A global team of tech researchers has found clickjacking scripts on at least 613 of the world’s most popular websites. Hackers exploit such scripts to send automated clicks to different advertisements to earn more money, or to send an unknowing victim to malicious sites infected with malware.
In a research paper published earlier this month, academics and tech researchers from Microsoft Research, the Chinese University of Hong Kong, Seoul National University, and Pennsylvania State University detailed how prevalent clickjacking is, in order to warn advertisers and users of the dangers they might face.
The white paper, entitled “All Your Clicks Belong to Me: Investigating Click Interception on the Web,” discusses how criminal elements are using clickjacking techniques to solicit hidden and unwanted ad clicks to boost profits. Clickjacking has been a widespread problem in the advertising industry for quite some time, and the results of the study highlight how this form of online attack is not only dangerous but also potentially invasive.
“Clicks are also critical in online advertising, which fuels the revenue of billions of websites. Because of the critical role of clicks in the Web ecosystem, attackers aim to intercept genuine user clicks to either send malicious commands to another application on behalf of the user or fabricate realistic ad click traffic,” reads the white paper published by the researchers.
In the past, according to the researchers, hackers used automated scripts to generate fake clicks on hidden ads; however, the researchers determined that criminal elements have started adopting other techniques that hijack clicks made by real users and site visitors.
The team developed a tool called “Observer” to scan Alexa’s Top 250,000 list of most popular websites for scripts that intercept clicks made by site visitors. Their search focused on three categories: click interception by hyperlinks, click interception by event handlers, and click interception by visual deception.
The first technique, click interception by hyperlinks, uses rogue scripts to mask legitimate hyperlinks, hijacking the clicks those links receive and redirecting users to a different location. In the second technique, malicious scripts modify a website’s event handlers to hijack the user’s mouse click and cursor and redirect it toward another element or section of a web page.
Lastly, criminal elements use visual deception to trick users into clicking elements on a legitimate site that look like the site’s original content. This is also called the mimicry technique. Sometimes the hackers also insert a transparent overlay on an element to hide a malicious script that could redirect the click to a different location.
“Using OBSERVER, we identified three different techniques to intercept user clicks on the Alexa top 250K websites and detected 437 third-party scripts that intercepted user clicks on 613 websites, which in total receive around 43 million visits on a daily basis,” the researchers wrote in the white paper.
The results of the study revealed that some of the scripts the researchers found on popular websites are meant to intercept clicks and perform clicks on ads for monetary profit. Others are used by criminal elements to redirect user clicks to malicious URLs. These URLs include scareware, bogus tech support ads, and ads that sell malware-infested apps and websites.
For the first technique that they searched for, the researchers said that they had found a huge number of hyperlinks that are designed to intercept user clicks.
“We observe 120 huge third-party tags on 119 websites. These anchor elements enclose contents whose size is at least 75% of the browser window size. As a result, a visitor has a very high chance to click such an anchor element,” they said.
Furthermore, in the websites they tested, the researchers discovered 203 elements across 172 websites that had navigation event handlers attached, which would drive a user to a third-party URL upon click. They also uncovered 140 mimic third-party element groups on 87 websites and 146 transparent overlay third-party element groups on 144 websites.
“These third-party contents are carefully designed to resemble nearby first-party contents. Hence, unwary users are very likely to be fooled and consequently click them,” they added.
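A site owner can audit their own pages against the "huge anchor" criterion quoted above (an anchor whose content covers at least 75% of the browser window). The following is an added example, not code from the paper or from the Observer tool. It assumes an anchor counts as third-party when its link host differs from the page host, which is a simplification, and all names and sample data are constructed.

```javascript
// Flags anchors that cover >= 75% of the window and navigate off-site.
// In a browser, collect the rects with element.getBoundingClientRect();
// here they are plain objects so the check runs offline.
const HUGE_RATIO = 0.75; // threshold from the quoted passage

// Area of the part of the rectangle that is visible inside the viewport.
function visibleArea(rect, viewport) {
  const w = Math.min(rect.x + rect.width, viewport.width) - Math.max(rect.x, 0);
  const h = Math.min(rect.y + rect.height, viewport.height) - Math.max(rect.y, 0);
  return Math.max(w, 0) * Math.max(h, 0);
}

// Resolve href against the page URL; null for non-http(s) or unparsable links.
function targetHost(href, pageUrl) {
  try {
    const u = new URL(href, pageUrl);
    return u.protocol === "http:" || u.protocol === "https:" ? u.hostname : null;
  } catch {
    return null;
  }
}

function findHugeThirdPartyAnchors(anchors, viewport, pageUrl) {
  const pageHost = new URL(pageUrl).hostname; // assumption: host mismatch = third-party
  const windowArea = viewport.width * viewport.height;
  return anchors
    .map((a) => ({
      id: a.id,
      host: targetHost(a.href, pageUrl),
      coverage: visibleArea(a.rect, viewport) / windowArea,
    }))
    .filter((a) => a.host !== null && a.host !== pageHost && a.coverage >= HUGE_RATIO);
}

// Constructed sample data (not taken from the study).
const SAMPLE_PAGE = "https://news.example.com/article";
const SAMPLE_VIEWPORT = { width: 1280, height: 720 };
const SAMPLE_ANCHORS = [
  { id: "nav-home", href: "/index.html", rect: { x: 0, y: 0, width: 120, height: 40 } },
  { id: "hero", href: "/story/1", rect: { x: 0, y: 0, width: 1280, height: 720 } },
  { id: "wrap", href: "https://ads.example.net/c?id=1", rect: { x: 0, y: -100, width: 1280, height: 2000 } },
  { id: "banner", href: "https://ads.example.net/c?id=2", rect: { x: 0, y: 0, width: 728, height: 90 } },
  { id: "below-fold", href: "https://ads.example.net/c?id=3", rect: { x: 0, y: 800, width: 1280, height: 2000 } },
];

console.log(findHugeThirdPartyAnchors(SAMPLE_ANCHORS, SAMPLE_VIEWPORT, SAMPLE_PAGE));
```

Only the page-wrapping off-site anchor is reported: the full-window first-party link, the small banner and the anchor that is entirely below the fold are not.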