Clickjacking takes the form of embedded code, or the script that can execute without user’s knowledge, such as clicking on a button (or a link) that appears to perform another function. Clickjacking attack generally allows to perform an action on victim’s website, mostly cyber criminals target on Facebook and Twitter accounts.
Clickjacking, put simply, is when a button, image, video, or some form of embedded content on a website is overlaid by an invisible layer that sits on top of the site underneath it.
Clickjacking Facebook – Likejacking is type of clickjacking attacks that targets Facebook’s ‘Like’ button. So, suppose the user visits the attacker’s website. The attacker can embed Facebook’s ‘Like’ button on his page and the attacker wants to trick the user to click on the “Like” button, so, how can he do that? First, he can create a decoy button that lures the user to click on it to claim a free iPad.
Then, he can reposition the ‘Like’ button exactly on top of the decoy button and, finally, he can make the ‘Like’ button completely transparent using CSS, so, when the user tries to click on the decoy button he ends up getting tricked to click on something he didn’t intend to click on
1] Cursor spoofing attack to steal webcam access : In this attack , attacker shows a you a screen where a video is popup with some amazing title with a button known as ” Click to watch “. And suppose the user moves the cursor over to the ‘Click to watch’ link and clicks. How many of you noticed that the real cursor was hidden all the time and now the cursor is on the ‘Allow’ webcam access button
2] Double-click attack to steal user private data :In the second attack the attacker asks the user to double-click a blue button on the page. When the user clicks on the button the attacker yields the screen real state to the Google auth dialog in the pop-up window, and the second click goes to that dialogue
As a result, the attacker was granted access to the user’s Google account.
3] Whack-a-mole attack to compromise web surfing anonymity : In the third attack the user is asked to play whack-a-mole game. We encouraged users to click on a sequence of buttons as fast as possible. From the beginning the real cursor is hidden and the user is tricked to control a fake cursor. So, after the user has successfully clicked on several buttons, a Facebook ‘Like’ button is repositioned under the user’s real pointer and which users may not notice while clicking.
The attack combines cursors spoofing and fast-paced clicking techniques and was the most effective attack, we found that 98% of users fell for it. So, once the user clicks on the ‘Like’ button the attacker can instantly reveal the user’s identity.