Clickjacking first attracted the attention of information security experts more than ten years ago, and since then it has remained very popular with cybercriminals. Today, clickjacking scripts are found on many sites.
Despite constant improvement of the protection mechanisms against this threat by browser developers, it has not been possible to eliminate it.
A team of researchers consisting of Microsoft experts and scientists from China, South Korea and the American University analyzed 250 thousand sites from the Alexa list.
“Because of the critical role of clicks in the Web ecosystem, attackers aim to intercept genuine user clicks to either send malicious commands to another application on behalf of the user or fabricate realistic ad click traffic,” the researchers report.
Researchers have identified three techniques currently used by cybercriminals to intercept clicks.
The clickjacking techniques include intercepting hyperlinks (using third-party scripts that interact with the original URLs, or huge links that cover most of the page), attaching navigation events to page elements, and various visual techniques (for example, copying an original element or using transparent layers).
In a study titled “All Your Clicks Belong to Me: Investigating Click Interception on the Web”, the experts created the Observer framework for monitoring click interception. Because of the dynamic, event-driven nature of web applications, clickjacking scripts cannot be evaluated just by looking at the application code, which is why the Observer tool was developed.
On 613 of the 250 thousand sites studied, the researchers found 437 third-party scripts that intercept clicks. The total audience of these sites is 43 million users per day.
Third-party scripts trick victims into clicking on page elements that either look like original content or are invisible and placed on top of the original content. Some scripts intercept clicks in order to monetize them, the researchers noted.
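A defender's heuristic for spotting the patterns described above (huge links, transparent clickable layers, lookalike elements, and navigation handlers added by third-party scripts), as an added example that is not the researchers' Observer framework; the page origin, viewport and sample elements are constructed.

```javascript
// Added example, not the paper's Observer framework: a heuristic audit of click
// targets for the patterns the article lists (huge links, transparent clickable
// layers, lookalike elements, navigation handlers added by third-party scripts).
// Elements are plain objects so the check runs outside a browser; on a live page
// they would come from getBoundingClientRect(), getComputedStyle() and the script
// URL that registered each click handler.
const PAGE_ORIGIN = "https://news.example";                // constructed first-party origin
const VIEWPORT = { x: 0, y: 0, width: 1280, height: 800 }; // assumed viewport

function overlap(a, b) {                                   // intersecting area of two rects
  const w = Math.min(a.x + a.width, b.x + b.width) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.height, b.y + b.height) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

function isThirdParty(url) {                               // relative hrefs resolve to the page origin
  try { return new URL(url, PAGE_ORIGIN).origin !== PAGE_ORIGIN; } catch { return false; }
}
// el: { id, href, text, rect, opacity, pointerEvents, handlerScript }; handlerScript is
// the URL of the script that attached a navigation handler, or null if there is none.
function auditClickTargets(elements, viewport = VIEWPORT) {
  const vpArea = viewport.width * viewport.height;
  const findings = [];
  for (const el of elements) {
    if (!el.href && !el.handlerScript) continue;           // cannot navigate, skip
    const reasons = [];
    if (overlap(el.rect, viewport) / vpArea > 0.5) reasons.push("covers most of viewport");
    if (el.opacity < 0.1 && el.pointerEvents !== "none") reasons.push("transparent but clickable");
    if (el.handlerScript && isThirdParty(el.handlerScript)) reasons.push("navigation handler from third-party script");
    if (el.href && isThirdParty(el.href)) {                // lookalike of a first-party link it overlaps
      const twin = elements.find(o => o !== el && o.text && o.text === el.text &&
        o.href && !isThirdParty(o.href) && overlap(el.rect, o.rect) > 0);
      if (twin) reasons.push(`overlays first-party element ${twin.id} with same text`);
    }
    if (reasons.length) findings.push({ id: el.id, href: el.href || null, reasons });
  }
  return findings;
}
// Constructed sample page: two benign links, a full-page transparent ad link, a real
// download button with a third-party clone on top, and an image whose click handler
// was registered by a third-party script.
const SAMPLE_ELEMENTS = [
  { id: "nav-home", href: "/", text: "Home", rect: { x: 20, y: 10, width: 60, height: 20 }, opacity: 1, pointerEvents: "auto", handlerScript: null },
  { id: "partner", href: "https://partner.example/", text: "Partner", rect: { x: 900, y: 10, width: 80, height: 20 }, opacity: 1, pointerEvents: "auto", handlerScript: null },
  { id: "overlay-link", href: "https://ads.example/go?c=1", text: "", rect: { x: 0, y: 0, width: 1280, height: 800 }, opacity: 0, pointerEvents: "auto", handlerScript: null },
  { id: "download-real", href: "/download", text: "Download", rect: { x: 100, y: 200, width: 120, height: 40 }, opacity: 1, pointerEvents: "auto", handlerScript: null },
  { id: "download-fake", href: "https://ads.example/dl", text: "Download", rect: { x: 100, y: 200, width: 120, height: 40 }, opacity: 1, pointerEvents: "auto", handlerScript: null },
  { id: "hero-image", href: null, text: "", rect: { x: 0, y: 100, width: 1280, height: 300 }, opacity: 1, pointerEvents: "auto", handlerScript: "https://cdn.tracker.example/click.js" },
];
console.log(JSON.stringify(auditClickTargets(SAMPLE_ELEMENTS), null, 2));
```

The two benign links produce no findings, which is the point of the lookalike check: an external href alone is not suspicious, only one that sits on top of a first-party element with the same text.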
Thus, 36% of the 3251 unique click-interception URLs are associated with advertising, the main way of monetizing the Web. In addition to monetization, cybercriminals use clickjacking to infect user systems with malware.
“Besides monetization, we find that click interception can lead a user to visit malicious contents. In particular, we were directed to some fake anti-virus (AV) software and drive-by download pages when we manually examined some of the click interception URLs,” the researchers said.
The research team considers that their work sheds light on an emerging client-side threat and highlights the need to restrict the privileges of third-party JavaScript code.