Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
ANTI-CYBERCRIME GROUP
Camp BGen Rafael T Crame, Quezon City

ACG-CYBER SECURITY BULLETIN NR 162: BEWARE OF “Clickjacking”

Reference Number: ACG-CSB 040219162


         The following information was obtained from different cyber security sources for notification to all parties concerned, pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG). It is classified as “Restricted” pursuant to PNP Regulation 200-012 on Document Security, with an Impact Rating of high based on the PNP Information Communication Technology (ICT) Security Manual s.2010-01, p. 22 and p. 129.

SUMMARY

         Clickjacking, also known as a "UI redress attack", is an attack in which the attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on another page when they intend to click on the top-level page. The attacker is thus "hijacking" clicks meant for the visible page and routing them to another page, most likely owned by another application or domain.

         The victim ends up clicking a web page element that is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online. The hidden page may be a malicious page or a legitimate page that the user does not intend to visit.

         Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be made to believe that they are typing the password to their email or bank account, when they are instead typing into an invisible frame controlled by the attacker.

         Clickjacking can turn system features on and off, such as enabling your microphone and camera when a JavaScript prompt asks for permission to access them. It could also pull location data from your computer or other details that could facilitate future crimes.

         Links can be hidden under media and trigger a particular action, such as liking a particular page or ordering a product online. The user may need to meet certain conditions for the attack to actually succeed, such as staying logged into a social media account.

         If a user is tricked into downloading something onto their computer, they then have to deal with a compromised computer. In the best case, they can get rid of the malware through an anti-virus scan. In the worst case, they would need to reformat their computer and reinstall the operating system.

         Clickjacking is an intrusive and damaging attack method that can lead to many serious consequences. Your company needs a way to proactively stop this attack from turning your website or content into a dangerous environment for users.

RECOMMENDATION

         All PNP personnel as well as the public are advised to follow these tips in order to avoid the risk of Clickjacking, to wit:

• Prevent framing from other domains: stop an attacker from placing an invisible overlay over your popular content. With this configuration, the only way your page can be served in a frame is from a page in the same domain as the website;
• Add a frame killer to the website: a frame-killer (frame-busting) script written in JavaScript stops the page from being displayed inside an iframe;
• Use antivirus programs, with automatic updates of signatures and software, on clients and servers;
• Avoid unsafe or suspicious websites that ask you to click on links; and
• Do not share personal information.

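
The first two recommendations above (prevent framing from other domains, and add a frame killer) as an added worked example; this code is not from the bulletin or from any of the referenced sites. It assumes a web server that can set arbitrary response headers; the function names, the sample origins (bank.example, partner.example, evil.example) and the window-like objects used in place of a real browser window are this example's own. The browser-side decision is modelled on the standard X-Frame-Options and Content-Security-Policy frame-ancestors behaviour, simplified to checking only the top-level origin.

```javascript
// Added example (not the bulletin's code): the two anti-clickjacking
// controls the recommendations describe, as (1) the response headers a
// server should send and (2) a "frame killer" check for the page itself.
// All function names are this example's own; the origins are constructed.

// Build the response headers that tell the browser who may frame this page.
// policy: "deny" | "sameorigin" | { allow: ["https://partner.example"] }
function antiFramingHeaders(policy) {
  if (policy === "deny") {
    return {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'none'",
    };
  }
  if (policy === "sameorigin") {
    return {
      "X-Frame-Options": "SAMEORIGIN",
      "Content-Security-Policy": "frame-ancestors 'self'",
    };
  }
  // An allow-list of other domains can only be expressed with CSP
  // (the old X-Frame-Options ALLOW-FROM value is obsolete), so send
  // frame-ancestors with 'self' plus the listed origins.
  const sources = ["'self'", ...policy.allow].join(" ");
  return { "Content-Security-Policy": `frame-ancestors ${sources}` };
}

// Model of the browser's decision: may a document served from pageOrigin
// be displayed in a frame whose top-level document is at topOrigin?
// Browsers that understand frame-ancestors let it take precedence over
// X-Frame-Options when both headers are present. Simplified to the
// top-level origin only (real browsers also check intermediate frames).
function framingAllowed(headers, pageOrigin, topOrigin) {
  const csp = headers["Content-Security-Policy"] || "";
  const m = csp.match(/frame-ancestors\s+([^;]+)/);
  if (m) {
    const sources = m[1].trim().split(/\s+/);
    if (sources.includes("'none'")) return false;
    return sources.some(
      (s) => (s === "'self'" && topOrigin === pageOrigin) || s === topOrigin
    );
  }
  const xfo = (headers["X-Frame-Options"] || "").toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return topOrigin === pageOrigin;
  return true; // no header at all: any site may frame the page
}

// "Frame killer" logic, written against a window-like object so it can be
// exercised outside a browser. In a real page it would be called as
// frameKiller(window) at the top of the document. Returns true when the
// page was framed and the top window has been redirected to the page itself.
function frameKiller(win) {
  if (win.top === win.self) return false; // not framed, nothing to do
  win.top.location = win.self.location; // break out of the enclosing frame
  return true;
}

// Stand-alone demonstration with constructed values.
const sameOrigin = antiFramingHeaders("sameorigin");
console.log(framingAllowed(sameOrigin, "https://bank.example", "https://evil.example")); // false
console.log(framingAllowed(antiFramingHeaders("deny"), "https://bank.example", "https://bank.example")); // false
```

The headers are the primary control: they are enforced by the browser before the page runs. The frame-killer script is a legacy fallback for browsers that ignore the headers, and a framing page can defeat it, so it should never be the only defence.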
For additional information, please refer to the following websites:

• https://www.forcepoint.com/cyber-edu/clickjacking
• https://en.wikipedia.org/wiki/Clickjacking
• https://www.owasp.org/index.php/Clickjacking
• https://www.securityweek.com/three-ways-prevent-clickjacking


POINT OF CONTACT

         Please contact PMAJ ANGELICA STARLIGHT L. RIVERA, Asst. Chief, ARMD, by e-mail or by telephone at (632) 7230401 local 3562 for any inquiries related to this CYBER SECURITY BULLETIN.
