- The research team found out almost 437 third-party scripts that intercepted user clicks on at least 613 websites.
- Researchers noted that while some of the scripts were used to intercept clicks and perform clicks on ads for generating ad revenue, other scripts were used to redirect users to malicious sites, tech support scams, and others.
What’s the matter?
Researchers from Microsoft Research, the Chinese University of Hong Kong, Seoul National University, and Pennsylvania State University have found out malicious clickjacking scripts that intercept user clicks on at least 613 popular websites.
A brief overview
Crooks leverage clickjacking scripts to hijack user clicks and perform unwanted clicks on online ads in order to generate revenue.
The research team detected clickjacking scripts on websites by creating a tool named Observer. This tool scans the Alexa Top 250,000 list of most popular websites for the presence of clickjacking scripts that intercept user clicks.
“OBSERVER focuses on three fundamental actions that JavaScript code might rely on to intercept clicks: 1) modifying an existing hyperlink in a page; 2) creating a new hyperlink in a page; and 3) registering an event handler to an HTML element to hook a user click,” said the researchers in their research paper.
Key findings
- Using OBSERVER, the researchers detected three different techniques to intercept user clicks on the Alexa top 250K websites such as click interception through hyperlinks, event handlers, and by visual deception.
- The research team found out almost 437 third-party scripts that intercepted user clicks on at least 613 websites.
- These websites received around 43 million visits on a daily basis.
- The academics noted that most of the clickjacking scripts were included in legitimate sites as part of advertising solutions.
- While some of the scripts were used to intercept clicks and perform clicks on ads for generating ad revenue (36% of all the pages), other scripts were used to redirect users to malicious sites, tech support scams, and others.
“We identify that many third-party scripts intercept user clicks to monetize user clicks. In particular, they intercept real user clicks to fabricate ad clicks as a new form of committing ad click fraud. Further, the landing URLs that they trick the users into visiting can be malicious,” researchers explained.
Researchers’ recommendations
The researchers also suggested the possible mitigations for the clickjacking attack,
- Researchers recommend organizations to ensure link and click integrity to prevent click-interception by hyperlinks and event handlers.
- They suggest detecting third-party scripts and distinguishing first-party scripts from third-party scripts so that visitors can identify if the redirection URL is provided by the first-party website or a third party.