SecurityWeek

Three Ways to Prevent Clickjacking

Clickjacking, a term coined by Jeremiah Grossman in 2008, is quickly becoming an extremely dangerous threat. Recent news coverage of enormous clickjacking schemes is bringing this type of threat to the forefront. The term clickjacking, for those not familiar, refers to a type of attack designed to get individuals to unknowingly click on nefarious links or buttons. From there, hackers are able to garner confidential information, get users to take an action online they normally wouldn’t, or compromise their privacy. For instance, a user might go to a website and click on a link to a video, but a malicious link is hidden underneath. A single click can trigger an action the user never intended: it could trick them into purchasing a product, enabling a webcam, or making their private online information public, as examples. It’s extremely stealthy, and most businesses don’t know their site visitors have been victimized until it’s too late.

The problem with this specific kind of attack is that, unlike SQL injection, cross-site scripting, and cross-site request forgery, one form of clickjacking is based on a widely used piece of web design functionality: frames. This technique has been repeatedly used against Facebook users, and just two months ago the Department of Justice charged seven people in a massive clickjacking scheme. In that instance, the DOJ alleges the hacker network was able to exploit four million people in 100 countries. The DOJ estimates that the network was able to generate more than $14 million.

Here are four ways to prevent your business and employees from becoming part of a clickjacking scam:

Protect the Browser First

In order to prevent your organization from falling prey to this type of attack, you must start with the browser. The most likely scenario is that your users will become clickjacking victims during their normal Web activities. One way to reduce risk is to evaluate and install browser plugins such as NoScript and NotScript, which prompt users to allow JavaScript actions on the sites they visit and let them specify trusted domains. Some users can be put off by this, but most are becoming sensitive to the amount of cybercrime out there and appreciate the measures companies take to protect them.

This action is less time consuming than others and can greatly reduce risk from the onset.

Take the X-Frames Option

Most common browsers, including Microsoft IE, Google Chrome, Apple Safari and Firefox, support the HTTP response header X-FRAME-OPTIONS, which lets a site specify whether another page is allowed to frame it. You can take advantage of this functionality by configuring your web server to send an X-FRAME-OPTIONS response header with the value “DENY.” You can read more on the X-FRAME-OPTIONS response header here.

You can also add JavaScript to your source code that checks whether your site has been framed. Many IT departments are large enough, and experience enough turnover, that this piece of information can go unnoticed unless someone specifically asks about it.

Splurge on Web Application Firewalls

Web Application Firewalls (WAFs) help prevent someone from injecting code into your site. But organizations still put this in the “like to have” category instead of “need to have.” Why? Because they are expensive and take a lot of time to manage. They are well worth it. Recent data has shown that nearly 70 percent of all SMBs were hacked in some capacity in 2010. If you can’t build and maintain firewalls for your organization for sheer lack of resources, consider outsourcing to the pros. It can take a huge burden off your plate, greatly reduce risks (of all kinds) and may cost less than you think.

Evaluate Email Protection

Install and implement a strong email spam filter, and check it often. A clickjacking attack usually begins by tricking a user through email into visiting a malicious site. This is largely accomplished through forged or specially crafted emails that look completely authentic. By blocking illegitimate emails, you reduce a potential attack vector for clickjacking and a slew of other attacks as well. You’ll need to warn your employees that this measure has been taken so they regularly check their junk mail.

Some hacks steal data right from the company’s private networks, while others destroy the company from the outside in by way of victimizing site visitors. This is one of those hacks, and it can be extremely damaging to a company’s brand. A few simple steps can significantly lessen the likelihood that your visitors will become clickjacking victims.
