Clickjacking is alive and well, hijacking browsers that visit hundreds of popular websites, according to research released this week. A paper published by researchers at the Chinese University of Hong Kong, Microsoft Research, Seoul National University, Purdue University, and Pennsylvania State University, found that many of the world's most popular sites are still fooling visitors into following deceptive links to unexpected destinations.
Clickjacking is a well-established technique in which third-party scripts or browser extensions hijack users' clicks, redirecting them to alternate locations. Online crooks can use it to download malware to a victim's computer or to commit advertising fraud, redirecting clicks to online ads and earning commission.
Advertising click fraudsters once used online bots to click ads automatically at scale, but ad networks got wise to this practice. Instead, attackers have recently begun redirecting legitimate page clicks from real users, the paper says.
The researchers developed their own browser analysis system, called Observer, and used it to monitor JavaScript-based URL access. They used Observer to analyze the top 250,000 websites on traffic-analysis site Alexa.
Observer found 613 websites using 437 third-party scripts that intercepted user clicks. That may not sound like many, but the websites collectively received 43 million daily visits, according to the paper.
These scripts tricked users into following links by disguising them as legitimate site content. Observer spotted 3,251 clickjacking destination URLs, with 36% related to online advertising.
Attackers used three devious techniques to intercept user clicks. The first intercepted hyperlinks, either by tampering with their tags or by embedding hyperlinks in huge page elements that covered at least 75% of the browser window. The second used event handlers such as navigation event listeners, which opened the malicious URL when the user clicked anything on the page.
The final technique was visual deception, which either mimicked legitimate page content such as Facebook Like buttons or placed a transparent overlay element over legitimate content. Either approach let attackers hijack a user's click on a button or other page element.
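As an added illustration of how a page-analysis tool can flag the three signals described above (this is example code written for this article, not code from the paper or from the researchers' Observer system), the JavaScript below applies them to a constructed snapshot of a page's elements and click listeners. The snapshot format, the function names, the sample URLs and the 0.01 opacity threshold for "transparent" are assumptions made for the example.

```javascript
// Added example: heuristics for the three click-interception patterns in the
// article (huge hyperlink, global navigating click listener, transparent
// overlay). Not code from the paper or the Observer tool; snapshot format,
// thresholds and sample data are assumptions constructed for illustration.

const VIEWPORT = { width: 1280, height: 800 }; // constructed viewport size

// Fraction of the viewport covered by an element's bounding box (0..1).
function viewportCoverage(rect, viewport = VIEWPORT) {
  const left = Math.max(rect.x, 0);
  const top = Math.max(rect.y, 0);
  const right = Math.min(rect.x + rect.width, viewport.width);
  const bottom = Math.min(rect.y + rect.height, viewport.height);
  if (right <= left || bottom <= top) return 0; // off-screen or empty
  return ((right - left) * (bottom - top)) / (viewport.width * viewport.height);
}

// Round a ratio to four decimals so findings are easy to compare.
function round4(x) {
  return Math.round(x * 10000) / 10000;
}

// Does the element navigate when clicked: an <a> with an href, or an element
// whose click handler was recorded (by the snapshot) as navigating.
function navigatesOnClick(el) {
  return Boolean((el.tag === 'a' && el.href) || el.clickNavigates);
}

// Apply the three signals to a page snapshot and return the findings:
//  1. a hyperlink whose box covers at least 75% of the viewport,
//  2. a click listener on document/window that navigates somewhere,
//  3. a near-transparent element that navigates and sits over visible content.
function findClickInterceptors(snapshot, viewport = VIEWPORT) {
  const findings = [];
  for (const el of snapshot.elements) {
    const coverage = viewportCoverage(el.rect, viewport);
    if (el.tag === 'a' && el.href && coverage >= 0.75) {
      findings.push({ id: el.id, signal: 'huge-hyperlink', coverage: round4(coverage), target: el.href });
    }
    const opacity = el.opacity === undefined ? 1 : el.opacity;
    if (opacity <= 0.01 && navigatesOnClick(el) && coverage > 0) {
      findings.push({ id: el.id, signal: 'transparent-overlay', coverage: round4(coverage), target: el.href || el.clickTarget });
    }
  }
  for (const l of snapshot.listeners) {
    const global = l.target === 'document' || l.target === 'window';
    if (global && l.type === 'click' && l.navigatesTo) {
      findings.push({ id: l.target, signal: 'global-click-listener', target: l.navigatesTo });
    }
  }
  return findings;
}

// Constructed snapshot: one benign nav link, one page-sized wrapper link, one
// invisible overlay on top of a "Like" button, one off-screen footer link, plus
// a document-level click listener that navigates. URLs are placeholders.
const SAMPLE_SNAPSHOT = {
  elements: [
    { id: 'nav-link', tag: 'a', href: '/about', rect: { x: 0, y: 0, width: 120, height: 40 } },
    { id: 'wrap', tag: 'a', href: 'https://ads.example.invalid/landing', rect: { x: 0, y: 0, width: 1280, height: 800 } },
    { id: 'like-overlay', tag: 'div', opacity: 0, clickNavigates: true, clickTarget: 'https://ads.example.invalid/like',
      rect: { x: 600, y: 300, width: 90, height: 30 } },
    { id: 'footer-link', tag: 'a', href: '/terms', rect: { x: 0, y: 900, width: 100, height: 20 } },
  ],
  listeners: [
    { target: 'document', type: 'click', navigatesTo: 'https://ads.example.invalid/click' },
    { target: '#search-btn', type: 'click', navigatesTo: null },
  ],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findClickInterceptors(SAMPLE_SNAPSHOT), null, 2));
}
```

Run with `node` and the sample snapshot yields three findings: the wrapper link (coverage 1), the transparent overlay, and the document-level listener; the small nav link and the off-screen footer link are not reported. In a real crawler these signals would be computed from live bounding boxes and from instrumented `addEventListener` calls, which is the kind of monitoring the article attributes to Observer without describing its internals.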