Anatomy of a Clickjacking Attack


This is part one of a two-part post on how Web site clickjacking attacks work, and how to prevent them.

The success of Facebook clickjacking is due in large part to the social nature of the Web site. Users of Facebook are MUCH more likely to click on a particular link if they believe that the link was posted by a friend. Unfortunately, attackers also understand this dynamic and, as a result, they are using Facebook as a new vector to deliver attacks.

What is Clickjacking?

Clickjacking (aka user interface (UI) redressing) is an attack where an attacker has injected malicious content onto a compromised page (Web site A) to trick the user into clicking on a link or button from another domain (Web site B). Typically the attack is set up by creating an invisible or disguised iFrame on Web site A that points to a UI button on Web site B. The attack only works because Web site B allows itself to be loaded inside a frame on another origin. The button could be used to launch a cross-site request forgery, to download malware, or for any other malicious activity.
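The precondition for the attack described above is that Web site B can be framed by a page on another origin. The following added example (not code from the original post) evaluates a set of response headers the way a browser does when deciding whether to render a page inside an iframe: a Content-Security-Policy `frame-ancestors` directive takes precedence, then `X-Frame-Options`, and with neither header the page is frameable by anyone. The origins and header values are constructed samples.

```python
"""Decide whether a page served with the given headers may be framed by
another origin (the precondition for clickjacking).

Added example, not code from the original post. Origins and header
values below are constructed samples.
"""
from urllib.parse import urlsplit


def _parse_frame_ancestors(csp: str):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def _csp_allows(sources, framer_origin: str, page_origin: str) -> bool:
    """Match framer_origin against a frame-ancestors source list.

    Handles 'none', 'self', '*', scheme sources (https:), host sources with an
    optional leading wildcard (*.example.com) and exact origins with ports."""
    if not sources or [s.lower() for s in sources] == ["'none'"]:
        return False
    framer = urlsplit(framer_origin)
    for src in sources:
        src = src.lower()
        if src == "'self'":
            if framer_origin.lower() == page_origin.lower():
                return True
        elif src == "*":
            return True
        elif src.endswith(":") and "/" not in src:  # scheme source, e.g. https:
            if framer.scheme == src[:-1]:
                return True
        else:  # host source, with optional scheme, wildcard subdomain and port
            s = urlsplit(src if "://" in src else "//" + src)
            if s.scheme and s.scheme != framer.scheme:
                continue
            host = s.hostname or ""
            if host.startswith("*."):
                if framer.hostname and framer.hostname.endswith(host[1:]):
                    return True
            elif framer.hostname == host and (s.port is None or s.port == framer.port):
                return True
    return False


def framing_allowed(headers: dict, framer_origin: str, page_origin: str) -> bool:
    """True if a page from page_origin served with `headers` can be embedded in
    an iframe by framer_origin. CSP frame-ancestors overrides X-Frame-Options;
    with neither header, framing is allowed."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = _parse_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        return _csp_allows(sources, framer_origin, page_origin)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin.lower() == page_origin.lower()
    # ALLOW-FROM is obsolete and ignored by current browsers; an unrecognised
    # or missing value leaves the page frameable by any origin.
    return True


# Constructed sample responses for a hypothetical social site.
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "xfo_sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_self_partner": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://partner.example"
    },
    "csp_overrides_xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}


def audit(page_origin="https://social.example", bait_origin="https://bait.example") -> dict:
    """Report, per sample response, whether the bait page could frame the site."""
    return {name: framing_allowed(h, bait_origin, page_origin) for name, h in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, allowed in audit().items():
        print(f"{name:18s} frameable by https://bait.example: {allowed}")
```

The `csp_overrides_xfo` sample is the case worth remembering when reviewing a site: a permissive `frame-ancestors` silently cancels a `DENY` in `X-Frame-Options`, so both headers have to be checked together rather than ticking off the presence of either one.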

How does this Apply to Facebook?

In the recent Facebook Clickjacking attacks, an attacker sets off a variant of a Facebook worm that sends users to a clickjacked Web page that exploits Facebook’s “Like” infrastructure. This is accomplished through a series of well-designed steps:

1. Find the Victims.

The attacker likely created a spam email, banner ad or some other type of bait to trick people into clicking the malicious link. The bait could be a spoofed link to pornography, free products, celebrity gossip, or any other enticement. For our example, let’s assume the bait is an email with a link that says “Check this New Video of a Dancing Bear!”

2. Clickjack the Victims’ Facebook Accounts.

Once the victim clicks on the malicious link, the bait takes the user to an intermediary page displaying a warning that asks the user to “Click to continue” or “Verify that you are at least 18 years old” to view. This is where the clickjacking occurs. On this page there is an invisible iFrame that uses JavaScript to silently follow the user’s mouse pointer. No matter where the user clicks on the page, the victim ends up clicking on the hidden iFrame, which launches a clickjacking attack on the user’s Facebook page.

3. Spread to the Victims’ Social Networks.

Because most users stay permanently logged in to Facebook, if the user clicks anywhere on the clickjacked page, a link is published on the victim’s profile with the same link used to lure the original victim of the attack:

“Check this New Video of a Dancing Bear!”

This appears in the News Feed of all of the user’s contacts. If any of the victim’s friends on Facebook clicks the link, they are also sent to the clickjacked page. If the new victim clicks anywhere on the page, a “Like” link is added to their Facebook profile, starting the cycle again.

Check out part two of this post on how to prevent a clickjacking attack.
