Geek4Eva

Clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous Web pages. (Source: http://en.wikipedia.org/wiki/Clickjacking)

[Image Source]

Here is a simple example where clicking anywhere on the screen (except header and footer) takes the user to another website. http://www.collegehumor.com/video:1928558

Prevention

Currently it seems like there is only one way of protecting against such attacks and that is by using the ‘NoScript‘ add-on for Firefox.

One more quick example of a phishing email.

As per the tip in my previous post: checkout the domain name.

It is actually replaced by an IP address

OWASP (Open Web Application Security Project) recently released OWASP Top 10 – 2010 rc1, their new Top Ten List of website vulnerabilities.

At number eight (8) there is a new entry – A8 – UnvalidatedRedirects and Forwards (NEW). I thought I’ll briefly talk about it as it recently happened with me.

I received the following email from a friend on Facebook (FB). When a user on FB sends an email with a link, FB prefixes the link with its own URL: http://www.facebook.com/<sometext>/<original link>

As any normal user I clicked on the link thinking what it must be.

The link redirected me to the following page:

What this page was trying to do was: it displayed the message “Content requires Adobe Flash Player 10.37…”.
If the user clicked on ‘Install’ it downloaded a “setup.exe” file.
On double-clicking it, it would have tried to infect your PC.

If you look at the page closely there are number of issues in there to help the user identify that it is a phishing page.

1. The title of the page (on top left) is spelt wrongly – YuoTube
2. User has used Facebook’s icon as the website icon
3. The link/URL is neither Facebook.com nor Youtube.com, in fact it is just an IP address
4. Message “…Contect requires Flash Player…” is itself embeded inside a flash video. As in flash is already installed and running on the page.

Hacker has tried to make the page look as similar as possible to Youtube, but it fails big time. Above are some of the quick noticable items, but this page actually nowhere close to a real Youtube page.

TIP: The best way to identify if it is a phishing site or not is by noting the domain name of the website. If the domain name does not sound familiar to the site you were supposed to be at then there is something wrong.