Clickjacking, where links on a website redirect unknowing users to spam, advertising or malware, has been around for decades. However, new tactics that defy the best mitigation efforts of browsers has led to it affecting millions of internet users browsing the web’s top sites, researchers found in a new study.
In crawling data from the Alexa top 250,000 websites, researchers discovered 437 third-party scripts that intercepted user clicks on 613 websites – which in total receive around 43 million visits on a daily basis. Making matters worse, click interception links are using new techniques – such as making the links larger – that are making them harder to avoid.
“We further revealed that many third-party scripts intercept user clicks for monetization via committing ad click fraud,” researchers said. “In addition, we demonstrated that click interception can lead victim users to malicious contents. Our research sheds light on an emerging client-side threat, and highlights the need to restrict the privilege of third-party JavaScript code.”
The researchers, who collaborated from the Chinese University of Hong Kong, Microsoft Research, Seoul National University and Pennsylvania State University,
published their findings in a paper, “All Your Clicks Belong to Me: Investigating Click Interception on the Web,” which they are discussing Thursday at the USENIX Security conference.
threatpost.com
