
Server-side Clickjack Protection

September 11, 2011

If you’ve been worrying about clickjacking attacks on the websites you visit often, you might be surprised to learn that sites have the ability to impede these attacks. The fact of the matter is that some websites just don’t focus that much on security strategies that would really keep their visitors safe. That isn’t to say that website administrators and developers could prevent all clickjacking attacks, but they could certainly make it harder for hackers to ruin your day.

Quite frankly, social networking sites (especially Facebook) are some of the worst offenders. To some extent, that’s understandable. Consider, for instance, how many people visit Facebook every day. That makes the site a target for clickjackers that want to reach a large audience quickly. Plus, Facebook wants to make it easy for people to share information with each other. Any kind of block could negatively affect service.

When it comes down to it, though, more websites could use server-side clickjacking protection. It’s actually pretty easy.

The most common technique is called a framekiller. It’s a piece of JavaScript that prevents a site from being loaded inside a frame by a different source. Unfortunately, it’s not always reliable. It’s especially easy for fairly advanced hacking techniques to trick Internet Explorer into loading the clickjacked link anyway.
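Because a framekiller depends on script running in the visitor's browser, a site can also tell the browser in its HTTP response not to render the page inside another site's frame. The following is an added example, not code from the original post: `X-Frame-Options` and the CSP `frame-ancestors` directive are real response headers, while the function names and sample origins are hypothetical.

```javascript
// Server side: call on every HTML response before it is sent.
// `res` is anything with setHeader(name, value), e.g. Node's http.ServerResponse.
function denyFraming(res, allowSameOrigin = false) {
  // CSP frame-ancestors is the current standard control.
  res.setHeader('Content-Security-Policy',
    allowSameOrigin ? "frame-ancestors 'self'" : "frame-ancestors 'none'");
  // X-Frame-Options covers older browsers without frame-ancestors support.
  res.setHeader('X-Frame-Options', allowSameOrigin ? 'SAMEORIGIN' : 'DENY');
}

// Audit side: given a response's headers (plain object), report whether a
// page on some other origin could still load the response in a frame.
function crossOriginFramingAllowed(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // If frame-ancestors is present, browsers that support it ignore
  // X-Frame-Options, so that directive alone decides the outcome.
  for (const directive of (h['content-security-policy'] || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'frame-ancestors') continue;
    // Blocked only if nothing beyond 'none' / 'self' is listed.
    return !sources.every(s => ["'none'", "'self'"].includes(s.toLowerCase()));
  }

  // No frame-ancestors: fall back to X-Frame-Options. ALLOW-FROM is not
  // honoured by current browsers, so it counts as no protection.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  return !(xfo === 'DENY' || xfo === 'SAMEORIGIN');
}
```

Running the audit function over headers captured from a site's own pages shows which responses still lack protection, including the case where a permissive `frame-ancestors` list overrides a strict `X-Frame-Options` value.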

Should websites have more responsibility when it comes to protecting visitors? That depends. A site like Facebook should definitely lead the security development to stop clickjacking. They’re big enough and have enough resources to take on the problem. Plus, it’s in their best interest to offer more safety to their members. Since Facebook doesn’t have a true competitor, though, the company might not feel too motivated in this area.


Why Would Someone Use Clickjacking?

May 24, 2011

Most people these days seem to have a basic grasp of what clickjacking is, but they don’t really understand why anyone would want to use clickjacking to sucker Internet users into silly things such as “liking” a page on Facebook. It’s one thing when hackers use viruses to steal information from someone’s computer. That’s a dirty, unethical, illegal thing to do, but at least you can understand the motivation behind it. With clickjacking, though, a lot of people just wonder “why.”

It’s simple in most cases. Hackers can make money through clickjacking by forcing large numbers of people to visit websites or promote Facebook pages. There are a couple of strategies that they can use. Some of them get paid for every hit that a website gets through their link. It’s similar to many online marketing techniques, except even shadier.

They can also get paid for general promotion of a website. For instance, if someone owns a company that promotes websites, then they can use clickjacking to show a client how effective their strategies are. It doesn’t hurt the clickjacking victim nearly as much as it robs the client.

Hackers can also make money by getting people to take online quizzes. That’s why you see so many quizzes popping up when you follow likejacked links on Facebook.

Although clickjacking hasn’t caused many significant problems, it is a troublesome waste of resources that makes the online community suspicious of everything that they encounter. Unfortunately, that’s the best way to stay safe online. Remain suspicious and you can make it harder for clickjacking hackers to make money from their pathetic scams.