Posts tagged ‘clickjack’

A New Clickjack Protection

September 20, 2011

Clickjacking has been a huge problem because it takes advantage of security problems inherent in the Internet’s basic structure. It’s really difficult to tell whether a link or video is pulling a fast one on you. For a long time, Internet users could rely on NoScript, an app that worked with Firefox. It’s a pretty useful app, but it’s hard to rely on a single source of protection. Plus, the problem with having a single form of protection is that you never create competition that encourages NoScript to improve its service.

Now that competition has started.

Zscaler is a new widget that blocks clickjacked objects from unleashing their attacks on you. Unlike NoScript, which only works with Firefox, Zscaler works with Firefox, Chrome, and Safari.

It’s uncertain whether Zscaler actually works better than NoScript.

Actually, whether it’s better is only part of the point. What’s really important is that NoScript now has some competition. It also means that Internet users now have two options to protect themselves from clickjackers.

There’s just one potential problem with this. The more tools we have to protect ourselves, the more open we are to social manipulation. We begin to think that the apps and widgets will protect us no matter what. But they won’t. Clickjackers are always one step away from figuring out how to bypass even the latest security. That means each person has to pay attention to what actions they take online. Even with all the security tools, it’s still up to you to make smart, informed decisions when you’re online.


Server-side Clickjack Protection

September 11, 2011

If you’ve been worrying about clickjacking attacks on the websites you visit often, you might be surprised to learn that sites have the ability to impede these attacks. The fact of the matter is some websites just don’t focus that much on security strategies that would really keep their visitors safe. That isn’t to say that website administrators and developers could prevent all clickjacking attacks, but they could certainly make it harder for hackers to ruin your day.

Quite frankly, social networking sites (especially Facebook) are some of the worst offenders. To some extent, that’s understandable. Consider, for instance, how many people visit Facebook every day. That makes the site a target for clickjackers who want to reach a large audience quickly. Plus, Facebook wants to make it easy for people to share information with each other. Any kind of block could negatively affect service.

When it comes down to it, though, more websites could use server-side clickjacking protection. It’s actually pretty easy.

The most common technique is called a framekiller. It’s a piece of JavaScript that keeps a page from being displayed inside a frame on another site, which is exactly what a clickjacker needs to do to hide it under a fake play button. Unfortunately, it’s not always reliable. Fairly advanced techniques can trick Internet Explorer into ignoring the framekiller and loading the page inside the attacker’s frame anyway.
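As an added example (not code from the original post), here is a framekiller of the kind just described, written so it can be exercised outside a browser, together with the response headers that tell the browser not to frame the page at all. X-Frame-Options already existed when this post was written; the CSP frame-ancestors directive came later. The function names frameKill, clickjackHeaders and handle, the sample page and the partner origin are this example’s own assumptions.

```javascript
'use strict';
// Added example, not code from the original post. Two layers of clickjacking
// defense for a site: the JavaScript "framekiller" the post describes and the
// response headers that make the browser refuse to frame the page at all.
// Window and document objects are passed in as parameters so the logic can be
// exercised outside a browser; frameKill, clickjackHeaders and PAGE are names
// chosen for this example.

// Framekiller. The markup ships the body hidden (body{display:none}) and only
// reveals it once the script confirms the page is top-level. If the page is
// framed, it tries to replace the framing page with itself. Hiding by default
// matters: a hostile frame can sometimes defeat that navigation (the Internet
// Explorer weakness the post alludes to), and a blank page is not a useful
// clickjacking target even when the redirect fails.
function frameKill(win, doc) {
  if (win.top === win.self) {
    doc.body.style.display = 'block';
    return 'shown';
  }
  try {
    win.top.location = win.self.location;
    return 'busting';
  } catch (e) {
    return 'hidden'; // navigation blocked: stay blank
  }
}

// Server-side policy. X-Frame-Options (DENY / SAMEORIGIN) is what browsers
// honored when the post was written; the CSP frame-ancestors directive is the
// newer equivalent and can also name specific trusted origins. Both are sent so
// old and new browsers enforce the same rule.
function clickjackHeaders(policy) {
  if (policy === 'deny') {
    return { 'X-Frame-Options': 'DENY',
             'Content-Security-Policy': "frame-ancestors 'none'" };
  }
  if (policy === 'sameorigin') {
    return { 'X-Frame-Options': 'SAMEORIGIN',
             'Content-Security-Policy': "frame-ancestors 'self'" };
  }
  if (Array.isArray(policy) && policy.length > 0) {
    // X-Frame-Options cannot express an allow-list, so fall back to SAMEORIGIN
    // for browsers that ignore CSP; they still block third-party framing.
    return { 'X-Frame-Options': 'SAMEORIGIN',
             'Content-Security-Policy': "frame-ancestors 'self' " + policy.join(' ') };
  }
  throw new Error('policy must be "deny", "sameorigin" or a list of origins');
}

// Sample page (constructed for this example) that ships the framekiller inline.
// The script sits at the end of the body so document.body exists when it runs.
const PAGE = [
  '<!doctype html><html><head><style>body{display:none}</style></head>',
  '<body><h1>Like this page</h1>',
  '<script>(' + frameKill.toString() + ')(window, document);</script>',
  '</body></html>',
].join('\n');

// Request handler: every HTML response carries the anti-framing headers.
function handle(req, res) {
  const headers = Object.assign({ 'Content-Type': 'text/html; charset=utf-8' },
                                clickjackHeaders('sameorigin'));
  res.writeHead(200, headers);
  res.end(PAGE);
}

// Start a local server only when asked (node framekill.js --serve) so the file
// can also be loaded by tests without opening a port.
function startServer(port) {
  const http = require('http');
  return http.createServer(handle).listen(port);
}
if (process.argv.includes('--serve')) {
  startServer(8080);
  console.log('listening on http://localhost:8080');
}
```

Run it with `node framekill.js --serve` and open the page in a browser, then try loading it inside an iframe on a page from another origin: the headers stop the framing before the script ever runs, and the script is only the fallback for browsers that ignore the headers. The allow-list branch goes a step beyond the post: it shows how frame-ancestors lets a site permit one trusted partner to frame it, something X-Frame-Options cannot express.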

Should websites have more responsibility when it comes to protecting visitors? That depends. A site like Facebook should definitely lead the security development to stop clickjacking. They’re big enough and have enough resources to take on the problem. Plus, it’s in their best interest to offer more safety to their members. Since Facebook doesn’t have a true competitor, though, the company might not feel too motivated in this area.

How Many Facebook Videos Have Been Clickjacked?

September 10, 2011

If you’re on Facebook, then you have to know that some of the videos you see posted on the walls of friends are clickjacked. Clickjacked videos typically have invisible frames hovering over them, either over the whole video or just over the play button. When you push play on the video, you may or may not actually get to watch it. What you actually do is unleash a tactic called UI redressing. More than likely, clickjacked videos just repost themselves on your wall without your permission.

That’s kind of scary, especially considering that some of the clickjacked videos can steal personal information from your computer that allows hackers to steal your identity.

What’s even more scary is that research now shows that 15 percent of videos on Facebook are clickjackers. That’s right. 15 percent. That means that for every ten videos you see, more than one of them has been clickjacked. Click on ten random videos and you’re going to get clickjacked at least once.

Let’s face it, Facebook hasn’t done much to stop this kind of behavior. They pretty much let anyone post anything without discretion (unless it’s porn, I guess. They have a thing against porn).

Yet again, that means you need to protect yourself by avoiding shady videos. If you see a video that doesn’t look like your friend actually posted it, then don’t click it. If your uncle who’s totally into football posts a video about Lady Gaga, then you can feel pretty certain that it’s a clickjack. There’s just something not right with it, so stay away.

Man in Wheelchair Falls to Death LOL

September 8, 2011

Fans of the Darwin Awards might find it entertaining to read about the dumbest possible ways that people die, but there’s a big difference between shaking your head at a written account of someone’s death and watching a video of it.

Recently, the moral fiber of Facebook users was tested by a post that reads

Man in wheelchair falls down the elevator shaft *SHOCKING VIDEO*
[LINK deleted]
This video is really shocking. A man in a wheelchair is falling down the elevator shaft.

If you followed the link, then you found a fake Facebook page with what looked like an embedded video. Sorry, you’re not going to get to watch the gruesome video. In fact, such a video probably doesn’t even exist.

What you get, instead, is a clickjack. A lot of people have commented (and I kind of agree) that anyone who fell for this horrible scam got what they deserved.

If you use Firefox with the NoScript application, then you got a warning about the UI redressing attempt, as clickjacking is technically called. If you don’t use this security app, though, you were prompted to take an online survey. After taking the survey, you didn’t even get to watch the video. How lame is that?

Many clickjackers use online surveys to earn money. By tricking people into visiting survey websites, they know that a small number will actually answer the questions. For each person that fills out the survey, the clickjackers earn a small amount of money that quickly adds up.


Clickjacking Affects Businesses Too

September 4, 2011

If you use the Internet, then you should know something about clickjacking. Simply put, you should know that it makes your browser perform an action that you didn’t (intentionally) execute. That can cause various problems, such as posting information on your Facebook page, buying items on Amazon, or stealing your private information.

So, you know that there are some risks. If you’re smart, then you try to avoid suspicious videos and links. You might even use a widget or app that helps you detect potentially clickjacked sites.

But you’re just one person. Most of the time, you can protect yourself, but you know that things slip through every now and then. Chances are that you don’t even know when it happens. You just go about your day without knowing anything about it at all.

It’s a different story, though, when you are a business. Businesses have to worry about hundreds or thousands of employees clicking objects on the Internet. That means they are at a higher risk of contamination. It’s no wonder that so many businesses focus on security strategies that involve keeping a close eye on every employee.

You have to worry about things like identity theft. Businesses, however, have to worry about viruses stealing information about their clients. A business’s network often contains the credit card information and addresses of thousands of clients, not to mention the information they use to confirm a customer’s identity when that customer contacts them.

This is a big concern for businesses, and that probably includes your employer. If your work doesn’t let you browse the Internet freely, there’s probably a good reason for that.


New Low: Clickjackers Capitalize on Death of British Pilot

August 23, 2011

Last weekend a British pilot died after his plane crashed during a Red Arrows display at the Bournemouth Air Festival. He had family and friends and people who loved him. As far as clickjackers were concerned, though, he mostly had earning potential.

Not long after the crash was reported, a Facebook message started circulating that promised to show video of the accident. Regardless of how compassionate most people are (thousands joined a Facebook group showing support for the pilot’s family), they also have a tendency to stare at car crashes and watch movies like Jackass, where people get hurt in supposedly hilarious ways. They just can’t not look at something spectacular, even when the event was tragic.

Clicking on the video link, however, doesn’t take you to a YouTube video. Clicking on the link does, however, share the message with all of your Facebook pals.

In the typical way, this clickjack gets spread quickly through the Internet. Even if only two people click on the message posted by your account, and then two people click on the messages posted by them, and so on, you quickly get thousands of people falling for the scam. The numbers increase exponentially, so they really get moving once you hit the triple digits.

It’s stunningly heartless for someone to use this tragic event to earn money. I’m sure that some people, however, think that the clickjack victims have gotten what they deserve. They shouldn’t have followed the message in the first place. I think that’s a bit too harsh. Following the message might mean that you’re gullible, but it doesn’t mean that you are a bad person. At least not any worse than the thousands of other people who wanted to see the crash that they had heard so much about.

Getting Clickjacked by Lady Gaga

August 6, 2011

It doesn’t matter whether you love Lady Gaga or hate her, she certainly has an odd charisma that attracts people. That charisma has helped her sell millions of copies of her danceable songs. (Personally, I like the meaning behind her songs much more than I like the music, but I think I’m just a little too old to dig it. If she’d been around in the 80s, though, I probably would have loved her.)

As soon as someone exposes the public to that level of charisma, though, someone else will try to make money from it.

In 2011, that means someone is going to use your fame to clickjack a bunch of people on Facebook.

Over the past couple of days, a message has been spreading through Facebook that claims Lady Gaga was found dead in a hotel room. The message carries a video link that you supposedly click on to watch news footage about her death. As an awesome and disturbing side note, the video has a message that reads “This is the most awful day in the US history.” Forget the strange choice of words (“the US history”?). Who would actually believe that this is a legitimate news broadcast? Come on, it’s obviously not the most awful day in US history… What about the day that John Lennon was killed!

Despite the ridiculous nature of the post, a lot of people have clicked on it. And they got clickjacked, of course. Oh, gullible people so unwilling to read the small print.

A Spider Under The Skin, or a Clickjack on Your Nerves?

August 1, 2011

Would you like to see video of a large spider living underneath someone’s skin? Personally, I’d pass. Still, I can understand that a lot of people would want to see that video. After all, look at how many people go to see horror movies and throw their necks out of whack as they stare at car accidents.

A morbid sense of curiosity, however, can lead to bad things when you’re on Facebook.

A recent clickjacking attack used the spider video as bait to convince Facebook users (I’m guessing mostly boys and young men) to follow a link. Unfortunately for them, they didn’t get to see a gnarly video. They just got clickjacked, which, in this case, means that the link instructed the Facebook account to post the message on the user’s wall so that her or (again, more than likely) his friends would see it and think “oh man, awesome, I totally want to see some of that nastiness!”

There were numerous messages floating around with this clickjacked link attached. Even a bilingual one in Spanish and English! Some of the examples include:

Una Araña debajo de la piel. A spider under your skin!
http://www.youtube.com
Él dice que era una araña bajo la piel, ¿qué dices? He says there was a spider under the skin, what do you say?

Amazing! Spider is Growing Under Woman Skin
scaryspideomg.tumblr.com
WARNING: Sh0ck1ng Footage!

Amazing how a spider can go under your skin This spider is brutal..
stillfb.in
WTF – There is a spider inside the skin of this girl, extremely painful !

Here’s a new rule to live by — If it sounds too rad to be true, then it’s probably a clickjack.

Clickjack Takes Advantage of Tragedy in Oslo

July 23, 2011

If you are the lowest of the low, then you spend your time thinking of ways to make money off of the suffering of other people. The way that you manage to earn your disgusting living depends on what type of skills you have. If you are a great motivator or actor, then you might make money by setting up a fake charity that supposedly benefits the families of victims in the recent Oslo tragedy (in case you don’t know, some wingnut shot a whole bunch of people. It was an instance of terrorism that many people didn’t see coming because of the ridiculous blinders that they wear. The shooter wasn’t Muslim. He was a white Christian. It took journalists more than a day to recognize that they were wrong about the man’s religion and ethnicity, but I digress in a serious way…)

If you have a bit of tech experience, then you create clickjacked links to exploit the memories of those killed in Oslo. Perhaps you start a Facebook post that asks for donations to your fake charity, or maybe you hijack a link so that it directs caring people to some stupid survey site that has agreed to pay you money whenever you send someone their way. Or even better yet, maybe you promise video of the shooting, and when people follow the link, they buy items from an online retailer without ever agreeing to such a purchase.

All of these things have happened. If you were behind them, then I hope you never enjoy a single cent that you made from the pain of these people. You’re a cheat. You don’t even have the intelligence to con someone. You just have the rote ability to make an annoying link that benefits you and only you.

Worms Take Clickjacking to a New Level on Twitter

July 1, 2011

I’ve never been a big fan of Twitter. I could never get beyond that tiny character limit. I just ramble too much, so it doesn’t work for me.

That aside, I think it’s a cool service and I understand why so many people use it.

What disappoints me, though, is how many people seem to think that it is a completely safe community that allows them to follow links with impunity. As if the people on Twitter (which, if recent polls are correct, is everyone in the world but me and a handful of people in China) were all good natured and never thought about how they might use this increasingly popular service to screw a bunch of people over.

Yeah, I hate to bust your bubble, but popular places in the virtual world are just like popular places in the real world: they attract criminals.

A group of researchers say that they have created a worm virus for Twitter that kind of acts like a clickjacking attack on steroids… AND crack. If that sounds like an overstatement, then check this quote from Lance James, one of the researchers at Secure Science, who said that

You can couple an attack with our code and it would just tear the crap out of Twitter

Just lovely. Kind of makes you wonder why these researchers spend their time making computer viruses that could tear the crap out of anything. It’s like those biologists who intentionally make viruses that don’t exist yet.

What’s the point?

The point is defense. If security experts can stay ahead of clickjackers, then they have a much better chance of stopping nefarious technologies as soon as they are released. Still, it’s kind of a frightening thought.