NEW ClickJacking Attack

December 8, 2008

A new attack method that is being addressed by web technologists is the ClickJacking attack.  ClickJacking is a new type of attack vector whereby a user unintentionally clicks on a button or object that is hidden underneath a legitimate object.

Everyday we click on websites – we click all over them.  And our lessor informed computer user colleagues (LICUCs) click frantically without really understanding who is in control and what is coming next. It could be a simple “Yes” button to agree to something or a “submit” button for your password. But do we know what we’re actually clicking? If we’re not careful, we could become a victim of a ClickJacking attack.

With ClickJacking, an attacker could potentially place a “transparent” button under or over a legitimate button, making it difficult for users to detect. The mechanism for getting the malicious clickjack button in place could involve taking advantage of Adobe Flash as well as JavaScript.  Adobe has recently updated Flash to prevent this attack method.

But what does this mean for financial institutions with a community of LICUCs?  TrustCC has preached for years that security awareness training is the best dollar for dollar value in improving the security of your organization.  As a matter of fact, for years we’ve been offering free security awareness training to financial institution clients and prospects.

Security awareness training is effective at combating many forms of web attack.  For example, teaching a user to use alt-f4 to close a dialogue box/pop-up prevents them from unwittingly clicking a “close” button that could have been programmed by a coder to install malicious code.  A common form of attack that seems to get my LICUC daughter is the pop up claiming that her computer’s security software needs an update.  The pop up says “Click Here to Update” or “Click Here to Close” and either click will install the malicious code or spyware.  (For some, including my wonderful 19 year old daughter, no amount of “security awareness” training will resolve the issue… ;))

So what do we recommend for Banks and Credit Unions facing ClickJacking?  Diligence in your software updating processes, your anti-virus/anti-spyware updates, and your security awareness training.  Get to it!

– TrustCC

Bonus LICUC Awareness Training Content ———————————-

  • Never deliberately download software to your workstation or desktop from the Internet, no matter how helpful or interesting it may appear. Even innocuous toolbars and nifty utilities can be packed with unwanted spyware. Be especially wary of file-sharing programs, which you shouldn’t be using in the office anyways.
  • Stay away from any questionable sites, including pornography, gambling, hacking or other off-beat sites. But you shouldn’t be, in any case, visiting these types of sites at work either. At most companies, you could be terminated for doing so.
  • Whenever an unwanted or unexpected pop-window appears, shut it down immediately by clicking on the “x” in the upper right hand corner of the window. Never click on any button, even if it says “Cancel” or “Close” on the window itself. These buttons can masquerade as innocent features that inadvertently start an unwanted download of spyware.
  • Be suspicious if endless pop-up windows start opening simultaneously, or if the performance of your workstation turns into a crawl. Assume that you’ve been hit by spyware and seek assistance from the Help Desk.
  • If you’re using Internet Explorer as your browser, change its settings to block ActiveX objects. Go to Tools > Internet Options > Security > Custom Level. There is a section near the top of the dialogue box devoted to ActiveX controls. At the very least, disable downloading of both signed and unsigned ActiveX controls and those marked as unsafe. Some ActiveX objects are spyware. This will block them.
  • If you’re workstation is running Windows XP SP2, then turn on the pop-up blocker feature in Internet Explorer and activate the firewall now bundled as part of SP2. The pop-up blocker is listed under Tools in Internet Explorer’s menu bar and the firewall can be turned on from the Windows Firewall icon in Control Panel. These actions won’t stop spyware altogether, but they can help.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: