Thursday, November 24, 2011

Clickjacking and Internet Safety

The fast pace of development of new internet technology is aimed at improving users' online experiences. Microphones and webcams are always available to make online communication complete with audio and video. Web browsers make use of every new feature that is rolled out to them, either for free or for a price. There are even social networking sites where people share their thoughts, including their likes and dislikes.

Sadly, online criminals are always looking for ways to use these new tools for their own benefit. Legitimate programs and products are now being attacked by these criminals in the guise of similar beneficial tools. One newly launched, subtle but disastrous attack is called “clickjacking”, known in technical terms as user interface (UI) redressing. It tricks and lures users into initiating unwanted actions.

Facebook’s Like and Share features have been used in this attack. These two legitimate buttons are made transparent and placed over what appear to be genuine pages. The pages seem “real”, so users are tricked into clicking those buttons. The users do not realize that they are actually “liking” rogue pages or posting spam on their walls. Another tactic that criminals use is invisible iframes, in which users are tricked into clicking buttons that enable access to their own webcams and microphones. An incident of this sort, called the “webcam spying attack”, happened sometime in 2006. This one seems more severe because it could produce destructive results.

Clickjacking was first discovered by a Stanford University computer science student. His finding confirmed a similar experience reported by an unnamed researcher in earlier years. The method is a combination of legitimate web programming features and social engineering. The Stanford student found that Adobe’s Flash Player is susceptible to such attacks. He notified the company, which promptly responded by fixing the fault that would allow webcam spying.
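
Both the transparent-button overlay and the invisible iframe described above depend on the target page agreeing to render inside another site's frame. The following is an added example, not part of the original post: a check a site owner can run over their own response headers to see whether framing is restricted. The helper name `framingPolicy` and the sample headers are constructed for illustration, and the code assumes lower-cased header names and a single Content-Security-Policy per response.

```javascript
// Added example (not from the original post): classify how a response's
// headers restrict framing. framingPolicy is a hypothetical helper name.
// Assumes lower-cased header names and a single CSP policy per response.
function framingPolicy(headers) {
  // An enforced CSP frame-ancestors directive overrides X-Frame-Options.
  const csp = headers['content-security-policy'] || '';
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'frame-ancestors') continue;
    const list = sources.map((s) => s.toLowerCase());
    if (list.length === 0 || list.every((s) => s === "'none'")) return 'deny';
    // "*" or a bare scheme such as "https:" lets practically any site frame the page.
    if (list.some((s) => s === '*' || s.endsWith(':'))) return 'unprotected';
    if (list.every((s) => s === "'self'")) return 'sameorigin';
    return 'allowlist';
  }
  // X-Frame-Options: repeated headers arrive comma-joined.
  const xfo = new Set((headers['x-frame-options'] || '').toLowerCase()
    .split(',').map((v) => v.trim()).filter(Boolean));
  const known = ['deny', 'sameorigin', 'allowall'].some((v) => xfo.has(v));
  // Per the HTML Standard, conflicting values block framing, while a list
  // made up only of unrecognised values is ignored.
  if (xfo.size > 1) return known ? 'deny' : 'unprotected';
  if (xfo.has('deny')) return 'deny';
  if (xfo.has('sameorigin')) return 'sameorigin';
  // Missing header, ALLOWALL, obsolete ALLOW-FROM, or a typo: no protection.
  return 'unprotected';
}

// Constructed sample responses (not captured from any real site).
const samples = {
  'no headers': {},
  'legacy ALLOW-FROM': { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  'XFO only': { 'x-frame-options': 'SAMEORIGIN' },
  'CSP wins over XFO': {
    'x-frame-options': 'DENY',
    'content-security-policy': "default-src 'self'; frame-ancestors https://partner.example",
  },
};
for (const [label, headers] of Object.entries(samples)) {
  console.log(`${label}: ${framingPolicy(headers)}`);
}
```

A result of `unprotected` means any other site can load the page in a frame, which is the precondition for the overlay trick.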

Image: basketman / FreeDigitalPhotos.net
