Posted tagged ‘clickjacking’

IE Only Offers Some Clickjacking Protection

September 23, 2011

It’s a given that you want to keep yourself safe from clickjacking scams. They’ve been known to cause all kinds of trouble. Not only do they post potentially embarrassing information to your social networking profile, but they can install viruses on your computer that will steal personal information that lets hackers commit identity theft.

You’d expect all Internet browsers to take this threat pretty seriously. After all, who would want to use a browser that exposes you to such a threat?

Unfortunately, though, some browsers are better than others at protecting you from clickjacking threats.

IE 8, for instance, looks for a tag that website designers use to prevent content from loading in frames. By getting rid of the frames, you solve a large part of the clickjacking problem. IE 8, however, relies on the website, not the user. That’s not very helpful for most people. If individual users had the option to say “don’t use any frames,” then they could rely on near-universal protection. When you leave it up to website developers, though, you’ve only offered help for those that don’t need it. If a website chooses to use the no frames tag, then they’re obviously not trying to clickjack visitors. That leaves things wide open for clickjackers that create sites specifically to attract victims.

This is the kind of protection that could actually cause more harm than good.

If nothing else, Internet Explorer should alert users when they have reached a page that does not protect them. Then the user can decide whether he or she wants to proceed. It would also encourage more web designers to include the tags when they build new sites.

Clickjacking Affects Businesses Too

September 4, 2011

If you use the Internet, then you should know something about clickjacking. Simply put, you should know that it makes your browser perform an action that you didn’t (intentionally) execute. That can cause various problems, such as posting information on your Facbeook page, buying items on Amazon, or stealing your private information.

So, you know that there are some risks. If you’re smart, then you try to avoid suspicious videos and links. You might even use a widget or app that helps you detect potentially clickjacked sites.

But you’re just one person. Most of the time, you can protect yourself, but you know that things slip through every now and then. Chances are that you don’t even know when it happens. You just go about your day without knowing anything about it at all.

It’s a different story, though, when you are a business. Businesses have to worry about hundreds or thousands of employees clicking objects on the Internet. That means they are at a higher risk of contamination. It’s no wonder that so many businesses focus on security strategies that involve keeping a close eye on every employee.

You have to worry about things like identity theft. Businesses, however, have to worry about viruses stealing information from their clients. A business’s network often contains the credit card information and addresses of thousands of clients, not to mention the information that they use to confirm your identity when customers contact them.

This is a big concern for businesses, and that probably includes your employer. If your work doesn’t let you browse the Internet freely, there’s probably a good reason for that.

 

Why Do Clickjackers Do It?

August 29, 2011

Clickjacking requires pretty rudimentary programming skills. You can take a couple of college classes and learn all of the skills that you need to implement a fairly successful clickjacking campaign. Just because something is easy, though, doesn’t mean that someone will do it. There has to be some kind of reward, right?

Not surprisingly, the big reward for clickjackers is money.

Symantec Security Response did some research showing that clickjackers can earn as much as $40,000. That’s a lot of money for such a small amount of work.

There are, of course, various ways that clickjackers can make money.

One of the most popular ways is to trick Internet users into filling out online surveys. Survey companies are often willing to pay websites for sending information their way. Each survey doesn’t earn much money at all. A successful clickjacking campaign, however, could potential trick thousands of people into filling out surveys. The money from those surveys adds up quickly, allowing the clickjacker to earn a good income.

Other clickjacking attacks focus on stealing information from Internet users. These attacks typically install spyware on your computer that allows a hacker to gather information about your activities. That makes it possible for the hacker to access your email account to send out spam. Like online surveys, each piece of spam earns a small amount of money that quickly adds up.

Hackers can also used clickjacked links to install spyware that will capture your personal information. This can allow the hacker to steal your identity, open a credit card in your name, or access your bank accounts.

New Low: Clickjackers Capitalize on Death of British Pilot

August 23, 2011

Last weekend a British pilot died after his plane crashed during a Red Arrow display at the Bournemouth Air Festival. He had family and friends and people who loved him. As far as clickjackers were concerned, though, he mostly had earning potential.

Not long after the crash was reported, a Facebook message started circulating that promised to show video of the accident. Regardless of how compassionate most people are (thousands joined a Facebook group showing support for the pilot’s family), they also have a tendency to stare at car crashes and watch movies like Jackass, where people get hurt in supposedly hilarious ways. They just can’t not look at something spectacular, even when the event was tragic.

Clicking on the video link, however, doesn’t take you to a YouTube video. Clicking on the link does, however, share the message with all of your Facebook pals.

In the typical way, this clickjack gets spread quickly through the Internet. Even if only two people click on the message posted by your account, and then two people click on the messages posted by them, and so on, you quickly get thousands of people falling for the scam. The numbers increase exponentially, so they really get moving once you hit the triple digits.

It’s stunningly heartless for someone to use this tragic event to earn money. I’m sure that some people, however, think that the clickjack victims have gotten what they deserve. They should have followed the message in the first place. I think that’s a bit too harsh. Following the message might mean that you’re gullible, but it doesn’t mean that you are a bad person. At least not any worse than the thousands of other people who wanted to see the crash that they had heard so much about.

See Twilight for Free

August 19, 2011

Fans of Twilight can get a bit… well, fanatical. Give them the opportunity to attend a pre-screening for free, and they’ll do just about anything.

Anything, including fall for a Facebook clickjacking scam.

This specific clickjacking scam spreads through Facebook posts. To win the free tickets, you have to complete a survey. Finish that survey, however, and you’re taken to another one. You might think that you’ll eventually reach those tickets, but you never will. It’s a ceaseless journey that only ends when you get frustrated enough to quit.

By that time, though, it’s probably too late for your friends. That’s because you have shared information about the free tickets with everyone you’re connected to on Facebook. What? You don’t remember that post? That’s because the clickjack did it for you. Now all of your friends can fall victim to the hoax.

To make matters even worse, this scam focuses on young people who, as we all known, don’t always exercise the best judgment when exploring the net. Even parents that keep a close eye on their kids’ Internet usage might not spot this problem. It’s one thing for your kid to access a pornographic or disturbing website from the living room, but it’s quite another to fill out a simple survey. Few parents would even know to wonder whether it could have harmful effects.

Kids might think that they know more about the Internet than their parents. And maybe they do. But they don’t know more than their parents about the ways that scam artists prey on kids. That’s why parents have to make sure their kids know how to stay safe online.

Hate Clickjackers? Blame Yourself

August 1, 2011

Rhodri Marsden, in his article posted on The Independent yesterday, covered some of the ways that today’s culture is influenced by mass media outlets, including television, radio, Twitter, and Facebook. We’ve all become news junkies. But we’re not satisfied to feast on legitimate news. We want more. We even want more after we’ve been thrown chucks of Charlie Sheen and other celebrities, whose lives have nothing to do with our own.

What do we do when we need dessert after gorging ourselves on everything from CNN to News of the Weird, we turn to the least likely sources of legitimate content.

That’s why, according to Marsden (and I think he’s really on to something here), we’re all to blame for clickjacking. Hate clickjeckers? Yeah, who doesn’t? But pointing the finger at them without acknowledging that last week you actually follow a link that promised video of “YOU WON’T BELIEVE WHAT THE JONAS BROTHERS DID THIS TIME!”

Call yourself a sucker or a dupe if you want, but don’t expect Marsden to cut you any slack.

When people use social networking sites, they need to understand what they are doing. Otherwise, we have a system that resembles a middle school lunch room. If that’s the best that we can do, maybe human beings should just walk away from computer networks altogether and admit that we have defeated ourselves.

Each time you follow one of those ridiculous links, you bolster the hopes and coffers of clickjackers. That means more clickjacking will happen. Yes, the actual clickjacker is the guy pulling the trigger, but you gave him money to buy the bullets. That makes you at lease somewhat responsible.

 

Windows Continues to Improve Security Features And Miss Several Customer Service Needs

July 13, 2011

Windows updates… I’ll admit that I hate them. They always seem to come at the least convenient times and they seem to take forever. As someone unlucky enough to have Windows 7 on my personal laptop, I also understand the great frustration that of regular updates that don’t ever seem to click with the operating system. You spend five minutes waiting to download the update and then you wait so long for the update to configure itself that you say “screw it” and take your chances with a manual boot.

Yes, I understand the frustration.

On the other hand, I must admit that Windows has done a really good job of creating updates that address issues that affect today’s users most. Just this week, they published an update that corrected a Bluetooth radio vulnerability. Previous updates have done wonders for security issues such as worms, clickjacking, phishing, malvertisements, and many of the other problems that plague today’s most active Internet users.

In other words, Microsoft knows what problems exist out there in cyberspace, and they want to find solutions to those problems.

That’s terrific. I applaud them. I wish that more software developers would do the same.

No matter how much I respect their commitment to improved security performance, though, I can’t get over how slow and annoying the updates are. And the configurations!!! Just forget it. An update that doesn’t configure properly on the first try isn’t going to work because half of your customers are going to by pass the update and feel a sense of dread every time they see another update icon at the bottom of their screens.