Analysis Clickjacking, which came to the attention of security types more than a decade ago, continues to thrive, despite defenses deployed since then by browser makers.
Boffins from Microsoft and universities in China, South Korea and the US recently looked at the Alexa top 250K websites and identified three different clickjacking techniques currently being used to intercept clicks.
In summary, malicious browser extensions, and dodgy third-party scripts loaded by pages, can quietly alter URLs in links to redirect netizens elsewhere on the web, or trigger more code to run in the background. The goal by the makers of this stuff is to get victims to inadvertently click on adverts, set cookies, fool affiliate programs, download and run malware, and suchlike.
The researchers – Mingxue Zhang and Wei Meng from Chinese University of Hong Kong, Sangho Lee from Microsoft Research, Byoungyoung Lee from both Seoul National University and Purdue University, and Xinyu Xing from Pennsylvania State University – are scheduled to present their findings at the USENIX Security conference on Thursday.
In a paper titled, "All Your Clicks Belong to Me: Investigating Click Interception on the Web," the computer scientists describe how they developed their own browser-based analysis framework called Observer to monitor click interception. They did so because the dynamic, event-driven nature of web applications makes it difficult to assess the scripts responsible for interfering with click events simply by looking at application code.
Among the top 250,000 Alexa websites, they found 437 third-party scripts intercepting user clicks on 613 websites that collectively receive 43 million daily visits.
The researchers reported that scripts tricking users to click on page elements disguised as first-party content or implemented as nearly invisible elements placed atop first-party content. They also said they found third-party scripts intercepting users clicks to monetize them, which they describe as a novel click fraud technique.
"We revealed that some websites collude with third-party scripts to hijack user clicks for monetization," the paper says. "In particular, our analysis demonstrated that more than 36 per cent of the 3,251 unique click interception URLs were related to online advertising, which is the primary monetization approach on the Web."
In addition to advertising, clickjacking may be used to drive malware installation. The researchers identified only two such campaigns, but suspect there are many fiddling with click events, noting that it was beyond the scope of their study to analyze the two million URLs in their data set for malware.
The clickjacking techniques discussed include: intercepting hyperlinks, either through third-party scripts that tamper with first-party URLs or huge hyperlinks that cover most of a page by enclosing much of the HTML or a large background image; adding a navigation-related event listener to a page element; and using visual deception (copying a first-party design element or a transparent overlay).
In a phone interview with The Register, Augustine Fou, a cybersecurity and ad fraud researcher who advises companies about online marketing, described how such click interception might be accomplished.
"If a user downloads a toolbar or extension, the extension sees everything in the browser so it can not only replace or inject ads, it can also inject clicks," he said. "What those extensions might do is call a URL so a cookie gets planted, making an affiliate network believe an affiliate partner drove the sale so it pays a revenue share."
As an example, he said, a webpage might include a hidden iframe that loads an Amazon.com page to place a cookie with an affiliate code, which gives the designated affiliate credit for purchases within the next 30 days.
Fou pointed to the prosecution of an eBay affiliate for cookie stuffing back in 2013 and said he had recently heard from one of the largest affiliate networks in China that such fraud remains a major problem. "That kind of clickjacking is alive and well and as bad as ever," he said.
Google in 2017 announced changes to its Chrome designed to prevent two types of automatic redirection that were being abused. But as the research paper states:
"Chrome still cannot detect and prevent other possible ways to intercept user clicks, including but not limited to links modified by third-party scripts, third-party contents disguised as first-party contents, and transparent overlays."
Fou said there's a way to fight clickjacking-driven fraud but it isn't technical. "Literally rip out all the third-party scripts from your website," he said.