ClickJacking Attack: Things you must know

Clickjacking is the most widely used method by hackers to infect a target and spread the attack, in which the attacker deceives the user into disclosing private data and other account information necessary to spread the attack.

Clickjacking is basically a malicious script attack, also known as UI redressing, that takes over the links displayed in the Internet browser for various web pages. When this happens, the user is taken to a site, which is unintended when he tries to click on that link.

In other words, clickjacking is an embedded script or code that can click on a button that appears to perform another function without the user’s knowledge.

clickjacking attack


Sometimes a user is unaware of what has just happened, or in some cases, a user can immediately detect it. There are a few things about which everyone ought to be aware of this menace that can create havoc.

  1. Clickjacking happens when a website is embedded with a malicious program. This program hovers under the unaware user’s mouse, and if the user clicks the mouse on a page or link, a new web site appears or the downloading of software takes place.
  2. It’s a malicious script that can virtually run on any website without the owner being aware of it or having the ability to stop it. These attacks have been a significant cause of concern for many big companies and major websites like Facebook.
  3. By making the user believe that he is on the company website, clickjacking can create a mirror site and collect personal information.
  4. Except for very few browsers that are not based on graphics, they are immune from clickjacking software.
  5. Clickjacking can steal private data like social security numbers, credit cards, and bank information.
  6. This malicious script can work without the knowledge of the user and install several software applications on a computer. They could be harmful viruses, adware, or software that is more dangerous to the machine.
  7. A new clickjacking script has been disclosed that can be used to spy on your webcam and microphone in Adobe’s Flash software. Adobe’s Flash software is vulnerable as it enables clickjacking to gain access to the user’s microphone and webcam.

While the user visits a web page, unknown to him, the target application waits in the background and is loaded while it floats the unseen allow button. When the user clicks on the flash button, the hidden “allow” button receives your click.

The Flash application is now accessed with full permission and may even stream from your microphone and webcam to a server for recording.

Facebook created the “Facebook like” feature so that web developers could put the code on any website they wanted. The like button helps with quick sharing of the webpage you are reading with your friends.

Not only is it easy to use, but it is also easy to abuse in a clickjacking attack.

The scammer will just create a webpage containing some attractive tile, such as “Shocking Hidden Message in the Google Logo!” and a like button and some script.

The scammer will then ask you to “like” the page and will also demand that you share the page on your friend’s wall to expose the secret message. He just used you as a spammer and successfully carried out a clickjacking attack.

You might also like: How to hack Facebook password

How do you recognize a clickjacking attack?

The first clue that there is something awry with the site is its URL, which indicates it provides “free Facebook layouts.” Then, the page traps visitors with some fancy Javascript so that they cannot scroll down or leave the page without “taking a quiz.”

Even further, the page tries to scare visitors with a pop-up that says, “We have been receiving a lot of spambot traffic from an IP address similar to yours. Please complete a quiz to unlock the page”. This is a typical social engineering scare tactic popular with text messaging scams.

How can you protect yourself from a clickjack attack?

Many security software companies and browsers are working on how to counter and combat this malicious script attack.

Some suggest that the best way to counter clickjacking is to install the NoScript browser addon and allow only sites you trust to run active content.

How do scammers benefit from clickjacking attacks?

The only goal of scammers is to make money. Clicking any of the links in the above-discussed Clickjacking attacks sends a request to affiliate programs, most likely collecting clicks for a CPA (cost-per-action) program.

These requests happen so fast that the user would have no idea when and how other sites were being contacted.

Examples of clickjacking attacks:

1. “My total facebook profile views—Survey Scam

A new survey scam is spreading virally across Facebook, and already thousands of people have been scammed. The New SPAM claims to unveil your total Facebook profile views by following a few steps.

The scammers are using Facebook applications to post spam messages to the user’s profiles.

Again, I want to make it very clear that there is no way you can find “your total Facebook profile views” or “who viewed your profile.”.

Still, people are very curious to know these things, and while doing these stupid things, you are totally unaware of the risks involved.

Let’s see how this SPAM works:

At first, you will probably see a status update on your friend’s wall saying he has found out his total Facebook views, and the number XXX will be displayed beside that. Along with this, there will be another link to the Scammers application that says “Find out your total profile views [LINK]”. The link points to rogue applications that trick you into allowing them to access your Facebook page and profile details.

When you click on that link, you will be directed to a Facebook application that will request your permissions. As soon as you click “allow”, the app will automatically post status updates on your wall, which can be seen by your Facebook friends.

ClickJacking Attack: Things you must know

After you allow the app to access your profile and post to your Facebook page, you’ll next be taken to the web page, which claims it will calculate the number of people who have viewed your profile. But first, they want you to complete a survey.

ClickJacking Attack: Things you must know

Here comes the intention of these spammers. They are just doing their job of making money by tricking people. How? The scammers make money every time one of these surveys is completed.

How do you disable this clickjacking fraud in your account?

If you’ve been affected by this scam, you should first remove the status updates from this app. The next step is to remove this app from accessing your Facebook profile. To do so, go to Account >> Privacy Settings and scroll down. Click the edit option in the “Apps and Websites” area.

Direct link: http://www.facebook.com/settings/?tab=applications

ClickJacking Attack: Things you must know

Here you will see all the applications that can access your personal data and have the right to post on your wall. You can click on the app to find more information about it.

ClickJacking Attack: Things you must know

Click “Remove,” and now you can remove the app you want. In this case, the App will The apps are sorted according to the date when they were added. So the Spammers app that we are discussing now will be at the top.

2. “Find Your Stalker”: A New Facebook Clickjacking fraud

Its human nature; we are unknowingly tempted to check out sexy-looking stuff.

Scammers are using simple social engineering techniques to get hold of your Facebook account and promote their Products.

This time, scammers have more powerful Facebook clickjacking fraud. Now we have seen clickjacking fraud that could update your status and post the same scam link to your friends Wall automatically. But this spam is different; it also tags random friends from your friends list and checks them as your top stalkers.

Just observe the screenshot below. If you happen to see a message like the following posted on your wall by one of your Facebook friend’s, don’t click on the link.

Find Your Stalker - New Facwbook Scam

If you do make the mistake of clicking on the link—perhaps out of morbid curiosity to see your stalkers—you will be redirected to a page that claims you are about to find out who spends excessive time with your photos, reading your old posts, and blah blah.

They will ask you to run some scripts on your Facebook homepage. Once you run the JavaScript, the evil javascript script will start its work, and within minutes, it will flood your friend’s wall and your wall with the same spam.

This is a typical clickjacking scam.

How do I protect myself in the future?

Use the best Internet security software, and if you are using Firefox, then add the Add NoScript Plugin to your Firefox browser. NoScript allows active content to run only from sites you trust, and you can protect yourself against XSS and clickjacking attacks.

3. “Get 5000 likes in your status”—a Facebook Clickjacking scam

Not everyone gets hundreds of likes on their Facebook status posts. Some smart programmers have developed a script that can get any of your Facebook posts (status, photo, or video) loads of likes in just a few seconds. Yes, it’s true that the script was leaked a long time ago.

But the scammers have used this script to spread spam for their own benefit. In this clickjacking fraud, you will surely get hundreds of likes to your respective status post, but at the same time, you will be posting this spam message: “Get 5000 likes in your status! [URL]” to all the groups you are a member of. Thus spreading this clickjacking fraud further.

The scammers have actually used two scripts to trap you:

  1. Facebook app to Auto-Post to all the groups you are a member of.
  2. Facebook auto-liker app script

Here’s the actual spam post in Facebook groups:

ClickJacking Attack: Things you must know

When a user clicks the [link] provided in the SPAM post, he will be redirected to a page that will ask you to complete a few steps, which involve getting the token code by allowing their Facebook app to access your Facebook profile data.

Here’s how it looks:

how to  Get 5000 likes in your Status

Once the user clicks the “get token” button, he/she will see a pop-up asking to allow a particular Facebook app to auto-post to all the groups.

Once you give all the permissions to their app, they can post any message anywhere on behalf of you. The moment you realize this, you have already posted the message “Get 5000 likes in your status! [URL]” to all the groups you belong to. 

how to  Get 5000 likes in your Status

Next, you will be asked to input a token code, and after submitting the token code, you will be able to input “status ID,” for which you want loads of likes. And yes, you will get loads of likes as promised, but the untold truth is, you just became another spammer spreading clickjacking fraud.

How am I promoting this fraud?

Once you share their post in all the groups, the group members will obviously click on the [link] provided and, in turn, will become victims by promoting it further. In this course, the SPAM developers are making money by monetizing advertisements (which are normally made with Viagra ads), and you are the one who is getting scammed as well as acting as a spammer.

How do I get rid of this clickjacking scam? (Get 5000 likes in your Status!)

If you are a victim of this spam, don’t worry. Just go to “App Settings” on Facebook and look for the recent apps that you have given permissions to and remove all of them.

how to  Get 5000 likes in your Status

The scammers are using several dozen apps, namely CityVille, Xperia, Twitter, and other genuine-looking names. So observe them carefully and remove them. 

4. “Revolving Images” inside Facebook: Clickjacking spam

There are some websites like (do not try that script) that are promising to rotate the images on your Facebook profile, and yes, it is possible, but along with this, they are also promoting Facebook status spam.

When you try that JAVA script, you will see the images rotating, and the worst part is that you will automatically post this website link to all your friends walls. When you copy and paste that script in your address bar, hit enter. The current script basically attaches the external script to your current page, which eventually makes the browser run that script.

Below is a screenshot of the spam:

Alert JAVA Script of Revolving Images is spreading Facebook status SPAM

How do I get rid of this ‘Revolving Images’ script?

If you are already infected, then this script might be posting automatic status updates on your wall after a particular time gap. To stop this, just clear your browser’s “Cookies and Cache.”

5. Facebook virus “Koobface” uses clickjacking attack to spread through messenger

A couple of weeks ago, I received a message from my friend asking me to check out some links that actually redirect you to a malicious website.

At first, I thought this guy was playing around with a keylogger. But after that, I have been getting this kind of message every day. then I realized this is another Facebook clickjacking spam.

The best part of this virus is that when you click on the link in the message, the virus automatically creates a group of your friends and sends them a copy of the message from you. Yesterday, I accidentally clicked on the link, and thank God my all-time favorite AVG internet security saved me.

Koobface facebook virus

Below is a screen shot of a message. The link in the message disguises a Trojan worm and should not be clicked.

example of Koobface facebook virus

If you’ve received a message like that through Facebook messages, you may have been exposed to the serious “Koobface” virus. Once the URL is clicked, “Koobface” prompts you to update your Flash player. Therein lies the virus, cloaked in a “flash_player.exe” file.

According to the Kaspersky Lab, an antivirus organization working closely with Facebook, “Koobface” transforms victim machines into zombie computers to form botnets.

How does it work?

When you click on the link in the message, the “Koobface” gets into action. Then it finds the appropriate Facebook cookie and it modifies the users account settings and profile – Sending messages containing links to malicious sites to trick your friends into installing the invader.

Breaking News Lady Gaga Found dead in Hotel room

I hope this article helps you understand clickjacking better and provides intelligence on identifying clickjacking scripts in the future.

Related articles:

  1. 4 ways to hack someones email account
  2. How to find someones IP address on Facebook
  3. How to Get the IP address of an Instagram user
  4. How to tap someone’s cellphone
  5. Facebook fake account finder app
  6. How can i trace the location of a Facebook user
  7. How to hack IP address from Facebook
  8. Facebook hack tool
  9. Hack Facebook account online

Ashwin S

A cybersecurity enthusiast at heart with a passion for all things tech. Yet his creativity extends beyond the world of cybersecurity. With an innate love for design, he's always on the lookout for unique design concepts.