What is Clickjacking?
Clickjacking takes place when a fraudster overlays a fake website interface on top of another page and steals the clicks made on that fake interface in order to use them on a real site. Users come across these illegal overlays by chance and assume that after filling in a field, clicking a link, or entering their password, they will get access to what they see in front of them.
Instead, they have been deceived by a scammer. Their click was “hijacked” and used to perform a different action on another website. Their keyboard input was also “hijacked” in order to capture their password and log into their accounts without their knowledge. The uses for this type of fraudulent activity are endless.
In most cases, the stolen clicks or keystrokes are redirected to pages owned by another application or domain. This trick happens right in front of your eyes, without you even realizing it.
How do I spot a clickjacking scam?
For this trick to work, the scammer usually must lure the user into taking an action. To this end, scammers often come up with incredible offers on popular high-tech devices, free coupons, and the like. If something sounds too good to be true, it probably is, and you should avoid any interaction with that website.
In many cases, a fraudulent website lacks the HTTP that is normally placed in front of a URL. HTTP headers or Strict Transport Security (HSTS) help secure communication between a company’s website and a user. If neither of these two indicators appears in the header of a website, it is advisable to leave the website.
Remember that a fake website can look deceptively real. Many of the logos, colors, fonts, and images that a scammer would need to convincingly mimic a website are readily available on the Internet. Just because something looks authentic doesn’t mean it’s real. When in doubt, close the website.
How can you avoid clickjacking scams?
The best way to protect yourself from clickjacking scams is to avoid these websites entirely. Always update your web browsers with the latest versions available. Newer versions warn you about suspicious websites.
The same goes for the security of your home computers: keep them up to date with reliable software to prevent your personal information from falling victim to fraudsters.
Always log out of websites that you use frequently, such as email, online banking, Facebook, and Amazon. Scammers know that most users do not log out of these websites regularly and take advantage of this negligence in developing their scams. If you leave these accounts open, scammers can “like” things on your Facebook page and even shop online under your name.
Companies should also take steps to protect themselves and their users from clickjacking scams. The easiest way to do this is with “X-Frame-Options”, an HTTP response header that tells a browser whether it is allowed to render the page inside a frame (a <frame>, <iframe>, or <object> element). In this way, companies can ensure that their content is not embedded in a scammer’s fake website.
For older browsers, a JavaScript “frame killer” can be used to prevent the page from being rendered inside a frame. Note, however, that a frame killer can be bypassed if the page content is displayed before the check has run.
<style> html { display: none; } </style>
<script>
  // Frame killer: the page is hidden by default (see the <style> rule above)
  // and is only made visible once the script confirms that this window is
  // the top-level window, i.e. the page is not embedded in a frame.
  if (self == top) {
    document.documentElement.style.display = 'block';
  } else {
    // Framed by another page: replace the framing page with this one.
    top.location = self.location;
  }
</script>
However, all users should be vigilant about their online security and avoid situations online that do not convey an authentic impression. The more users get used to safe online behavior, the safer everyone becomes in an online community.
The post Clickjacking first appeared on e2 Security.