Threat Intelligence Blog

Posted October 19, 2017

Clickjacking, also known as a “UI Redress Attack,” is a deceptive method of getting a user to click on something other than the intended item. Threat actors implement this method by placing invisible or disguised buttons or links in front of legitimate items within your view of a web page. In some circumstances, this approach can be used to capture keystrokes as well. Why is this a problem?

As we’ve discussed in previous blog posts, clickjacking is a common method of hijacking clicks from users visiting your website. As you can imagine, this can be a very dangerous event if you’re running an online banking site, or any site that holds valuable private information, such as healthcare, insurance, education, investment, or utility sites. Clickjacking has also been used to hijack the retweet and like buttons on social media platforms to artificially propagate content and inflate audience reach.

So how can we protect our networks, customers, and employees from being victimized by a clickjacking attack? There are a few options to consider:

  1. Server administrators can implement the Content-Security-Policy “frame-ancestors” directive to prevent the website from being rendered within a <frame> or <iframe>. Not all browsers support this directive yet.
  2. You can also use the “X-Frame-Options” response header to control how your site is rendered in a <frame> or <iframe>. The settings allow content to be framed only by pages from the same origin, by a list of approved URLs, or not at all.
  3. It may also be wise to add layers of interaction to important components of your website. Add fields that require more data or require a CAPTCHA. Anything that forces the threat actor to adjust or rebuild an attack may discourage them from attacking at all.
  4. Another quick method of protecting your content is to use a script that breaks any attempt at framing your content. Here’s one found on CodeMagi.com. It works for legacy browsers too!

Within the document <HEAD> tag, place the following content:

<style id="antiClickjack">body{display:none !important;}</style>

<script type="text/javascript">
// The page is hidden by default and only revealed when it is not framed.
if (self === top) {
  // Not framed: remove the hiding style so the page renders normally.
  var antiClickjack = document.getElementById("antiClickjack");
  antiClickjack.parentNode.removeChild(antiClickjack);
} else {
  // Framed: navigate the top-level window to this page to escape the frame.
  top.location = self.location;
}
</script>
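Defenses 1 and 2 above are both response headers, and a site usually wants them to agree. The following is an added example, not code from this post or from CodeMagi: a small Node.js helper that builds a matching pair of headers from one framing policy, plus an audit function that reads a captured response’s headers (names lower-cased) and reports whether a third-party page could still frame it. The policy shape and the sample headers are assumptions constructed for this example.

```javascript
// Added example (not from the post): build and audit anti-clickjacking headers.
const XFO = 'x-frame-options';
const CSP = 'content-security-policy';

// Build both headers from one policy so legacy browsers (X-Frame-Options)
// and CSP-aware browsers (frame-ancestors) get equivalent rules.
// policy: { mode: 'deny' } | { mode: 'self' } | { mode: 'allow', origins: [...] }
function framingHeaders(policy) {
  switch (policy.mode) {
    case 'deny':
      return { [XFO]: 'DENY', [CSP]: "frame-ancestors 'none'" };
    case 'self':
      return { [XFO]: 'SAMEORIGIN', [CSP]: "frame-ancestors 'self'" };
    case 'allow': {
      const origins = policy.origins.map((o) => o.replace(/\/+$/, ''));
      // X-Frame-Options cannot carry a list: ALLOW-FROM takes one URI and is
      // not honoured by every browser, so CSP carries the full allow-list.
      return {
        [XFO]: `ALLOW-FROM ${origins[0]}`,
        [CSP]: `frame-ancestors 'self' ${origins.join(' ')}`,
      };
    }
    default:
      throw new Error(`unknown framing mode: ${policy.mode}`);
  }
}

// Audit a response's headers (names lower-cased) and say whether an arbitrary
// third-party page could frame it. Browsers that understand frame-ancestors
// apply it and ignore X-Frame-Options, so the CSP directive is checked first.
function framingAudit(headers) {
  const m = /(?:^|;)\s*frame-ancestors\s+([^;]*)/i.exec(headers[CSP] || '');
  if (m) {
    const sources = m[1].trim().split(/\s+/);
    // '*' or a bare scheme source lets any origin on that scheme frame the page.
    const open = sources.some((s) => s === '*' || /^https?:$/i.test(s));
    return { mechanism: 'csp', protected: !open, sources };
  }
  const xfo = (headers[XFO] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN' || xfo.startsWith('ALLOW-FROM ')) {
    return { mechanism: 'x-frame-options', protected: true, sources: [xfo] };
  }
  // A missing or malformed value is ignored by browsers: the page is frameable.
  return { mechanism: 'none', protected: false, sources: [] };
}

// Constructed sample: a response that only sets a permissive CSP.
const sampleHeaders = { [CSP]: "default-src 'self'; frame-ancestors *" };
console.log(framingAudit(sampleHeaders)); // protected: false
```

Run `framingAudit` over the headers your own site returns (for example, from a `curl -I` capture) to confirm that defenses 1 and 2 are actually in effect on every page that matters.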

As with most threats, there is no silver bullet for protecting ourselves. We can choose to adapt rapidly to threats and build effective defenses as they arise. Having your employees participate in cyber safety awareness training is always a good start, so they become more aware of common cyber threats and know how to defend against them. At least with clickjacking, there are concrete steps you can take to protect your content and your customers.

https://www.owasp.org/index.php/Clickjacking

https://www.codemagi.com/blog/post/194

http://www.e2college.com/blogs/web_security/clickjacking_attack_and_defense.html