Have you ever clicked on a harmless-looking button only to find yourself redirected somewhere unexpected? Or did you press “Play” on a video and end up “Liking” it instead? Welcome to clickjacking—a world of smoke and mirrors where cyber tricks manipulate what you see on your screen. Beyond being annoying, it can have serious consequences, from hijacking your social media accounts to stealing personal data. How does clickjacking work, and how can you avoid it? Read on to find out and stay safer online with privacy and protection tools from Avira Free Security.
What is clickjacking?
It’s like hijacking, but your online clicks are “stolen”, and no balaclavas (or planes and cars) are involved. The term “clickjacking” is a mash-up of “click” and “hijacking”, which is exactly what happens: A cybercriminal hijacks your clicks and uses them to perform specific actions in their favour. It’s a sneaky type of cyberattack that uses a misleading or invisible interface to trick users into clicking on something they never intended to. There are various types of clickjacking attacks, and these go by slightly different names, such as “user interface (UI) redressing” or “UI redress attacks”.
Whatever clickjacking is called, it’s always a digital optical illusion. You think you’re clicking on a harmless button or link—maybe to watch a funny cat video or claim a great discount on running shoes—but you’re actually activating something that’s hidden beneath. This could be:
- Liking or sharing a post without meaning to.
- Switching on a webcam or microphone without your permission.
- Making purchases online or transferring money.
- Changing account settings.
- Sharing your login credentials or other sensitive information.
- Visiting malicious web pages or downloading malware that runs in the background.
Since everything appears normal on your screen, you might never realise what’s happened—until it’s too late.
How does clickjacking work?
Clickjacking exploits a simple trick: Layering a hidden, transparent web page over another web page to disguise what your click will truly achieve. This is called an overlaying attack. The fake layer has its own JavaScript code and UI elements, so it can take over and function independently. It’s like a silent, evil coup. Unsuspecting users will navigate the web page, expecting it to work normally, but… it’s the attacker’s script working instead!
Attackers use HTML frames or inline frames (iframes) to achieve their scam. An iframe is a frame within a frame and lets content from other sources be embedded in a web page. For example, if you visit a website with a secretly embedded YouTube video, that video will sit within an iframe.
Cybercriminals style their clickjacking in various ways, but here’s the typical anatomy of an attack:
Step 1: They create a malicious webpage. This could be anything from a fake giveaway page to an innocent-looking news article. The invisible iframe will be carefully positioned so that its dummy button is located directly on top of the real button (or a malware download). Hackers use various techniques to make websites do their bidding. Cross-site scripting (XSS) can be used to manipulate online forms, web pages, and even servers.
Step 2: They entice their targets to visit the dummy webpage. Now that the trap has been set, attackers often use social engineering tactics, like fake emails, WhatsApp scams, and telephone scams, to lure victims. They might tell victims that they’ve won an iPhone or urgently need to log into their bank account to deal with a security issue.
Step 3: The victim performs the desired action. Now it’s time for the innocent website visitor to complete their job as a puppet. They might, for example, click where the hacker wants them to or enter their personal details. They think they’re interacting with what they see, but their clicks and input land elsewhere.
Clickjacking or cursorjacking? What’s the difference?
You might also hear of cursorjacking, so here is a quick explanation of how it differs from other clickjacking variations. Cursorjacking is a type of clickjacking attack, so it belongs to the same dubious family, but it occurs when a bad actor (i.e., a hacker or other type of cybercriminal) replaces a real cursor with an imposter. The victim sees their cursor in one location when it is, in fact, pointing at something else entirely, causing them to accidentally click where the hacker intended (most likely a malicious link or infected attachment).
What are the purposes of clickjacking?
User interfaces can be cloaked with many types of links and invisible layers, giving creative cyber attackers extensive options. So, what are they hoping to achieve? As you’ll have realised by now, theft is usually the goal—of your money or data.
- Stealing login credentials: You think you’re entering your password into a trusted site, but it’s actually being sent to a hacker.
- Spreading social media scams: Attackers trick you into liking or sharing a post or phishing link so it goes viral and they achieve more views and interactions.
- Capturing more social media followers: When you inadvertently like or share a post or follow an account, you’ll help boost the account’s popularity, lending it—and any products it may be endorsing—more credibility. Don’t end up as part of someone else’s marketing campaign! When the Facebook Like button is manipulated, it’s called “likejacking”.
- Tricking users into making purchases: You might think you’re clicking “See more” but could end up completing real transactions, like buying whatever dodgy product is being marketed.
- Activating a webcam/microphone: In some cases, attackers use clickjacking to grant themselves access to your device’s camera or microphone (audiojacking). They can then record meetings, learn more about you, your business and clients, or even blackmail you.
- Downloading malware: Clicking a disguised button could mean you’re agreeing to download malware (like adware or even ransomware), which then silently installs itself on your device.
- Accessing files on the victim’s hard drive: Welcome to filejacking. Attackers use your web browser to navigate through your computer and steal personal data.
- Stealing browser cookies: These digital crumbs of your browsing history can help hackers gain unauthorised access to your online accounts, giving them the freedom to make purchases or even steal your identity. It’s a good idea to clear cookies to help avoid cookiejacking.
- Exposing someone’s location: Based on your IP address, a hacker can often determine your approximate location. They might also install spyware or other malware to gain more insight. Based on your location, they can potentially target you with personalised scams and commit identity theft, as well as track your movements, identify your home address, and even stalk you.
What are the signs that you might be a victim of clickjacking?
Although clickjacking manipulations are designed to be invisible, there are still a few red flags to look out for. Here is an overview of quick questions to help you unmask a possible attack:
- Have you noticed unexpected social media activity? For example, did you recently “like” a page or post or follow an account but don’t remember doing so?
- Are you suddenly experiencing weird pop-ups or page redirects? You click somewhere and then find yourself in a strange new location.
- Are you clicking on a button, but nothing happens? This is called phantom clicking and may indicate that a hidden layer is at play.
- Has your browser gone slightly mad? Have you noticed unexpected downloads, unknown login attempts or strange permission requests for your camera or microphone?
- Do a website’s design or buttons look wrong? If anything on a website seems oddly placed or slightly transparent, it could be the result of a less-than-gifted designer or mean that an overlay is at work. Be cautious when clicking.
If you answered “yes” to any of the above, then you may be in the throes of a clickjacking attack. Act fast to scope out the damage and help prevent any further problems. Run a scan with a reputable anti-malware solution like Avira Free Antivirus. Change the passwords of affected accounts and make sure these are strong and unique. A password manager like Avira Password Manager can do this for you and helps store them securely. Avira Free Security contains these and other essential online privacy and protection tools.
Keep a close eye on your bank and credit card statements, and contact your bank and the relevant local authorities immediately if you suspect fraud.
For technical enthusiasts: Clickjacking protection for IT
There are two general methods IT teams deploy to help fend off clickjacking.
Client-side clickjacking protection
Client-side methods focus on preventing attackers from tricking users through their browsers. One effective way is to use JavaScript-based frame-busting techniques. These detect when a page is embedded in an iframe and force it to break out. For example, a simple script can check if the page is being framed and redirect the user to the main site. Sadly, these methods aren’t foolproof, as savvy attackers can disable or override them.
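Here is what such a frame-busting script looks like in practice. This is an added example, not code from the original article or from Avira: it follows the form OWASP documents (hide the page body by default, reveal it only once the script has proven the page is not framed, otherwise try to break out), with the decision logic separated from the browser so it can be exercised on its own. The `win` and `doc` arguments stand in for the browser’s `window` and `document`, and the page is assumed to ship a `<style id="antiClickjack">body{display:none !important;}</style>` rule; the URLs are constructed.

```javascript
// Added example (not from the original article): OWASP-style legacy
// frame-busting. `win` and `doc` stand in for `window` and `document`; the
// page is assumed to ship <style id="antiClickjack">body{display:none !important;}</style>
// so the body stays hidden until the script proves the page is not framed.

// A top-level document is its own `top`; a framed document is not.
// Comparing the two references needs no cross-origin property access,
// so this check cannot throw even when the framing page is hostile.
function isFramed(win) {
  return win.self !== win.top;
}

// Applies the defence and returns what it did ('shown', 'busted' or 'hidden')
// so the outcome can be checked.
function applyFrameBusting(win, doc) {
  if (!isFramed(win)) {
    // Not framed: remove the hiding rule so the page becomes usable.
    const style = doc.getElementById('antiClickjack');
    if (style) style.parentNode.removeChild(style);
    return 'shown';
  }
  try {
    // Framed: try to break out by navigating the top window to this page.
    win.top.location = win.self.location;
    return 'busted';
  } catch (err) {
    // The framing page can block that navigation (for example with a
    // sandboxed iframe). The body then simply stays hidden, which is the
    // safe failure mode and the reason the hide-by-default style matters.
    return 'hidden';
  }
}

// --- Constructed stand-ins so the logic runs under Node (no real DOM) ---

function makeFakeDoc() {
  const removed = [];
  const style = {
    id: 'antiClickjack',
    parentNode: { removeChild: (node) => removed.push(node.id) },
  };
  return {
    getElementById: (id) => (id === 'antiClickjack' ? style : null),
    removed, // records which style elements were removed
  };
}

// A window that is not inside any frame.
function makeTopLevelWindow() {
  const w = { location: 'https://example.test/account' }; // constructed URL
  w.self = w;
  w.top = w;
  return w;
}

// A window framed by another page; `topCanNavigate` controls whether the
// framing page lets us redirect the top window.
function makeFramedWindow(topCanNavigate) {
  const top = {};
  if (topCanNavigate) {
    top.location = 'https://decoy.example/page'; // constructed URL
  } else {
    Object.defineProperty(top, 'location', {
      set() { throw new Error('navigation blocked'); },
    });
  }
  const w = { location: 'https://example.test/account', top };
  w.self = w;
  return w;
}
```

The third case is the one the article alludes to: a framing page can stop the redirect, so a script that only redirects (and never hides the body) leaves the page fully clickable inside the frame. Hiding by default turns that failure into a blank page rather than a usable target, which is why this pattern is still only a fallback to the server-side headers.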
Server-side clickjacking protection
Server-side defences are often considered more robust and reliable. A popular method is to use HTTP headers, such as the frame-ancestors directive, which is part of the Content Security Policy (CSP). These tell the browser whether a webpage can be loaded inside an iframe. The X-Frame-Options header also helps control this, though it has been largely replaced by CSP directives. The X-Frame-Options header supports values like SAMEORIGIN, which allows a webpage to be framed only by pages from the same origin, helping to prevent malicious embedding by third-party sites.
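To make the two headers concrete, here is a small model of the decision a browser takes when it receives them. This is an added example, not code from the original article or from Avira: `noFramingHeaders()` returns the header pair a server sends for a page that must never be framed, and `framingAllowed()` evaluates a response’s headers against a would-be framing page’s origin. It follows the CSP3 rule that frame-ancestors, when present, overrides X-Frame-Options, and covers the common source forms (`'none'`, `'self'`, `*`, scheme-only, and host sources with an optional leading wildcard and port) rather than every corner of the CSP grammar. All origins are constructed.

```javascript
// Added example (not from the original article): how a browser decides whether
// a response may be framed, given Content-Security-Policy frame-ancestors and
// X-Frame-Options. Origins are constructed; the matcher covers the common
// frame-ancestors source forms, not the full CSP3 grammar.

// The headers a server should send for a page that must never be framed.
// The X-Frame-Options copy is a fallback for browsers without CSP2 support.
function noFramingHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}

// HTTP header names are case-insensitive; normalise before lookup.
function lowerCaseKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns the frame-ancestors source list from a CSP value, or null when the
// policy carries no such directive.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null;
}

// Does one frame-ancestors source expression match the embedding origin?
function sourceMatches(source, pageOrigin, ancestorOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return ancestorOrigin === pageOrigin;
  if (src === '*') return true;
  const a = new URL(ancestorOrigin);
  // Scheme-only source such as "https:" matches any host on that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return a.protocol === src;
  // Host source: [scheme://][*.]host[:port|:*]. A missing scheme inherits the
  // ancestor's scheme; a missing port means the scheme's default port.
  const withScheme = src.includes('://') ? src : a.protocol + '//' + src;
  const m = withScheme.match(/^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme + ':' !== a.protocol) return false;
  const hostOk = wildcard ? a.hostname.endsWith('.' + host) : a.hostname === host;
  if (!hostOk) return false;
  if (port === undefined) return a.port === ''; // URL.port is '' for the default port
  return port === '*' || a.port === port;
}

// Decide whether the page at `pageUrl`, served with `headers`, may be framed
// by a document at `ancestorUrl`. When CSP carries frame-ancestors, CSP3 says
// X-Frame-Options must be ignored; otherwise X-Frame-Options decides.
function framingAllowed(headers, pageUrl, ancestorUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const ancestorOrigin = new URL(ancestorUrl).origin;
  const h = lowerCaseKeys(headers);
  const ancestors = frameAncestors(h['content-security-policy']);
  if (ancestors !== null) {
    return ancestors.some((s) => sourceMatches(s, pageOrigin, ancestorOrigin));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestorOrigin === pageOrigin;
  // No header, or an unrecognised value (including the obsolete ALLOW-FROM):
  // the browser allows framing.
  return true;
}
```

The last branch is the point worth checking on your own sites: a response with neither header is frameable by anyone, and so is one whose only protection is a value current browsers no longer recognise. Sending `frame-ancestors 'none'` together with `X-Frame-Options: DENY` covers both modern and legacy browsers, and a page that legitimately needs to be embedded by a partner can list that partner’s origin instead of `'none'`.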
For even greater security, websites can combine frame-busting with user authentication. For example, deploying CAPTCHA before performing sensitive actions can prevent users from accidentally making changes. Security guidelines from organisations like OWASP recommend using multiple layers of protection to reduce the risk of clickjacking attacks.
Additionally, some browser add-ons help detect and block hidden iframes, offering users an extra layer of defence against clickjacking threats.
Together, client-side and server-side methods can help make websites more effective at blocking clickjacking attacks so they better protect users’ clicks from being used as weapons against them.
How your actions online help keep you safer from clickjacking
Being highly aware of social engineering can go a long way in thwarting clickjacking, as this is a preferred hacker attack method. As always, follow common-sense rules and internet best practices to stay safer online.
- Be vigilant online and keep careful track of your social media profiles and online accounts so you’ll be more likely to notice unexpected activity.
- Think before you click. Be sceptical if something seems too good to be true—like a surprise prize or an unbelievable discount. And don’t click on pop-ups, especially on unfamiliar sites. Text-based clickjacking (a type of smishing fraud) is becoming more common. So, avoid engaging with texts from unknown senders. If you’re tempted to click, hover over the link first to reveal the true URL and see where it leads.
- Use an ad blocker. Malicious ads can be vehicles for clickjacking attacks. A good ad blocker can help put the brakes on them so they don’t appear in the first place.
- Disable scripts on shady websites. Some browsers like Avira Secure Browser come with built-in security features and help block harmful scripts from running in the background. They can also help block ads and dangerous websites from loading.
- Enable browser security settings. Browsers like Chrome and Firefox offer some protection against clickjacking. Keep them updated and enable security and privacy features. Don’t ignore browser warnings on the sites you visit. If you’re warned not to proceed, take the hint. Browse our guide on how to check website safety.
- Enable multifactor authentication. Adding a second line of defence with two- or multifactor authentication (like a passcode sent via SMS or email) means that cybercriminals are locked out even if they steal your password.
Get free, robust protection as a convenient single solution
Bringing in trusted technological reinforcements is key to helping protect yourself against cybercrimes, including clickjacking. Avira Free Security blends a powerful antivirus, password manager, software updater, VPN, and more to build a multi-layered defence against even the latest online threats. Help protect all your devices with Free Security for Windows, the security solution for Mac, the security app for iOS devices, or the antivirus app for Android phones and tablets.
Clickjacking doesn’t get as much attention as other cyberthreats, like phishing, but it can be equally dangerous—because you might not even know it’s happening. Keep your browser and device’s security tight and stay aware to help avoid falling for these hidden traps.
And remember: Just because you see something on your screen doesn’t mean it’s real.