Everyone who uses the internet now knows how important cybersecurity is. This is true whether you have a business website, a personal blog or are just browsing for goods or information online. While common threats like malware or phishing may be well known, clickjacking is another online security danger that you or your business may not know as much about. Although it was first uncovered more than 10 years ago, it has not yet been wiped out, even though browser manufacturers continue to do all they can to combat it.
With this in mind, it is vital to know what clickjacking is and what sort of danger it poses.
What is clickjacking?
In simple terms, this kind of malicious online activity sees unsafe browser extensions and damaging third-party scripts amend the URL in a link without you knowing. Once you click on the link, you are actually sent somewhere else on the web entirely, where viruses could infect your device. The problem for users is that the link you originally click on may be totally genuine, or on a reputable website that you have visited willingly. As the name suggests, the original link has been hijacked by cybercriminals, who profit when it is clicked.
You may even end up on a site that looks like the one in the real link but is in fact a mock-up created by online criminals. This could see you enter personal or financial details in all innocence, which are then stolen. The other danger with clickjacking is that it could prompt the installation of malicious code on your device, which then runs in the background without you ever knowing.
It is not confined to smaller or unpopular websites
Do not make the mistake of thinking that this threat is limited to niche or obscure websites. Research from Microsoft along with Chinese, South Korean and US universities found 3 separate clickjacking techniques in the top 250,000 sites ranked on Alexa. The sites affected were found to receive 43 million visits each day! The researchers found that the overall goal of the cybercriminals involved was to fool people into clicking on dodgy adverts, hijack affiliate programs, install malware and set up cookies on people’s devices.
Disguises and cookie stuffing
As the above shows, the reason clickjacking is so hard to spot and deal with is the secrecy it uses to fool people. Many times, the malicious scripts are hidden in web page content that is dressed up as genuine, first-party elements. The criminals involved can even place almost invisible malicious code on top of real first-party content on a website. Third-party code and scripts can also be used to hijack user clicks and make money from them via fraudulent affiliate marketing activity. Known as cookie stuffing, this technique originally came to light in 2013 when an eBay partner was prosecuted for it.
What can you do about it?
Of course, the real problem for any business is how to stop it happening on its own website or blog. Although browsers like Chrome are working to combat clickjacking, it may for now be a case of taking all third-party code off your website. The initial model of publishers adding third-party scripts to a site in order to make money through advertising may not be the most prudent now. Not only is clickjacking stealing money and visitors from site owners, it will also damage their overall reputation, even though they may be unaware of what is happening.
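Before you can take third-party code off a site, you need to know where it is loaded. The short Python script below is an added example (not catalyst2's own code) that lists every script and iframe on a page that loads from a host other than your own; the sample HTML and the example.com, example.net and example.org host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: one first-party script, two third-party scripts
# (one protocol-relative), one inline script and one third-party iframe.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://ads.example.net/tag.js"></script>
<script src="//cdn.example.org/widget.js"></script>
<script>console.log("inline");</script>
</head><body>
<a href="/shop">Shop</a>
<iframe src="https://ads.example.net/frame.html"></iframe>
</body></html>
"""


class ThirdPartyAudit(HTMLParser):
    """Collect <script src> and <iframe src> that load from other hosts."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []  # (tag, host, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script or empty frame: nothing fetched remotely
        url = urljoin(self.page_url, src.strip())  # resolves relative and // URLs
        host = urlparse(url).hostname
        if host and host != self.page_host:
            self.findings.append((tag, host, url))


def audit(html, page_url):
    """Return the third-party script and iframe loads found in html."""
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for tag, host, url in audit(SAMPLE_HTML, "https://www.example.com/"):
        print(f"{tag:7} {host:18} {url}")
```

Hosts are compared exactly, so your own subdomains will be listed too. The script only sees tags present in the HTML you give it, not scripts that other scripts add after the page has loaded.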
Get advice from the experts
Making sure your business website or personal blog is protected online is key. Here at catalyst2, we are an award-winning UK managed web hosting provider that takes online security seriously. For more information about our services, call today on 0800 107 7979.