How dodgy browser plugins, web scripts can silently rewrite that URL you were about to hit – and throw you into an internet wormhole
Clickjacking code found on sites with 43 million daily visits total
Analysis: Clickjacking, which came to the attention of security types more than a decade ago, continues to thrive, despite defenses deployed since then by browser makers.
Boffins from Microsoft and universities in China, South Korea and the US recently looked at the Alexa top 250K websites and identified three different clickjacking techniques currently being used to intercept clicks.
In summary, malicious browser extensions, and dodgy third-party scripts loaded by pages, can quietly alter URLs in links to redirect netizens elsewhere on the web, or trigger more code to run in the background. The goal by the makers of this stuff is to get victims to inadvertently click on adverts, set cookies, fool affiliate programs, download and run malware, and suchlike.
The researchers – Mingxue Zhang and Wei Meng from Chinese University of Hong Kong, Sangho Lee from Microsoft Research, Byoungyoung Lee from both Seoul National University and Purdue University, and Xinyu Xing from Pennsylvania State University – are scheduled to present their findings at the USENIX Security conference on Thursday.
In-depth
In a paper titled, "All Your Clicks Belong to Me: Investigating Click Interception on the Web," the computer scientists describe how they developed their own browser-based analysis framework called Observer to monitor click interception. They did so because the dynamic, event-driven nature of web applications makes it difficult to assess the scripts responsible for interfering with click events simply by looking at application code.
They built Observer by customizing the open source Chromium browser so they could mediate all JavaScript-driven access to web links in the browser's rendering engine, to identify the initiator of the URL in each link. Their framework, which they say they will release as open source code, also provides visibility into the creation and execution of JavaScript objects and allows the monitoring of all event handlers on every HTML element and of JavaScript navigation APIs. In short, it offers a window into where scripts go bad.
Among the top 250,000 Alexa websites, they found 437 third-party scripts intercepting user clicks on 613 websites that collectively receive 43 million daily visits.
The researchers reported finding scripts that trick users into clicking on page elements disguised as first-party content, or implemented as nearly invisible elements placed atop first-party content. They also said they found third-party scripts intercepting users' clicks to monetize them, which they describe as a novel click fraud technique.
"We revealed that some websites collude with third-party scripts to hijack user clicks for monetization," the paper says. "In particular, our analysis demonstrated that more than 36 per cent of the 3,251 unique click interception URLs were related to online advertising, which is the primary monetization approach on the Web."
In addition to advertising, clickjacking may be used to drive malware installation. The researchers identified only two such campaigns, but suspect there are many fiddling with click events, noting that it was beyond the scope of their study to analyze the two million URLs in their data set for malware.
The clickjacking techniques discussed include: intercepting hyperlinks, either through third-party scripts that tamper with first-party URLs or huge hyperlinks that cover most of a page by enclosing much of the HTML or a large background image; adding a navigation-related event listener to a page element; and using visual deception (copying a first-party design element or a transparent overlay).
In a phone interview with The Register, Augustine Fou, a cybersecurity and ad fraud researcher who advises companies about online marketing, described how such click interception might be accomplished.
"If a user downloads a toolbar or extension, the extension sees everything in the browser so it can not only replace or inject ads, it can also inject clicks," he said. "What those extensions might do is call a URL so a cookie gets planted, making an affiliate network believe an affiliate partner drove the sale so it pays a revenue share."
As an example, he said, a webpage might include a hidden iframe that loads an Amazon.com page to place a cookie with an affiliate code, which gives the designated affiliate credit for purchases within the next 30 days.
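As an added example (not code from the paper, the Observer framework, or The Register), here is a small Python audit that diffs the HTML a server sent against the DOM after page scripts ran, and flags the patterns described above: hyperlinks whose href was rewritten (with a cross-site check), transparent overlays, and hidden iframes of the kind used for affiliate cookie stuffing. The page URL, the `.invalid` hostnames and the affiliate tag are constructed sample values; the check only looks at inline styles and compares hostnames, so it is a starting point for a publisher's own monitoring rather than a complete detector.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _Snapshot(HTMLParser):
    """Pull <a href> targets, hidden iframes and transparent overlays out of one HTML snapshot."""

    def __init__(self):
        super().__init__()
        self.links, self.hidden_frames, self.overlays = {}, [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # normalise inline style so "opacity: 0" and "opacity:0" compare equal; trailing ";" avoids matching opacity:0.9
        style = (a.get("style") or "").replace(" ", "").lower() + ";"
        if tag == "a" and a.get("href"):
            # key by id when present, else by order of appearance, so the two snapshots line up
            self.links[a.get("id") or f"a[{len(self.links)}]"] = a["href"]
        elif tag == "iframe" and ("display:none;" in style or a.get("width") == "0" or a.get("height") == "0"):
            self.hidden_frames.append(a.get("src", ""))
        elif "opacity:0;" in style and ("position:fixed;" in style or "position:absolute;" in style):
            self.overlays.append(tag + "#" + (a.get("id") or "?"))


def _host(url):
    return urlsplit(url).hostname or ""


def audit(page_url, served_html, rendered_html):
    """Report links rewritten after load, hidden iframes and invisible overlays in the rendered DOM."""
    before, after = _Snapshot(), _Snapshot()
    before.feed(served_html)
    after.feed(rendered_html)
    page_host = _host(page_url)
    rewritten = [
        {"link": k, "from": before.links[k], "to": v, "cross_site": _host(v) not in ("", page_host)}
        for k, v in after.links.items()
        if k in before.links and before.links[k] != v
    ]
    return {"rewritten_links": rewritten, "hidden_frames": after.hidden_frames, "overlays": after.overlays}


# Constructed sample: the HTML as served, and the DOM after a third-party script has run.
SERVED = """<html><body>
<a id="buy" href="/checkout">Buy now</a>
<a id="news" href="https://example.com/news">News</a>
</body></html>"""

RENDERED = """<html><body>
<a id="buy" href="https://tracker.invalid/go?aff=123">Buy now</a>
<a id="news" href="https://example.com/news">News</a>
<div id="cover" style="position: fixed; top:0; left:0; width:100%; height:100%; opacity: 0"></div>
<iframe src="https://shop.invalid/?tag=affiliate-placeholder" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(audit("https://example.com/", SERVED, RENDERED))
```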
Cookie stuffing
Fou pointed to the prosecution of an eBay affiliate for cookie stuffing back in 2013 and said he had recently heard from one of the largest affiliate networks in China that such fraud remains a major problem. "That kind of clickjacking is alive and well and as bad as ever," he said.
Fou said the researchers have not only documented affiliate fraud through attribution URL flooding, they've also documented other forms of display ad fraud that are not well known and also very well hidden. He pointed to JavaScript include directives that happen dynamically so code scanning won't show malicious content, and to clickjacking that leads to a roadblock/page-takeover ad that the user has to close before reaching their intended destination. These clicks, he said, can be made to look like ad clicks when the user is really just trying to navigate.
Google in 2017 announced changes to its Chrome browser designed to prevent two types of automatic redirection that were being abused. But as the research paper states:
"Chrome still cannot detect and prevent other possible ways to intercept user clicks, including but not limited to links modified by third-party scripts, third-party contents disguised as first-party contents, and transparent overlays."
Fou said there's a way to fight clickjacking-driven fraud but it isn't technical. "Literally rip out all the third-party scripts from your website," he said.
"Publishers were thinking that by adding more scripts, they could make more money. But they're making less money and their audience is being stolen from them. It's harming the user experience. Once you put someone else's JavaScript on your page, they can then change its function at any time in the future and you'll never know it. That's how all this malvertising is happening." ®