This procedure is called Clickjacking and it is one of the techniques most commonly used by hackers trying to gain access to your accounts or obtain private data.
How does clickjacking work?
It all starts with a user receiving an e-mail that perfectly mimics the messages usually sent by a company he is a client of. This e-mail includes a fake link, supposedly to reset the password used on the real company website, when in fact clicking it hands the hackers access to his account. Knowing both the e-mail address and the associated password, they can extract all the personal information they need and take over the account.
In practice, once the customer clicks the button in the e-mail, he lands on the hacker's website. From there, the hacker's page attempts to make an HTTP/HTTPS call to the real company's API or forms to reset the user's password or e-mail address and take over his account.
When does clickjacking work?
For clickjacking to work, the user must already be logged in to the account he owns on the real company website. Also, if no CSRF protection is active on the company's end and the official website/API accepts calls from other domains without any filtering, the operation is likely to succeed.
Clickjacking can also be simulated locally (on your own machine) by manually creating an iframe and injecting the company's forms into it. This does not, however, affect end users/customers, because it only takes place on that one computer.
How can I be sure that I am not a victim of clickjacking?
We recommend that all companies implement the following two measures to stay safe from this kind of attack:
- Do not accept requests from other websites (domains). If possible, send the X-Frame-Options header set to SAMEORIGIN so that other domains cannot load your pages in a frame to reach the methods/API on your company's end (note that this header is not honoured by all browsers).
- Implement CSRF token validation, making sure that each page that displays a form carries a CSRF token uniquely assigned to that customer. The CSRF token can only be obtained by logging in as the real customer.
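The two measures above, as an added example that is not part of the original post: a server-side helper that emits the anti-framing headers and validates a state-changing POST (such as a password reset) by requiring a logged-in session, a same-origin Origin/Referer header, and a CSRF token bound to that session. The site origin, the in-memory session store and the function names are assumptions for this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed for this example: the site's own origin and an in-memory session store.
SITE_ORIGIN = "https://example.com"
sessions = {}  # session_id -> {"user": ..., "csrf_token": ...}


def security_headers():
    """Headers a form/API response should carry so other sites cannot frame it."""
    return {
        "X-Frame-Options": "SAMEORIGIN",
        # CSP equivalent, honoured by browsers that do not support X-Frame-Options.
        "Content-Security-Policy": "frame-ancestors 'self'",
    }


def login(user):
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def same_origin(url):
    """True only when the scheme and host of url match our own origin."""
    if not url:
        return False
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def validate_state_change(headers, form, cookies):
    """Decide whether a POST (e.g. a password reset) may be honoured.

    Returns (ok, reason). Every check must pass: a logged-in session, a request
    sent from our own origin, and a CSRF token matching the one bound to that
    session. Requests carrying neither Origin nor Referer are rejected.
    """
    session = sessions.get(cookies.get("session_id", ""))
    if session is None:
        return False, "not logged in"
    origin = headers.get("Origin") or headers.get("Referer")
    if not same_origin(origin):
        return False, "cross-site request"
    token = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(token, session["csrf_token"]):
        return False, "bad csrf token"
    return True, "ok"
```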