Web clickjacking fraud makes a comeback thanks to JavaScript tricks

More than a decade after hitting the headlines, clickjacking fraud remains an under-reported hazard on hundreds of popular websites, a team of university researchers has found.

Clickjacking, or UI redressing, encompasses a range of techniques through which fraudsters hide something that you almost certainly wouldn’t click on, such as an unwanted ad, behind something that looks innocent, such as a bogus ‘Facebook Like’ button.

In practice, clickjacking takes many different forms, but what all have in common is that the page element you are clicking on has a hidden purpose.

The appeal of clickjacking to criminals is that it involves getting web users to do the clicking for them, which helps to make the fake clicks seem convincing.

The crooks could use robotic clickfraud to do the same job – indeed, many do – but machine clicks are often easier to detect, for example because they come from IP addresses associated with botnets, or produce patterns of clicks that look unnatural.

Bad clicks

In All Your Clicks Belong to Me: Investigating Click Interception on the Web, the team from The University of Hong Kong, Seoul University, Pennsylvania State University, and Microsoft Research, used a browser tool called Observer to analyse clicks on the top 250,000 Alexa-ranked sites, discovering 437 different clickjacking scripts on 613 websites.

While a small percentage of the total, these sites were still estimated to receive more than 600 million daily visits between them.

Predictably, around a third of sites used clickjacking for advertising fraud. The researchers didn’t have time to delve much further than this for other motivations but scamware such as fake antivirus was also in evidence.

While clickjacking scams have been a problem for more than a decade, the technical underpinnings of how the clickjacking happens through click interception continue to evolve, especially through the possibilities offered by JavaScript.

The researchers divided these into three techniques – interception by hyperlinks, interception by event handlers, and interception by visual deception.

Visual deception is the most straightforward of these – using visual tricks such as the mimicking of legitimate page elements to persuade users to click on something (i.e. hiding bad stuff behind what looks OK). This was used by about 20% of advertising clickfraud.

Another technique – used by 11% of advertising clickfraud – is to use programmed event handlers that are part of the site’s code to drive users to third-party URLs in ways that are hard to detect.

The most popular technique of all involved intercepting hyperlinks that users had clicked on by overwriting the href (hyperlink) attribute or by turning the entire page into a huge clickable element. The researchers conclude:

Existing studies mainly consider one type of click interceptions in the cross-origin settings via iframes, i.e., clickjacking. This does not comprehensively represent various types of click interceptions that can be launched by malicious third-party JavaScript code.

The researchers also noted that some websites deliberately participate in clickjacking scams for financial gain. Bluntly:

We revealed that some websites collude with third-party scripts to hijack user clicks for monetization.

Ironically, it could be that better detection of machine-made clicks is partly to blame for the increased use of old-style clickfraud that exploits humans instead.

If that trend continues, we could see an upsurge in clickjacking reengineered to be more sophisticated than the wave of a decade ago. Sometimes the old tricks turn out to be the best ones.