Clickjacking attack | how do hackers steal your banking information?

Source: Wikipedia

Simply put, clickjacking is a type of attack in which you are tricked into clicking on a webpage element that is not what it appears to be: the element you see is bait, and the element that actually receives the click is a different, hidden HTML element, typically a page from a site where you are already logged in, loaded in a transparent iframe on top of the bait. Because the click happens in your own browser with your own session, the hidden page treats it as a deliberate action by you, such as confirming a payment, changing a security setting or granting a permission. That is how the technique can reach your banking or other sensitive accounts; in other variants the hijacked click starts a download of malware onto your PC or smartphone that can then steal banking information or personal data.

Here are the types of Clickjacking:

There are some specific types of clickjacking that have been given their own names. One of them is likejacking, which consists of disguising a Facebook “Like” button. Facebook users click the button thinking it relates to something they actually like, but the “Like” is instead recorded for another Facebook page, the users being totally oblivious to what happened. Something similar happened with a Twitter page as well: the supposed click ended up retweeting the link to the malicious page, causing it to reach more people.

Another form of clickjacking is cursorjacking, which works the same way, except that this time the cursor you see on screen is not where the real cursor is: the visible pointer is drawn at an offset from the actual click position, so the click lands on a different element from the one under the displayed cursor.

How can hackers use this “trick”?

Let’s give an example of how attackers use this trick. They first create a page that is likely to grab the target’s attention, such as a free gift, a free iPhone or a trip somewhere. Over that page they place an invisible iframe that loads another site, one where the victim already has a session, containing a clickable button for an entirely different function, such as “transfer funds” or “enable permission”. The iframe is made transparent and positioned so that its real button lines up exactly over the visible giveaway button. When the user clicks what they think is the giveaway button, the click is delivered to the hidden button instead.
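To make the mechanism concrete, here is an added example (not code from the original article) showing both sides of it: how the bait page is built, with the transparent iframe shifted so the target’s real button sits under the visible one, and a defender-side check that tells you from a page’s HTTP response headers whether a browser would let an attacker frame it at all. It runs under plain Node.js with no dependencies; the URLs, pixel offsets and button labels are assumptions made up for the example.

```javascript
// Added example, not code from the article: (1) the structure of a
// clickjacking bait page, and (2) a header check a defender can run
// against a site's HTTP response to see whether browsers would allow
// that page to be framed by a third-party origin.
// Plain Node.js, no dependencies. URLs and pixel offsets are made up.

// (1) Attacker side. The victim sees only the bait button. The target
// page (a site where the victim is already logged in) is loaded in an
// iframe with opacity 0, stacked above the bait and shifted so that the
// target's own "Transfer funds" button sits exactly under the mouse when
// the victim clicks the bait. The click therefore goes to the hidden
// button and carries the victim's session cookies.
function buildBaitPage(targetUrl, targetButtonX, targetButtonY) {
  const baitX = 100, baitY = 200; // where the visible bait button is drawn
  return `<!doctype html>
<html><body>
<button style="position:absolute; left:${baitX}px; top:${baitY}px;">
  Claim your free iPhone
</button>
<iframe src="${targetUrl}"
        style="position:absolute; border:0; width:1200px; height:900px;
               left:${baitX - targetButtonX}px; top:${baitY - targetButtonY}px;
               opacity:0; z-index:2;">
</iframe>
</body></html>`;
}

// (2) Defender side. Given a page's response headers, report whether a
// browser will let another origin frame it. A Content-Security-Policy
// frame-ancestors directive takes precedence over X-Frame-Options when
// both are present, so it is evaluated first. Header names are matched
// case-insensitively.
function frameability(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }

  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp
      .split(';')
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      // Drop the directive name and the quotes around keywords like 'self'.
      const sources = directive
        .split(/\s+/)
        .slice(1)
        .map((s) => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.includes('none')) return 'blocked';
      if (sources.includes('*')) return 'frameable';
      return 'restricted:' + sources.join(',');
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'restricted:self';
  // No header, or the obsolete ALLOW-FROM form that current browsers
  // ignore: an attacker's page can frame this one.
  return 'frameable';
}
```

Two caveats when using the check on a real site: only the enforcing `Content-Security-Policy` header counts (a `Content-Security-Policy-Report-Only` header reports violations but does not stop framing), and frame protection is only half the defence. The hidden click is dangerous because the victim’s session cookie is sent with it, so marking session cookies `SameSite=Lax` or `Strict` also blunts the attack, since the browser then withholds them from a cross-site frame.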

Clickjacking has already been used to change the security settings of Adobe Flash Player, which allowed a Flash animation to take control of a PC’s microphone and camera.

How is social engineering used in clickjacking?

Cybercriminals use social engineering lures to disguise the attack as content that does not look overtly malicious. Some of the most common social engineering techniques used in recent clickjacking attacks are:

  • Exclusive clips. Posts that claim to have photos or videos of exclusive content. Users who want to know more about this “exclusive content” end up being tricked into clicking on the malicious link.
  • Latest world news updates. Clickjacking attacks also take advantage of the latest news to disguise themselves. Updates on important events attract users who want to be informed in real time.
  • Latest entertainment news and gossip. Entertainment news and anything related to showbiz controversies and intrigues (including pranks) may be used to mislead users.
  • Promotions and contests. Users are attracted to any good contest or promotion. However, in their desire to win, they may end up falling victim to a clickjacking attack.

How do cybercriminals set up the attack?

Similar to KOOBFACE attacks, the people behind clickjacking attacks create fake accounts on social networking sites.

Here is an overview of the steps clickjacking attackers need to take to execute the threat:

1. Set up dummy accounts on social media and blogging sites.

2. Create posts containing malicious scripts. These posts also include images or videos that use social engineering techniques.

3. Create a Facebook page with links to malicious blog entries.

What happens once users click on these posts?

Once users click on these wall posts, they are taken to a page that gives further instructions for clicking on another link. However, this only leads the frustrated user to another web page. There are also instances where users only need to click once to trigger the threat.

Here are two common forms of clickjacking that have been noted on Facebook.

Wall posts redirect to multiple pages

Users may encounter a message on their Facebook feeds about a supposed celebrity video, browser extension, or contest. Instead of seeing the content promised in the description, they are redirected to several other pages until they land on a web page that asks for personal information such as cell phone numbers and email addresses.

Cybercriminals can then use this information to spam more users and for other malicious activities.

How could users avoid this threat?

There are many ways for users to avoid this threat. Here are a few simple steps that will help:

  1. Be wary of links displayed in your Facebook feed itself.
  2. Limit your social media contacts to people you know personally.
  3. Study the privacy settings of the social networking site of your choice. Make sure your connection to these sites is secure (https://); this protects your session from tampering on the network, although it does not by itself stop a clickjacked click.
  4. If possible, make your Facebook profile private. Apart from protecting your privacy, it also reduces the chances of encountering malicious users online.
  5. For the latest news and updates on world events, promotions, etc., consider bookmarking credible news sites instead of relying solely on social media.
  6. Proactively report or tag suspicious posts seen on social media sites.
