boulevard.