How clickjacking works and how to defend yourself

Clickjacking is a fraudulent technique that redirects the user's click to a different object than the one they actually clicked.

Clickjacking does not always involve malware or viruses. We tend to think that every scam perpetrated on the Net has to do with phishing campaigns or viruses that steal users' access credentials. But this is not always the case. Clickjacking, for example, is a fraudulent practice that does not use any kind of malware to scam users.

As you can guess from the name, clickjacking has to do with the online activity of users, especially when they click on links on Internet pages. Clickjacking is a fraudulent technique that redirects the user's click to a different page than the one indicated by the link. This type of technique is mainly used to direct user traffic to banner ads, so that the scammer earns money from people's clicks. It's a pretty sneaky practice that exploits vulnerabilities in JavaScript and iframes.

What is clickjacking and how does it work

Clickjacking was first discovered in 2008 by Robert Hansen and Jeremiah Grossman and seemed to have disappeared after a peak in 2009 and 2010. But the fraudulent technique has enjoyed a second life with the explosion of social networks, especially Facebook. Some users use clickjacking to fraudulently increase the "likes" of a page. The person does not knowingly "like" the page; the "like" is "extorted" through clickjacking. The hackers infect the pages of some websites by running specific JavaScript, to divert traffic to Facebook pages and increase the number of likes. In some cases it is not even necessary to click on a link: you just need to hover your mouse pointer over a hidden object on the web page.

What you risk with clickjacking

Compared to malware, clickjacking is much less dangerous for the user. You don't risk having your Facebook or online banking credentials stolen. And besides, clickjacking is impossible to implement on e-commerce sites. The only real danger is being put on some spam list and finding your inbox completely full. In addition, some fraudsters use clickjacking to direct traffic to banner ads: the risk for users is seeing pop-up ads open while they are surfing the Internet.

Clickjacking uses flaws in JavaScript and iframes, so no browser is safe.

How to defend against clickjacking

Clickjacking cannot be fought with normal antivirus software, and in most cases the user is not at fault. If, while browsing a web page, we notice websites opening that we have not clicked on, we should immediately close the page and log out of all social accounts. Also, to see where the clickjacking comes from, you need to check the activity log and see if there is anything abnormal. Finally, to prevent clickjacking you can install browser extensions that block the scripts scammers use to implement the fraudulent technique. One of the best is NoScript.
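
The "hidden object" described above is typically an iframe made transparent and layered over something visible. As an added example (not part of the original article), this Python script flags such frames in a page's HTML; the sample markup, the 0.1 opacity threshold and the function names are assumptions.

```python
from html.parser import HTMLParser

# Constructed sample markup (not from the article): an ordinary embed and a
# transparent iframe positioned on top of a visible button.
SAMPLE_HTML = """
<button id="play">Play video</button>
<iframe src="https://maps.example/embed" style="width:600px; height:400px"></iframe>
<iframe src="https://social.example/like-widget"
        style="position:absolute; top:0; left:0; Opacity: 0; z-index:10"></iframe>
<iframe src="https://video.example/player" style="opacity:0.9"></iframe>
"""

OPACITY_LIMIT = 0.1  # assumption: at or below this a frame is effectively invisible

def parse_style(style):
    """Turn an inline style string into a {property: value} dict."""
    props = {}
    for decl in style.split(";"):
        name, sep, value = decl.partition(":")
        if sep:
            props[name.strip().lower()] = value.strip().lower()
    return props

def opacity_of(props):
    """Return the declared opacity as a float; 1.0 if absent or unparsable."""
    raw = props.get("opacity", "1")
    try:
        return float(raw[:-1]) / 100 if raw.endswith("%") else float(raw)
    except ValueError:
        return 1.0

class FrameAuditor(HTMLParser):
    """Records every iframe whose inline style makes it transparent."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        props = parse_style(attr.get("style") or "")
        if tag == "iframe" and opacity_of(props) <= OPACITY_LIMIT:
            # A positioned frame can sit on top of other page content.
            overlay = props.get("position") in ("absolute", "fixed")
            self.findings.append({"src": attr.get("src"), "overlay": overlay})

def audit(html):
    """Return the transparent iframes found in an HTML document."""
    auditor = FrameAuditor()
    auditor.feed(html)
    return auditor.findings

if __name__ == "__main__":
    print(audit(SAMPLE_HTML))
```

The script reads only inline style attributes, so frames hidden through a stylesheet or by script need a check against the rendered page instead.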