Click jacking for Pain and Profit

Being click jacked on your mobile phone can be an expensive, painful business. Here's how it happens and how you can protect yourself.

Click jacking is headline grabbing again as Google released the latest version of its Android mobile operating system on Dec 6. Google has added security features that (they say) will harden Android to click jacking attacks.

 Click jacking goes by many names including web framing attacks but they all mean the same thing: profits for the predators at the expense of their victims. The attack is correspondingly more serious with the growth in mobile friendly web sites, particularly if those web sites have not implemented anti – click jacking code. Enthusiastic smart phone users with little concept of information security are even more prone to being click jacked.

How does Click jacking Work?

Click jacking is possible because seemingly harmless features of HTML Web pages can be employed to perform unexpected actions. A click jacked page tricks a user into performing undesired actions by clicking on a concealed link. On a click jacked page, the attackers show a set of dummy buttons, and then load another page over it in a transparent layer. The users think that they are clicking the visible buttons, while they are actually performing actions on the hidden page. The attackers can trick users into performing actions which the users never intended to do, such as

• performing an unintended financial transaction.

• embedding a script that can execute without the user's knowledge.

• being redirected to a malicious web site.

Here are some examples:

• The user receives an email with a link to a video about a news item, but another valid page, say a product page on, can be "hidden" on top or underneath the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from E-bay.

Face book was plagued with a scam that asked users to fill out a survey. The third step requested enter personal information including their phone number for a chance to win a prize. Hidden in the fine print, however, was a clause that said the user would be charged an extra $5 per week on their phone bill, as part of a so-called "Awesome Test."

 • Adobe suffered a click jack attack on their plug-in settings page. By loading this page into an invisible iframe, an attacker could trick a user into altering the security settings of Flash, giving permission for any Flash animation to utilize the computer's microphone and camera.

FYI, Stanford University has created a strong click jack method they call tap-jacking for research purposes.

Android Touch Filtering to Reduce Click jacking

This feature is supposed to eliminate or filter out mistaken touch commands. From what I’ve read the concept is valid as it is designed to prevent the user interface from allowing security sensitive functions from being enabled while their function is being obscured by other user interface activities. This is a fancy way of preventing sloppy keying. Since click jacking is based upon the premise of getting users to hit a key they would otherwise not click, reducing sloppy keying seems like a prudent step towards reducing click jacking.

How to Defend Against Mobile Click jacking

The two major ways of preventing click jacking are really up to the operating system vendors of smart phones and up to the operators of web sites – particularly mobile web sites. It is up to the former to deploy defensive code in the user interface to ensure that the current frame is the most top level window, and up to the latter to send the proper browser response headers that indicate an unwillingness to be framed, called frame-breaker script. Here’s how end users can protect themselves:

• Check the URL of a web page – be familiar with the valid name of the page you intend to visit.

• Make sure your operating system employs anti-click jacking functions.

• Ensure you’ve implemented all security patches on your software.

• Remove bogus links from any of your social networking profiles.

• Beware of any offers for free service or products.

• It’s only the predators that get something for nothing.

 Have a secure week. Ron Lepofsky CISSP, CISM

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.