Republic of the Philippines NATIONAL POLICE COMMISSION PHILIPPINE NATIONAL POLICE ANTI-CYBERCRIME GROUP Camp BGen Rafael T Crame, Quezon City
ACG-CYBER SECURITY BULLETIN NR 207
Reference Number ACG-CSB 051221207
CLICKJACKING/FACEBOOK FAKE LINK SCAM
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
SUMMARY
The Clickjacking attack method works by loading the target website inside a low-opacity iframe and overlaying it with an innocuous-looking button or link. The user, believing they are clicking the apparently safe UI element, actually interacts with the vulnerable website beneath it, triggering a set of actions on the embedded, vulnerable website.
This type of attack received little attention until 2008, when the inventors of the attack, Jeremiah Grossman and Robert Hansen, acquired authorization on a victim’s computer through Adobe Flash by using a Clickjacking attack. Grossman originally named this attack by combining the words 'click' and 'hijacking'. The technique has been categorized and renamed several times since. For example, the attack in which an attacker collected likes for his own post using the Clickjacking method was later known as 'Like Hijacking'.
Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user believes they are clicking the visible page but in fact they are clicking an invisible element in the additional page transposed on top of it.
The invisible page could be a malicious page, or a legitimate page the user did not intend to visit – for example, a page on the user’s banking site that authorizes the transfer of money.
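The overlay described above only works if the target page allows itself to be loaded inside another site's iframe. The standard defence is for the target site to send an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive. The following is an added example (not part of this bulletin and not code from the PNP ACG) that inspects a response's headers and reports whether arbitrary third-party sites can frame the page; the header names and values are the real browser-recognised ones, while the sample header sets are constructed for illustration.

```javascript
// Added example: decide whether a set of HTTP response headers prevents the
// page from being framed by other origins, which is the precondition for
// clickjacking. Uses the real X-Frame-Options and CSP frame-ancestors
// semantics; the sample headers at the bottom are constructed.

function parseFrameAncestors(csp) {
  // A CSP value is a ';'-separated list of directives; return the source
  // list of frame-ancestors, or null if the directive is absent.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function assessFramingProtection(headers) {
  // Header names are case-insensitive; normalise them to lower case.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  // Browsers that understand frame-ancestors give it precedence over X-Frame-Options.
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors) {
    if (ancestors.includes('*')) {
      return { protected: false, reason: "frame-ancestors allows any origin ('*')" };
    }
    if (ancestors.includes("'none'")) {
      return { protected: true, reason: "frame-ancestors 'none' blocks all framing" };
    }
    return { protected: true, reason: `framing limited to: ${ancestors.join(' ')}` };
  }

  // Fall back to the older X-Frame-Options header.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options ${xfo}` };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // ALLOW-FROM was never widely supported and is ignored by current browsers.
    return { protected: false, reason: 'ALLOW-FROM is ignored by modern browsers; use frame-ancestors' };
  }
  if (xfo) {
    return { protected: false, reason: `unrecognised X-Frame-Options value "${xfo}"` };
  }
  return { protected: false, reason: 'no X-Frame-Options or frame-ancestors; any site can frame this page' };
}

// Constructed sample responses: a weak configuration and a hardened one.
const weakHeaders = { 'Content-Type': 'text/html' };
const hardenedHeaders = {
  'Content-Type': 'text/html',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "frame-ancestors 'none'",
};

console.log('weak:', assessFramingProtection(weakHeaders));
console.log('hardened:', assessFramingProtection(hardenedHeaders));
```

Sending both headers, as in the hardened sample, covers older browsers that only honour X-Frame-Options as well as current ones that prefer the CSP directive. Where a page legitimately must be embedded by a specific partner site, list that origin in frame-ancestors rather than removing the protection altogether.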
RECOMMENDATION
All PNP personnel as well as the public are advised to follow these tips to reduce the risk of CLICKJACKING/FAKE LINK SCAM:
• Protect your computer by using security software. Set the software to update automatically so it can deal with any new security threats.
• Protect your mobile phone by setting software to update automatically. These updates could give you critical protection against security threats.
• Protect your accounts by using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in to your account. This is called multi-factor authentication. Multi-factor authentication makes it harder for scammers to log in to your accounts if they do get your username and password.
• Protect your data by backing it up. Back up your data and make sure those backups aren’t connected to your home network. You can copy your computer files to an external hard drive or cloud storage. Back up the data on your phone, too.
For additional information, please refer to the following websites:
• https://www.netsparker.com/blog/web-security/clickjacking-attack-on-facebook-how-tiny-attribute-save-corporation/
• https://www.imperva.com/learn/application-security/clickjacking/
• https://auth0.com/blog/preventing-clickjacking-attacks/
• https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams
POINT OF CONTACT
Please contact PCPT MARK GERALD ALGUNAS NORBE, Public Community Relation Officer, through e-mail address [email protected] or telephone number (632)7230401 local 7483 for any inquiries related to this CYBER SECURITY BULLETIN.