Clickjacking tricks a user into performing an action on a target website: the user believes they are clicking one element, but they are actually clicking a webpage element that is invisible or disguised as something else. It can harm the user’s system or accounts by downloading unwanted malware, redirecting to malicious websites, tricking the user into sharing sensitive information, transferring money, or purchasing a product through an e-commerce site. Two common variants are likejacking and cursorjacking. Likejacking manipulates the Facebook “Like” button, while cursorjacking is a form of User Interface (UI) redressing that shifts the apparent position of the cursor from one point to another.
Although it is a simple technique, clickjacking can serve as the launching point for a range of other attacks, from serious ones such as installing malware or stealing credentials to less harmful ones such as inflating click statistics on unrelated websites, increasing ad revenue, collecting Facebook likes, or raising YouTube view counts. Clickjacking can also be the initial step of an advanced persistent threat (APT), which is extremely damaging to organizations and institutions that must safeguard intellectual property or private and sensitive data.
A representative clickjacking attack is one in which an attacker replicates a banking site and loads the real site in an iframe, so that the GET requests triggered by the user’s clicks are sent through invisible elements on the page. In the banking scenario, the worst outcome is that the user’s funds are transferred to the attacker’s account. The attacker disguises each element so that, after clicking, the user is shown frames confirming that their intended action completed successfully. A real-world instance targeted the settings page of the Adobe Flash plugin: by loading the Flash settings page into an invisible iframe, the attackers tricked users into changing Flash’s security settings and allowing Flash animations to access computer resources such as the microphone and camera.
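The attacks above all depend on the same precondition: the target page can be loaded inside an iframe on a page the attacker controls. The following JavaScript (Node.js) example is added here and is not code from the original article. It shows the server-side mitigation a defender would apply, the anti-framing response headers `X-Frame-Options` and `Content-Security-Policy: frame-ancestors`, together with a small audit helper that inspects a set of response headers and reports whether an arbitrary third-party origin could still frame the page. The function names and the sample header sets are constructed for this example.

```javascript
// Added example, not part of the original article. Demonstrates the
// server-side defence against clickjacking: response headers that tell the
// browser which origins may embed the page, plus an audit helper that flags
// responses still frameable by any third-party origin.

// Headers a sensitive page (a bank transfer form, a plugin settings page)
// should send. With no allow-list the page may not be framed at all. Both
// headers are emitted: older browsers only understand X-Frame-Options,
// while browsers that support CSP give frame-ancestors precedence.
function antiFramingHeaders(allowedAncestors = []) {
  if (allowedAncestors.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  // Allow-list: only the page's own origin and the listed origins may frame
  // it. X-Frame-Options has no usable allow-list form (ALLOW-FROM is
  // deprecated), so SAMEORIGIN is the safe legacy fallback.
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy':
      `frame-ancestors 'self' ${allowedAncestors.join(' ')}`,
  };
}

// Audit helper: given response headers (names matched case-insensitively),
// decide whether any third-party origin can frame the page, which is the
// precondition for the attacks described above.
function framingVerdict(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);

  // CSP frame-ancestors wins when present: split the policy into directives.
  const csp = lower['content-security-policy'] || '';
  const directive = csp
    .split(';')
    .map((s) => s.trim())
    .find((s) => s.toLowerCase().startsWith('frame-ancestors'));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
    // '*' or a bare scheme source lets any origin on that scheme frame the page.
    if (sources.includes('*') || sources.includes('http:') || sources.includes('https:')) {
      return { frameable: true, reason: 'frame-ancestors allows any origin' };
    }
    // An empty source list is treated as 'none' by the CSP specification.
    const allowed = sources.length ? sources.join(' ') : "'none'";
    return { frameable: false, reason: `frame-ancestors restricts framing to: ${allowed}` };
  }

  // Fall back to the legacy header. Only DENY and SAMEORIGIN are honoured by
  // current browsers; ALLOW-FROM is ignored, so it offers no protection.
  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { frameable: false, reason: `X-Frame-Options: ${xfo}` };
  }
  return {
    frameable: true,
    reason: xfo ? `unsupported X-Frame-Options value "${xfo}"` : 'no anti-framing header',
  };
}

// Constructed sample responses for the audit (not real captures).
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  legacyOnly: { 'Content-Type': 'text/html', 'X-Frame-Options': 'SAMEORIGIN' },
  hardened: { 'Content-Type': 'text/html', ...antiFramingHeaders() },
  misconfigured: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors *" },
};

// Run the audit over every sample and return the verdicts keyed by name.
function auditAll(responses = SAMPLE_RESPONSES) {
  const out = {};
  for (const [name, headers] of Object.entries(responses)) {
    out[name] = framingVerdict(headers);
  }
  return out;
}

for (const [name, v] of Object.entries(auditAll())) {
  console.log(`${name.padEnd(14)} frameable=${v.frameable}  (${v.reason})`);
}
```

In a real deployment the headers from `antiFramingHeaders()` are set on every HTML response of the application, and `framingVerdict()` is the kind of check a security review or CI job runs against captured responses to catch pages that were shipped without them, or with a `frame-ancestors *` that silently re-enables framing.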