Clickjacking scripts found on 613 popular sites, academics say
A team of academics from all over the world has found malicious scripts that intercept user clicks on 613 of today's most popular websites.
The practice, known primarily under the term of clickjacking, has been plaguing the advertising industry for years, with criminal groups taking advantage of it to perform hidden or unwanted clicks on online ads to boost their profits.
For years, crooks have relied on malware or automated scripts to generate fake clicks on hidden ads, but in recent years, criminal groups have started migrating to techniques that hijack real user clicks.
In a research paper published earlier this month, academics from Microsoft Research, the Chinese University of Hong Kong, Seoul National University, and Pennsylvania State University have set out to record how widespread this new trend really is.
The research team created a tool named Observer that they used to scan the Alexa Top 250,000 list of most popular websites for the presence of malicious scripts that intercept user clicks through one of three main techniques.
1. Click interception by hyperlinks -- when malicious actors use rogue scripts to enclose legitimate links on the original site to hijack their destination.
2. Click interception by event handlers -- when malicious actors use rogue scripts to modify a website's event handlers and hijack the user's mouse click and cursor and redirect it toward another element or section of a web page.
3. Click interception by visual deception -- when malicious actors use rogue scripts to create elements on a legitimate site that look like the site's original content (Mimicry technique), or create transparent overlays around legitimate content, hijacking clicks meant for other elements.
"Using OBSERVER, we identified three different techniques to intercept user clicks on the Alexa top 250K websites, and detected 437 third-party scripts that intercepted user clicks on 613 websites, which in total receive around 43 million visits on a daily basis," researchers said.
The results of the Observer scans are below:
Some of the malicious scripts were used to intercept clicks and perform clicks on ads for monetary profit, while other scripts intercepted clicks to redirected users to malicious sites showing scareware, tech support scams, or peddling malware-laced apps.
Some scripts were blunt in their actions, but researchers said that others were more sophisticated and included techniques to avoid being too intrusive.
"We also detect a few cases that third-party scripts selectively intercepted user clicks," researchers said. "In particular, they would limit the rate at which they intercept the clicks to avoid a user's suspicion."
According to data collected by the research team, most of the clickjacking scripts were included in legitimate sites as part of advertising solutions.
In total, researchers said that roughly 36% of all the pages where they spotted clickjacking (click interception) the scripts were being (ab)used to generate ad revenue.
Researchers said the reason why these techniques are becoming rampant is because online advertisers are deploying better solutions to detect bot-generated (programmatic) clicks. As a result, criminal groups are resorting to these techniques that hijack real user clicks to perform actions that were previously performed by automated scripts or malware.
They expect the problem to increase in the coming years. To protect users, they suggest that browsers show information about who created a link on a page when the user clicks or hovers their mouse over a URL -- such as showing if the link was created and added to the page by the original site domain, or by a third-party domain.
However, the practicality of such a solution is still under debate, as it could greatly slow down page-to-page navigation.
Additional technical details about this research can be found in a white paper named "All Your Clicks Belong to Me: Investigating Click Interception on the Web," presented at the USENIX security conference earlier this month.