Clickjacking, where links on a website redirect unknowing users to spam, advertising or malware, has been around for decades. However, new tactics that defy the best mitigation efforts of browsers has led to it affecting millions of internet users browsing the web’s top sites, researchers found in a new study.
In crawling data from the Alexa top 250,000 websites, researchers discovered 437 third-party scripts that intercepted user clicks on 613 websites – which in total receive around 43 million visits on a daily basis. Making matters worse, click interception links are using new techniques – such as making the links larger – that are making them harder to avoid.
The researchers, who collaborated from the Chinese University of Hong Kong, Microsoft Research, Seoul National University and Pennsylvania State University, published their findings in a paper, “All Your Clicks Belong to Me: Investigating Click Interception on the Web,” which they are discussing Thursday at the USENIX Security conference.
Emerging Click Interception Tactics
The practice of clickjacking (a.k.a. click interception) – and discussions about how to stop it – have been ongoing for years.
Websites that are impacted by clickjacking have third-party scripts inserted into them. These scripts look like an innocent-looking link (such as a Facebook button) – but secretly have code for a different application embedded in an iframe tag or other component. So, when a victim clicks on the link, they are “hijacked” (hence the name clickjacked) and brought to a malicious or spam page.
After developing a Chromium browser-based analysis framework, which they dubbed “Observer,” the researchers were able to collect and analyze click-related behaviors for the Alexa top 250,000 websites.
The clickjacking observed was utilized to send victims to malicious pages, such as fake anti-virus (AV) software and drive-by download pages; but researchers said that it also is being utilized for monetization, such as ad fraud or spam for scams.
In addition to classic link hijacking as described above, bad actors have now also turned to visual deception to intercept user clicks, which include links posing as website banners or download buttons.
In addition, bad actors are now relying on new tricks to better lure users to clicking on their scripts. For instance, researchers detected 86 third-party scripts utilizing huge hyperlinks which would stick out on the page, and send users to an online gambling game site when clicked. The bigger font makes the hyperlinks stick out and give them a higher chance of being clicked on, researchers say.
Other third-party scripts would selectively intercept user clicks to avoid detection, essentially limiting the rate at which they intercept the clicks.
“Although third-party scripts can deceive a user with different tricks, the effectiveness can vary dramatically depending on their implementation and the end user’s technical background,” said researchers.
In a new method, researchers found that attackers were also using clickjacking to send victims to an advertisement to fabricate realistic ad clicks – to get a commission when a user clicks an advertisement.
Interestingly, while many third-party scripts modified first-party hyperlinks to intercept user clicks, researchers also discovered that some websites collude with third-party scripts to hijack user clicks for monetization.
The research found that more than 36 percent of the 3,251 unique click interception URLs were related to online advertising.
“Clicks are also critical in one pervasive application—online display advertising, which powers billions of websites on the internet,” researchers said. “The publisher websites earn a commission when a user clicks an advertisement they embed from an online advertising network (ad network in short).”
For years, online browsers have worked to decrease click interception issues – but they clearly aren’t enough, researchers said.
For instance, just last week Facebook announced that it is filing lawsuits over two app developers who utilized click injection techniques to abuse its advertising platform. The lawsuit is one of the first of its kind against this practice, said Facebook. Other browsers, such as Chrome, have packed in mitigations for automatic redirection since 2017. In addition, systems like EvilSeed or Revolver have been developed to detect malicious web pages using content or code similarities.
However, several of these mitigation tactics do not address newer clickjacking tricks and techniques. For instance, “Chrome still cannot detect and prevent other possible ways to intercept user clicks, including but not limited to links modified by third-party scripts, third-party contents disguised as first-party contents, and transparent overlays,” researchers said.
Researchers for their part advised that websites could put a “warning” signal in the status bar when a user hovers their mouse above them, showing that the link contains third-party script. In addition, browsers could enforce integrity policies for hyperlinks that specify that third parties cannot modify first-party scripts.
Researchers said that they plan to develop and evaluate such an integrity protection mechanism in the future work.
Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.