Posts tagged ‘clickjack’

A New Clickjack Protection

September 20, 2011

Clickjacking has been a huge problem because it takes advantage of security problems inherent in the Internet’s basic structure. It’s really difficult to tell whether a link or video is pulling a fast one on you. For a long time, Internet users could rely on NoScript, an app that worked with Firefox. It’s a pretty useful app, but it’s hard to rely on a single source of protection. Plus, the problem with having a single form of protection is that you never create competition that encourages NoScript to improve its service.

Now that competition has started.

Zscaler is a new widget that blocks clickjacked objects from unleashing their attacks on you. Unlike NoScript, which only works with Firefox, Zscaler works with Firefox, Chrome, and Safari.

It’s uncertain whether Zscaler actually works better than NoScript.

Actually, whether it’s better is only part of the point. What’s really important is that NoScript now has some competition. It also means that Internet users now have two options to protect them from clickjackers.

There’s just one potential problem with this. The more tools we have to protect ourselves, the more open we are to social manipulation. We begin to think that the apps and widgets will protect us no matter what. But they won’t. Clickjackers are always one step away from figuring out how to bypass even the latest security. That means each person has to pay attention to what actions they take online. Even with all the security tools, it’s still up to you to make smart, informed decisions when you’re online.



Server-side Clickjack Protection

September 11, 2011

If you’ve been worrying about clickjacking attacks on the websites you visit often, you might be surprised to learn that sites have the ability to impede these attacks. The fact of the matter is some websites just don’t focus that much on security strategies that would really keep their visitors safe. That isn’t to say that website administrators and developers could prevent all clickjacking attacks, but they could certainly make it harder for hackers to ruin your day.

Quite frankly, social networking sites (especially Facebook) are some of the worst offenders. To some extent, that’s understandable. Consider, for instance, how many people visit Facebook every day. That makes the site a target for clickjackers that want to reach a large audience quickly. Plus, Facebook wants to make it easy for people to share information with each other. Any kind of block could negatively affect service.

When it comes down to it, though, more websites could use server-side clickjacking protection. It’s actually pretty easy.

The most common technique is called a framekiller. It’s a piece of JavaScript that stops a page from loading inside a frame on a different site. Unfortunately, it’s not always reliable. It’s especially easy for fairly advanced hacking techniques to trick Internet Explorer into loading the framed page anyway.
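The framekiller idea from the paragraph above, as an added example that is not code from the original post. It is written to run under Node, so `win` is an assumed stand-in for the browser’s window object (in a real page the check is `if (top !== self)`), and the header-based alternative that a site should prefer is shown beside it.

```javascript
// A page is "framed" when the window it runs in is not the top-level window.
function isFramed(win) {
  return win.top !== win.self;
}

// Classic framekiller: if framed, navigate the top window to our own URL so
// the attacker's page (and its invisible overlay) disappears. Returns whether
// it fired. In a browser this is: if (top !== self) top.location = self.location;
function framekill(win) {
  if (!isFramed(win)) return false;
  win.top.location = win.self.location;
  return true;
}

// Why the script alone is unreliable: the page that embeds you decides whether
// your script runs at all (a sandboxed <iframe> without allow-scripts never
// executes it, and legacy IE had a "restricted" mode with the same effect).
// A response header is enforced by the browser before any page script loads,
// so it is the defence a site should actually deploy. Both headers are sent
// because older browsers know only X-Frame-Options.
function antiFramingHeaders(allowSameOrigin) {
  return allowSameOrigin
    ? { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'" }
    : { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
}

// Constructed window objects: one page loaded inside an attacker's frame, one not.
function demo() {
  const attackerTop = { location: 'https://attacker.example/shocking-video' };
  const framed = { top: attackerTop, self: { location: 'https://site.example/like' } };
  const standalone = {};
  standalone.top = standalone;
  standalone.self = standalone;
  return {
    framedFired: framekill(framed),          // true: top window now points at our page
    topNow: attackerTop.location,            // 'https://site.example/like'
    standaloneFired: framekill(standalone),  // false: nothing to escape from
    headers: antiFramingHeaders(false),
  };
}

module.exports = { isFramed, framekill, antiFramingHeaders, demo };
```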

Should websites have more responsibility when it comes to protecting visitors? That depends. A site like Facebook should definitely lead the security development to stop clickjacking. They’re big enough and have enough resources to take on the problem. Plus, it’s in their best interest to offer more safety to their members. Since Facebook doesn’t have a true competitor, though, the company might not feel too motivated in this area.

How Many Facebook Videos Have Been Clickjacked?

September 10, 2011

If you’re on Facebook, then you have to know that some of the videos you see posted on the walls of friends are clickjacked. Clickjacked videos typically have invisible frames hovering over them, either over the whole video or just over the play button. When you push play on the video, you may or may not actually get to watch it. What you actually do is unleash a tactic called UI redressing. More than likely, clickjacked videos just repost themselves on your wall without your permission.

That’s kind of scary, especially considering that some of the clickjacked videos can steal personal information from your computer that allows hackers to steal your identity.

What’s even more scary is that research now shows that 15 percent of videos on Facebook are clickjackers. That’s right. 15 percent. That means that for every ten videos you see, more than one of them has been clickjacked. Click on ten random videos and you’re going to get clickjacked at least once.

Let’s face it, Facebook hasn’t done much to stop this kind of behavior. They pretty much let anyone post anything without discretion (unless it’s porn, I guess. They have a thing against porn).

Yet again, that means you need to protect yourself by avoiding shady videos. If you see a video that doesn’t look like your friend actually posted it, then don’t click it. If your uncle who’s totally into football posts a video about Lady Gaga, then you can feel pretty certain that it’s a clickjack. There’s just something not right with it, so stay away.

Man in Wheelchair Falls to Death LOL

September 8, 2011

Fans of the Darwin Awards might find it entertaining to read about the dumbest possible ways that people die, but there’s a big difference between shaking your head at a written account of someone’s death and watching a video of it.

Recently, the moral fiber of Facebook users was tested by a post that reads:

Man in wheelchair falls down the elevator shaft *SHOCKING VIDEO*
[LINK deleted]
This Video is really shocking. a man in a wheelchair is falling down the elevator shaft.

If you followed the link, then you found a fake Facebook page with what looked like an embedded video. Sorry, you’re not going to get to watch the gruesome video. In fact, such a video probably doesn’t even exist.

What you get, instead, is a clickjack. A lot of people have commented (and I kind of agree) that anyone who fell for this horrible scam got what they deserved.

If you use Firefox with the NoScript application, then you got a warning about the UI redressing attempt, as clickjacking is technically called. If you don’t use this security app, though, you were prompted to take an online survey. After taking the survey, you didn’t even get to watch the video. How lame is that?

Many clickjackers use online surveys to earn money. By tricking people into visiting survey websites, they know that a small number will actually answer the questions. For each person that fills out the survey, the clickjackers earn a small amount of money that quickly adds up.


Clickjacking Affects Businesses Too

September 4, 2011

If you use the Internet, then you should know something about clickjacking. Simply put, you should know that it makes your browser perform an action that you didn’t (intentionally) execute. That can cause various problems, such as posting information on your Facebook page, buying items on Amazon, or stealing your private information.

So, you know that there are some risks. If you’re smart, then you try to avoid suspicious videos and links. You might even use a widget or app that helps you detect potentially clickjacked sites.

But you’re just one person. Most of the time, you can protect yourself, but you know that things slip through every now and then. Chances are that you don’t even know when it happens. You just go about your day without knowing anything about it at all.

It’s a different story, though, when you are a business. Businesses have to worry about hundreds or thousands of employees clicking objects on the Internet. That means they are at a higher risk of contamination. It’s no wonder that so many businesses focus on security strategies that involve keeping a close eye on every employee.

You have to worry about things like identity theft. Businesses, however, have to worry about viruses stealing information from their clients. A business’s network often contains the credit card information and addresses of thousands of clients, not to mention the information that they use to confirm your identity when customers contact them.

This is a big concern for businesses, and that probably includes your employer. If your work doesn’t let you browse the Internet freely, there’s probably a good reason for that.


New Low: Clickjackers Capitalize on Death of British Pilot

August 23, 2011

Last weekend a British pilot died after his plane crashed during a Red Arrows display at the Bournemouth Air Festival. He had family and friends and people who loved him. As far as clickjackers were concerned, though, he mostly had earning potential.

Not long after the crash was reported, a Facebook message started circulating that promised to show video of the accident. Regardless of how compassionate most people are (thousands joined a Facebook group showing support for the pilot’s family), they also have a tendency to stare at car crashes and watch movies like Jackass, where people get hurt in supposedly hilarious ways. They just can’t not look at something spectacular, even when the event was tragic.

Clicking on the video link, however, doesn’t take you to a YouTube video. What it does do is share the message with all of your Facebook pals.

In the typical way, this clickjack gets spread quickly through the Internet. Even if only two people click on the message posted by your account, and then two people click on the messages posted by them, and so on, you quickly get thousands of people falling for the scam. The numbers increase exponentially, so they really get moving once you hit the triple digits.

It’s stunningly heartless for someone to use this tragic event to earn money. I’m sure that some people, however, think that the clickjack victims have gotten what they deserve. They shouldn’t have followed the message in the first place. I think that’s a bit too harsh. Following the message might mean that you’re gullible, but it doesn’t mean that you are a bad person. At least not any worse than the thousands of other people who wanted to see the crash that they had heard so much about.

Getting Clickjacked by Lady Gaga

August 6, 2011

It doesn’t matter whether you love Lady Gaga or hate her, she certainly has an odd charisma that attracts people. That charisma has helped her sell millions of copies of her danceable songs. (Personally, I like the meaning behind her songs much more than I like the music, but I think I’m just a little too old to dig it. If she’d been around in the 80s, though, I probably would have loved her.)

As soon as someone exposes the public to that level of charisma, though, someone else will try to make money from it.

In 2011, that means someone is going to use your fame to clickjack a bunch of people on Facebook.

Over the past couple of days, a message has been spreading through Facebook that claims Lady Gaga was found dead in a hotel room. The message carries a video link that you supposedly click on to watch news footage about her death. As an awesome and disturbing side note, the video has a message that reads “This is the most awful day in the US history.” Forget the strange choice of words (“the US history”?). Who would actually believe that this is a legitimate news broadcast? Come on, it’s obviously not the most awful day in US history… What about the day that John Lennon was killed!

Despite the ridiculous nature of the post, a lot of people have clicked on it. And they got clickjacked, of course. Oh, gullible people so unwilling to read the small print.