You’ve Been Clickjacked!
So you have the latest in DDoS and WAF protection. You’ve ensured your company is protected against SQL injections and cross-site scripting, but then an employee clicks on a pop-up to win a free iPad and your network has suddenly been infiltrated with malicious code. What happened?
In analyzing the 2015 cyber trends, we have found that cyber attackers can effectively defeat IP-based defense systems by launching application-level attacks that originate from real – but dynamic – IP addresses. One of the most common variations of dynamic IP attacks is clickjacking. People may have come to believe that clickjacking is an old-school tactic made up of spreading spam via social networks, but it has evolved into sophisticated new forms, making traditional defense paradigms insufficient.
Let’s understand how these new clickjacking forms work, discover the implications to businesses, and explore challenges and best practices in defending against them.
What is Clickjacking?
Also known as UI redressing, clickjacking is when a user thinks they are interacting safely with a legitimate web page, but in fact, there is a malicious script running behind the image or text the user interacts with, aiming to infiltrate their computer and steal sensitive data.
Attackers use transparent iframes and malicious JavaScript to overlay the real website, so the user clicks the attack interface and interacts with the attacker’s program. For example, the user thinks they are entering to win a free iPad, when in fact they are transferring cash from their bank to the attacker, as Troy Hunt beautifully illustrates.
Moreover, clickjacking lets hackers sidestep CSRF token protection and manipulate browser behavior – repositioning the cursor, placing fragmented frames and more. It’s even easier when a site runs on an open source application (PHP, Drupal, WordPress, etc.).
Another form of clickjacking, which was very popular 3-4 years ago on social networks, is to embed traps in the news feed that look like an exclusive piece of content, leading users to unwanted webpages where the attacker’s code is running and sometimes even asks for personal details. This led information security officers to underestimate the risks that clickjacking poses, treating it as a reputational issue rather than a security issue.
Three New Developments in Clickjacking
Today clickjacking is all over the place. Its purposes vary from spreading spam, installing bots and injecting a virus or spyware to stealing data and more. While the click-trap method became less popular and less efficient as it became more common, the use of transparent layers has evolved in sophistication and now resides in attackers’ ammo boxes, to be used in conjunction with other attack vectors simultaneously.
Here are common cases:
- 2nd phase of social engineering: It is already common knowledge that many attacks, campaigns and APTs begin with profiling the target, the carefully selected individuals who are the access point to the organization. After all available personally identifiable information has been gathered, the next stage is malware injection, and clickjacking is one of the ways to do it.
- Leveraging cloud services: Many cloud providers offer a free tier for developers and users who want to run small-sized servers and applications on cloud infrastructure. This ease of use has a hefty price tag: insufficient security validations that enable hackers to abuse the cloud services and generate massive quantities of fraudulent accounts. It’s fertile ground for hackers who continually seek access to more servers and services for the purpose of launching malicious activities. The dynamic variety of IPs is exactly what a clickjacker needs for an evasive campaign.
- Attacks on mobile devices: During the 2016 RSA conference, security company Skycure revealed that 65% of Android devices are vulnerable to clickjacking and that modern mobile malware can evade detection by scanners that rely on signatures and common analytics. In today’s BYOD world, this is yet another access point to the corporate network.
How Does Using Dynamic IPs Perplex Security Teams?
Dynamic IP attacks target Layer 7, the application layer. Using real IP addresses, they establish a full three-way TCP handshake and successfully pass cookie and JavaScript challenges. These attacks are highly disruptive, and they make it difficult, if not impossible, for IP-based defense systems to distinguish legitimate from malicious visitors. To overcome traditional defenses, attackers commonly use headless browser software, such as PhantomJS or a Selenium WebDriver. They also employ multiple evasion tactics. To avoid triggering size- or rate-limiting thresholds, they split the load between dozens of IP addresses and constantly add new ones. Human-like “behaviors” are incorporated: starting at different landing pages and mimicking human-like timings and patterns of movement. They can be especially difficult to detect when attacks are low rate and low volume and are spread over time and across a large pool of changing IP addresses.
Clickjacking traffic blends in with the log entries generated by real users, making it an extremely hard task to compare the two and tell them apart.
Why are Businesses More Vulnerable?
As mentioned, most security teams are concerned with XSS and SQLi and tune their controls against them. They often don’t prepare for clickjacking. The concern is even larger because this type of malware – whatever it may be – can later spread across the company network, finally reaching its servers. It only takes one employee logged into your network to fall for a clickjack, and then they’re in. This way perpetrators can gain control of workstations by installing bots, steal confidential data, spy on business conduct, demand ransom, and more.
Since clickjacking is hard to track and considered low risk, not all businesses have the know-how and the resources to prevent clickjacks, so they remain vulnerable. They should consider updating their policies for employees and users who access corporate devices, networks or data, and patching when required.
Thwarting Clickjacking Attempts
Clickjacking protection involves preventing other web pages from framing your website. Countermeasures can be implemented either in the page code itself or in the browser.
There are two main ways to prevent clickjacking (source: www.OWASP.org):
- Sending the proper X-Frame-Options HTTP response header, which instructs the browser not to allow framing from other domains
- Employing defensive code in the UI to ensure that the current frame is the top-level window
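As an added example (not code from the article or from OWASP), the following JavaScript turns both countermeasures into testable functions: one evaluates a site’s own response headers to see whether a given parent origin could frame it, and one is the in-page top-level check. It goes slightly beyond the article by also honouring the CSP frame-ancestors directive; the origins and header values used are constructed placeholders.

```javascript
// Added example (not from the original article): two offline checks that map
// to the OWASP countermeasures above. Header names are real; sample values are
// constructed. Also handles the CSP frame-ancestors directive, which modern
// browsers honour in preference to X-Frame-Options.

// Would a browser let pageOrigin be framed by parentOrigin, given the page's
// response headers? Returns true when framing would be permitted.
function framingAllowed(headers, pageOrigin, parentOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // CSP frame-ancestors, when present, overrides X-Frame-Options.
  const csp = h['content-security-policy'] || '';
  const m = /(?:^|;)\s*frame-ancestors\s+([^;]+)/i.exec(csp);
  if (m) {
    const sources = m[1].trim().split(/\s+/).map(s => s.replace(/^'|'$/g, ''));
    if (sources.includes('none')) return false;
    if (sources.includes('self') && parentOrigin === pageOrigin) return true;
    return sources.some(s => s === '*' || s === parentOrigin);
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parentOrigin === pageOrigin;
  return true; // no anti-framing header: any site may embed the page
}

// Defensive UI code modelled on the OWASP frame-busting pattern for browsers
// that ignore the header: keep the body hidden unless this frame is the
// top-level window. `win` is a window-like object so the logic is testable
// outside a browser; in a real page call ensureTopLevel(window).
function ensureTopLevel(win) {
  const body = win.document.body;
  if (win.self === win.top) {
    body.style.display = 'block';         // not framed: reveal the page
    return true;
  }
  body.style.display = 'none';            // framed: keep content hidden
  win.top.location = win.self.location;   // and try to break out of the frame
  return false;
}
```

Run framingAllowed against the headers your own site actually returns (for example, copied from a curl -I response) to confirm that a foreign origin is refused.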