You click, I steal: analyzing and detecting click hijacking attacks in web pages

Abstract

Click Hijacking (clickjacking) is emerging as a web-based threat on the Internet. The prime objective of clickjacking is stealing user clicks. An attacker can carry out a clickjacking attack by tricking the victim into clicking an element that is barely visible or completely hidden. By stealing the victim’s clicks, an attacker could entice the victim to perform an unintended action from which the attacker can benefit. These actions include online money transactions, sharing malicious website links, initiate social networking links, etc. This paper presents an anatomy of advanced clickjacking attacks not yet reported in the literature. In particular, we propose new class of clickjacking attacks that employ SVG filters and create various effects with SVG filters. We demonstrate that current defense techniques are ineffective to deal with these sophisticated clickjacking attacks. Furthermore, we develop a novel detection method for such attacks based on the behavior (response) of a website active content against the user clicks (request). In our experiments, we found that our method can detect advanced Scalable Vector Graphics (SVG)-based attacks where most of the contemporary tools fail. We explore and utilize various common and distinguishing characteristics of malicious and legitimate web pages to build a behavioral model based on Finite State Automaton. We evaluate our proposal with a sample set of 78,000 web pages from various sources, and 1000 web pages known to involve clickjacking. Our results demonstrate that the proposed solution enjoys good accuracy and a negligible percentage of false positives (i.e., 0.28%), and zero false negatives in distinguishing clickjacking and legitimate websites.