#privacy: Clickjacking is still continuing to thrive

According to a research paper, clickjacking has become an extremely popular method of attack for online scammers.

Researchers at the Chinese University of Hong Kong, Microsoft Research, Seoul National University and Pennsylvania State University found that clickjacking is a threat that is evolving, and new tactics are emerging. 

Clickjacking is the process whereby attackers launch UI redressing attacks to hijack user clicks. 

“In particular, malicious websites trick a user into clicking components (e.g., a Facebook like button) different from what the user perceives to click, in order to send commands on behalf of the user to the different application they secretly embed.”

Researchers collected and analysed click-related behaviours for the top 250,000 websites on Alexa, a traffic-analysis site, and discovered 437 third-party scripts intercepting user clicks on 613 websites. All the sites collectively receive 43 million daily visits.

The researchers demonstrated that click interception could lead victims to malicious pages such as fake anti-virus software. Additionally, it was revealed that “many third-party scripts intercept user clicks for monetization via committing ad click fraud.” In the analysis, 36% of the 3,251 unique click interception URLs were related to online advertising.

Three different techniques were used to intercept user clicks. One involved intercepting hyperlinks by tampering with URLs or embedding hyperlinks to cover most of a page. The second technique involved adding an event listener to a page element, and the final technique was using visual deception. 

Although there are various techniques that can be used to intercept user clicks, it all depends on the implementation and the end user’s technical background. 
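As an added illustration (not code from the research paper), the sketch below shows how a site owner's audit might flag the first two interception techniques described above in a recorded page snapshot. Visual deception is not covered. The snapshot format, field names, hostnames and the 75% coverage threshold are all assumptions made for this example.

```javascript
// Added example. The snapshot format and every field name are assumptions;
// the data is constructed, not taken from the study.
const snapshot = {
  viewport: { width: 1280, height: 800 },
  anchors: [
    { id: "a1", originalHref: "https://news.example/story",
      currentHref: "https://news.example/story",
      rect: { width: 200, height: 20 }, changedBy: null },
    { id: "a2", originalHref: "https://news.example/sports",
      currentHref: "https://ads.example/r?x=1",
      rect: { width: 180, height: 20 }, changedBy: "https://cdn.tracker.example/t.js" },
    // Anchor inserted by a script (no original href) that spans almost the whole viewport.
    { id: "a3", originalHref: null, currentHref: "https://ads.example/landing",
      rect: { width: 1280, height: 760 }, changedBy: "https://widgets.example/w.js" },
  ],
  clickListeners: [
    { target: "#menu", addedBy: "https://news.example/app.js" },
    { target: "#article", addedBy: "https://widgets.example/w.js" },
  ],
};

// A script is third-party when its host is neither the page host nor a subdomain of it.
function isThirdParty(scriptUrl, pageHost) {
  if (!scriptUrl) return false;
  const host = new URL(scriptUrl).hostname;
  return host !== pageHost && !host.endsWith("." + pageHost);
}

function auditClickInterception(snap, pageHost, coverThreshold = 0.75) {
  const findings = [];
  const viewArea = snap.viewport.width * snap.viewport.height;
  for (const a of snap.anchors) {
    if (!isThirdParty(a.changedBy, pageHost)) continue;
    // Technique 1a: a third-party script rewrote an existing link target.
    if (a.originalHref !== null && a.originalHref !== a.currentHref)
      findings.push({ kind: "href-tampered", id: a.id, script: a.changedBy });
    // Technique 1b: a hyperlink large enough to catch clicks almost anywhere.
    const w = Math.min(a.rect.width, snap.viewport.width);
    const h = Math.min(a.rect.height, snap.viewport.height);
    if ((w * h) / viewArea >= coverThreshold)
      findings.push({ kind: "huge-hyperlink", id: a.id, script: a.changedBy });
  }
  // Technique 2: click listeners attached by third-party code (review, not a verdict).
  for (const l of snap.clickListeners)
    if (isThirdParty(l.addedBy, pageHost))
      findings.push({ kind: "third-party-click-listener", id: l.target, script: l.addedBy });
  return findings;
}

console.log(auditClickInterception(snapshot, "news.example"));
```

Third-party click listeners are also used by legitimate analytics and widgets, so that finding is a prompt for review rather than proof of interception.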

The researchers concluded:

“Our research sheds light on an emerging client side threat, and highlights the need to restrict the privilege of third-party JavaScript code.”
