DOCSLIB.ORG

A Solution for the Automated Detection of Clickjacking Attacks

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Solution for the Automated Detection of Clickjacking Attacks A Solution for the Automated Detection of Clickjacking Attacks Marco Balduzzi Manuel Egele Institute Eurecom Technical University Vienna Sophia-Antipolis [email protected] [email protected] Engin Kirda Davide Balzarotti Christopher Kruegel Institute Eurecom Institute Eurecom University of California Sophia-Antipolis Sophia-Antipolis Santa Barbara [email protected] [email protected] [email protected] ABSTRACT 1. INTRODUCTION Clickjacking is a web-based attack that has recently received Web applications have evolved from simple collections of a wide media coverage. In a clickjacking attack, a malicious static HTML documents to complex, full-fledged applica- page is constructed such that it tricks victims into clicking tions containing hundreds of dynamically generated pages. on an element of a different page that is only barely (or not The combined use of client and server-side scripting allows at all) visible. By stealing the victim’s clicks, an attacker developers to provide highly sophisticated user interfaces could force the user to perform an unintended action that is with the look-and-feel and functionalities that were previ- advantageous for the attacker (e.g., initiate an online money ously only reserved to traditional desktop applications. At transaction). Although clickjacking has been the subject the same time, many web applications have evolved into of many discussions and alarming reports, it is currently mesh-ups and aggregation sites that are dynamically con- unclear to what extent clickjacking is being used by attackers structed by combining together content and functionalities in the wild, and how significant the attack is for the security provided by different sources. This rapid evolution, com- of Internet users. bined with the increasing amount of sensitive information In this paper, we propose a novel solution for the auto- that is now accessible through the web, has brought a corre- mated and efficient detection of clickjacking attacks. We sponding increase in the number and sophistication of web- describe the system that we designed, implemented and de- based attacks and vulnerabilities. ployed to analyze over a million unique web pages. The The same origin policy, first introduced in Netscape Nav- experiments show that our approach is feasible in practice. igator 2.0 [31], is still the keystone around which the entire Also, the empirical study that we conducted on a large num- security of cross-domain applications is built. The main idea ber of popular websites suggests that clickjacking has not yet is to implement a set of mechanisms in the browser that been largely adopted by attackers on the Internet. enforce a strict separation between different sources. This separation is achieved by preventing the interaction between pages that are from different origins (where the origin of a Categories and Subject Descriptors page is usually defined as a combination of the domain name, K.6.5 [Management of Computing and Information the application layer protocol, and the TCP port number). Systems]: Security and Protection The same origin policy, hence, can guarantee that cookies and JavaScript code from different websites can safely co- exist in the user’s browser. General Terms Unfortunately, attackers, often driven by a flourishing un- Security, Design, Experimentation derground economy, are constantly looking for exceptions, browser bugs, or corner cases to circumvent the same origin checks with the aim of stealing or modifying sensitive user Keywords information. One of these techniques, previously known as Clickjacking, Web Security, ClickIDS, HTML IFRAME, CSS, UI Redress [40], has recently gained increasing attention un- Javascript, Browser Plug-In der the new, appealing name of clickjacking. Since Robert Hansen and Jeremiah Grossman announced a talk on the topic at OWASP AppSec 2008 [20], there has been a flood of news, discussions, and demonstrations on clickjacking. Permission to make digital or hard copies of all or part of this work for The idea behind a clickjacking attack is simple: A mali- personal or classroom use is granted without fee provided that copies are cious page is constructed such that it tricks users into click- not made or distributed for profit or commercial advantage and that copies ing on an element of a different page that is only barely, or bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific not at all noticeable. Thus, the victim’s click causes uninten- permission and/or a fee. tional actions in the context of a legitimate website. Since ASIACCS’10 April 13–16, 2010, Beijing, China. it is the victim who actually, but unknowingly, clicks on the Copyright 2010 ACM 978-1-60558-936-7 ...$10.00. element of the legitimate page, the action looks “safe” from of a page, while her intention is to interact with the con- the browser’s point of view; that is, the same origin policy tent of a different site. That is, even though the victim is is not violated. under the impression of clicking on a seemingly harmless Clickjacking attacks have been reported to be usable in page, she is actually clicking on an element of the attacker’s practice to trick users into initiating money transfers, click- choice. The typical scenario, as described by Grossman and ing on banner ads that are part of an advertising click fraud, Hansen [16], involves two different websites: A target site posting blog or forum messages, or, in general, to perform T , and a malicious site M. any action that can be triggered by a mouse click. T is a website accessible to the victim and important for Beside several proof-of-concept clickjacking examples that the attacker. Such sites include, for example, online-banking have been posted on security-related blogs, it is not clear to portals, auction sites, and web mail services. The goal of the what extent clickjacking is used by attackers in practice. attacker is to lure the victim into unsuspectingly clicking on To the best of our knowledge, there has only been a single, elements of the target page T . large-scale real-world clickjacking attack, where the attack M, on the other hand, is under control of the attacker. was used to spread a message on the Twitter network [24]. Commonly, this page is created in a way so that a trans- We describe this attack in more detail in Section 2. parent IFRAME containing T overlays the content of M. In this paper, we present a novel approach to detect click- Since the victim is not aware of the invisible IFRAME, by jacking attempts. By using a real browser, we designed and correctly aligning T over M, an attacker can lure the victim developed an automated system that is able to analyze web into clicking elements in T , while she is under the impres- pages for clickjacking attacks. We conducted an empirical sion of clicking on M. A successful clickjacking attack, for study on over one million unique Internet web pages. The example, might result in the victim deleting all messages experiments we conducted show that our system works well from her web mail inbox, or generating artificial clicks on in practice. advertisement banners. Our solution can be adopted by security experts to au- Figure 1 shows a real-world clickjacking attack that has tomatically test a large number of websites for clickjacking. been used to propagate a message among Twitter users [24]. Moreover, the clickjacking plug-in we developed can be in- In this attack, the malicious page embeds Twitter.com on a tegrated into a standard browser configuration in order to transparent IFRAME. The status-message field is initialized protect normal users from clickjacking during their daily In- with the URL of the malicious page itself. To provoke the ternet use. click, which is necessary to publish the entry, the malicious To the best of our knowledge, we are the first to conduct a page displays a button labeled “Don’t Click.” This button is large-scale study of the clickjacking problem, and to propose aligned with the invisible “Update” button of Twitter. Once a novel system for the automated testing, and detection of the user performs the click, the status message (i.e., a link the attack. Our paper provides a first insight into the cur- to the malicious page itself) is posted to her Twitter profile. rent prevalence of clickjacking attempts on the Internet. While clickjacking attacks can be performed in plain HTML, the use of JavaScript can be used to create more The main contributions of this paper are as follows: sophisticated attacks. For instance, JavaScript allows the attacker to dynamically align the framed content with the • We present our automated approach to detect click- jacking attacks. user’s mouse cursor, thus making it possible to perform at- tacks that require multiple clicks. • We describe the ClickIDS browser plug-in we devel- Note that manipulating the frame’s opacity level (e.g., oped, and the system we deployed to analyze more making it transparent) is not the only way to mount a click- than a million unique Internet web pages. jacking attack. A click can also be “stolen” by covering the frame containing the victim page with opaque elements, and • We present a first, large-scale attempt to estimate the then leaving a small hole aligned with the target element on prevalence of clickjacking attacks on the Internet. the underlying page. Another possible approach consists of resizing and/or moving the IFRAME in front of the mouse • We assess to what extent clickjacking defense tech- just before the user performs a click. niques have been adopted by examining thousands of Unlike other common web vulnerabilities such as cross- popular websites.
Load more

Recommended publications
  • IYIR for HTML
    INFOSEC UPDATE 2006 Student Workbook Norwich University June 19-20, 2006 M. E. Kabay, PhD, CISSP-ISSMP Assoc. Prof. Information Assurance Program Director, MSIA BSIA Division of Business Management Norwich University [email protected] Copyright © 2006 M. E. Kabay. All rights reserved. Page 1 INFOSEC UPDATE 2006 -- June 19-20, 2006 01 Introduction Category 01 Introduction 2006-06-12 Introduction M. E. Kabay, PhD, CISSP WELCOME Welcome to the 2005 edition of the Information Security Year in Review (IYIR) project. In 1993 and 1994, I was an adjunct professor in the Institute for Government Informatics Professionals in Ottawa, Canada under the aegis of the University of Ottawa. I taught a one-semester course introducting information security to government personnel and enjoyed the experience immensely. Many of the chapters of my 1996 textbook, _The NCSA Guide to Enterprise Security_ published by McGraw-Hill were field-tested by my students. In 1995, I was asked if I could run a seminar for graduates of my courses to bring them up to date on developments across the entire field of information security. Our course had twenty students and I so enjoyed it that I continued to develop the material and teach the course with the NCSA (National Computer Security Association; later called ICSA and then eventually renamed TruSecure Corporation and finally CyberTrust, its current name) all over the United States, Canada, Europe, Asia and the Caribbean. After a few years of working on this project, it became obvious that saving abstracts in a WordPerfect file was not going to cut it as an orderly method for organizing the increasing mass of information that I was encountering in my research.
    [Show full text]
  • Phishing Brochure
    hereʼs a new type of Internet Here’s how phishing works: How to Protect Yourself piracy called “phishing.” Itʼs n a typical case, youʼll receive an e-mail that Never provide your personal pronounced “fishing,” and appears to come from a reputable company information in response to an Tthatʼs exactly what these thieves are that you recognize and do business with, unsolicited request, whether it is over the Isuch as your financial institution. In some 1phone or over the Internet. E-mails and Internet doing: “fishing” for your personal cases, the e-mail may appear to come from a pages created by phishers may look exactly financial information. What government agency, including one of the federal like the real thing. They may even have a fake financial institution regulatory agencies. padlock icon that ordinarily is used to denote they want are account numbers, The e-mail will probably warn you of a serious a secure site. If you did not initiate the passwords, Social Security problem that requires your immediate attention. communication, you should not provide any numbers, and other confidential It may use phrases, such as “Immediate attention information. information that they can use to loot required,” or “Please contact us immediately If you believe the contact may be about your account.” The e-mail will then legitimate, contact the financial your checking account or run up encourage you to click on a button to go to the institution yourself. You can find bills on your credit cards. institutionʼs Web site. 2phone numbers and Web sites on the monthly statements you receive from your financial In a phishing scam, you could be redirected In the worst case, you could find institution, or you can look the company up in to a phony Web site that may look exactly a phone book or on the Internet.
    [Show full text]
  • Copy of OC Awareness Campaign #5
    DDOONN‘‘TT GGEETT CCAAUUGGHHTT IINN AA TTEECCHH SSUUPPPPOORRTT SSCCAAMM!! HOW DO TECH SUPPORT SCAMS WORK? Tech support scammers may call you, enlist pop-up ads on your computer, or place ads for their "tech support company" to look credible and attempt a scam. They often gain control of your computer by asking you to give them remote access to your computer. Once they gain access, the scammer may pretend to run a diagnostic test of your computer. In reality, they are downloading malware, or other viruses, downloading sensitive information that was stored on your computer, or locking you out of your computer by downloading ransomware. WHAT'S IN IT FOR THE SCAMMER? Obtain sensitive information Find credit card information Ask you to pay to fix an issue that doesn't exist with a wire transfer, gift card, or credit card. Though some will ask you for credit card information, the scammer often asks you to pay by wiring money, putting money on a gift card, prepaid card or cash reload card, or using a money transfer app because they know those types of payments can be hard to reverse. SPOTTING AND AVOIDING TECH SUPPORT SCAMS Tech support scammers use many different tactics to trick people. Spotting these tactics will help you avoid falling for the scam. Phone Calls (Vishing) Tech support scammers may call and pretend to be a computer technician from a well-known company. They say they’ve found a problem with your computer. They often ask you to give them remote access to your computer and then pretend to run a diagnostic test.
    [Show full text]
  • Phishing Attacks Or to Give Sensitive Information Away (Such As Bank Details)
    Phishing emails try to convince users to click on links to dodgy websites or attachments, Phishing attacks or to give sensitive information away (such as bank details). This advice includes tips about how to spot the most obvious signs of phishing, and what to do if you think you've Dealing with suspicious emails clicked a bad link. For more information, please visit www.ncsc.gov.uk/phishing . Make yourself a Tell tale signs harder target of phishing ***** Information from your website or Spotting a phishing email is social media accounts leaves a becoming increasingly difficult, and 'digital footprint' that can be even the most careful user can be exploited by criminals. You can make yourself tricked. Here are some tell tale signs less likely to be phished by doing the following: that could indicate a phishing attempt. Criminals use publicly available ? Is the email addressed to you by information about you to make their name, or does it refer to 'valued phishing emails appear convincing. customer', or 'friend' or 'colleague'? Review your privacy settings, and think This can be a sign that the sender about what you post. does not actually know you, and that it What is phishing? Be aware what your friends, family and is part of a phishing scam. colleagues say about you online, as Others will try and create official- Phishing is when criminals attempt to this can also reveal information that can be used to target you. looking emails by including logos and trick people into doing 'the wrong thing', graphics. Is the design (and quality) such as clicking a link to a dodgy website.
    [Show full text]
  • Clickjacking
    Security Now! Transcript of Episode #168 Page 1 of 18 Transcript of Episode #168 ClickJacking Description: Steve and Leo discuss yet another challenge to surfing safely in the web world: Known as "ClickJacking," or more formally as "UI Redressing," this class of newly popular threats tricks web users into performing web-based actions they don't intend by leading them to believe they are doing something else entirely. High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-168.mp3 Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-168-lq.mp3 INTRO: Netcasts you love, from people you trust. This is TWiT. Leo Laporte: Bandwidth for Security Now! is provided by AOL Radio at AOL.com/podcasting. This is Security Now! with Steve Gibson, Episode 168 for October 30, 2008: Clickjacking. It's time for Security Now!, the show where we cover everything you'd ever want to know about security. And we do it with a guy who is the king, really, as far as I'm concerned, the man who discovered spyware, named spyware, wrote some of the most used security utilities out there, including ShieldsUP!, Mr. Steve Gibson of GRC.com. Hi, Steve. Steve Gibson: Yes, in fact sometimes we're discussing things that you'd rather wish weren't the case. I mean... Leo: Well, lately it's been kind of bleak because it's like, there's bad stuff, and there doesn't really seem like there's any cure. Steve: Yes, that's true.
    [Show full text]
  • Beware of These Common Scams
    Beware of these common scams Nigerian Scams People claiming to be officials, businessmen or surviving relatives of former government officials in countries around the world send countless offers via e-mail, attempting to convince consumers that they will transfer thousands of dollars into your bank account if you will just pay a fee or "taxes" to help them access their money. If you respond to the initial offer, you may receive documents that look "official." Unfortunately, you will get more e-mails asking you to send more money to cover transaction and transfer costs, attorney's fees, blank letterhead and your bank account numbers and other sensitive, personal information. Tech Support Scams A tech support person may call or email you and claim that they are from Windows, Microsoft or another software company. The person says your computer is running slow or has a virus and it’s sending out error messages. Scammers will ask you to visit a website that gives them remote access to your computer. If the caller obtains access they can steal personal information, usernames and passwords to commit identity theft or send spam messages. In some cases, the caller may even be asked for a wired payment or credit card information. Lottery Scams In foreign lottery scams, you receive an email claiming that you are the winner of a foreign lottery. All you need to do to claim your prize is send money to pay the taxes, insurance, or processing or customs fees. Sometimes, you will be asked to provide a bank account number so the funds can be deposited.
    [Show full text]
  • SECURITY GUIDE with Internet Use on the Rise, Cybercrime Is Big Business
    SECURITY GUIDE With internet use on the rise, cybercrime is big business. Computer savvy hackers and opportunistic spammers are constantly trying to steal or scam money from internet users. PayPal works hard to keep your information secure. We have lots of security measures in place that help protect your personal and financial information. PayPal security key Encryption This provides extra security when When you communicate with Here’s you log in to PayPal and eBay. When PayPal online or on your mobile, how to get you opt for a mobile security key, the information you provide is we’ll SMS you a random 6 digit encrypted. This means it can only a security key code to enter with your password be read by you. A padlock symbol when you log in to your accounts. is displayed on the right side of your 1. Log in to your PayPal You can also buy a credit card sized web browser to let you know you account at device that will generate this code. are viewing a secure web page. www.paypal.com.au Visit our website and click Security to learn more. Automatic timeout period 2. Click Profile then If you’re logged into PayPal and My settings. Website identity verification there’s been no activity for 15 3. Click Get started beside If your web browser supports an minutes, we’ll log you out to help “Security key.” Extended Validation Certificate, the stop anyone from accessing your address bar will turn green when information or transferring funds 4. Click Get security key you’re on PayPal’s site.
    [Show full text]
  • A Semi-Automated Security Advisory System to Resist Cyber-Attack in Social Networks
    A Semi-Automated Security Advisory System to Resist Cyber-attack in Social Networks Samar Muslah Albladi and George R S Weir University of Strathclyde, Glasgow G1 1XH, UK {samar.albladi; george.weir}@strath.ac.uk Abstract. Social networking sites often witness various types of social engi- neering (SE) attacks. Yet, limited research has addressed the most severe types of social engineering in social networks (SNs). The present study in- vestigates the extent to which people respond differently to different types of attack in a social network context and how we can segment users based on their vulnerability. In turn, this leads to the prospect of a personalised security advisory system. 316 participants have completed an online-ques- tionnaire that includes a scenario-based experiment. The study result re- veals that people respond to cyber-attacks differently based on their de- mographics. Furthermore, people’s competence, social network experience, and their limited connections with strangers in social networks can decrease their likelihood of falling victim to some types of attacks more than others. Keywords: Advisory System, Social Engineering, Social Networks. 1 Introduction Individuals and organisations are becoming increasingly dependent on working with computers, accessing the World Wide Web and, more importantly, sharing data through virtual communication. This makes cyber-security one of today’s greatest issues. Pro- tecting people and organisations from being targeted by cybercriminals is becoming a priority for industry and academia [1]. This is due to the huge potential damage that could be associated with losing valuable data and documents in such attacks. Previous research focuses on identifying factors that influence people’s vulnerability to cyber-attack [2] as the human has been characterised as the weakest link in infor- mation security research.
    [Show full text]
  • Financial Fraud and Internet Banking: Threats and Countermeasures
    Report Financial Fraud and Internet Banking: Threats and Countermeasures By François Paget, McAfee® Avert® Labs Report Financial Fraud and Internet Banking: Threats and Countermeasures Table of Contents Some Figures 3 U.S. Federal Trade Commission Statistics 3 CyberSource 4 Internet Crime Complaint Center 4 In Europe 5 The Many Faces of Fraud 6 Small- and large-scale identity theft 7 Carding and skimming 8 Phishing and pharming 8 Crimeware 9 Money laundering 10 Mules 10 Virtual casinos 11 Pump and dump 12 Nigerian advance fee fraud (419 fraud) 12 Auctions 14 Online shopping 16 Anonymous payment methods 17 Protective Measures 18 Scoring 18 Europay, MasterCard, and Visa (EMV) standard 18 PCI-DSS 19 Secure Sockets Layer (SSL) and Transport Secured Layer (TLS) protocols 19 SSL extended validation 20 3-D Secure technology 21 Strong authentication and one-time password devices 22 Knowledge-based authentication 23 Email authentication 23 Conclusion 24 About McAfee, Inc. 26 Report Financial Fraud and Internet Banking: Threats and Countermeasures Financial fraud has many faces. Whether it involves swindling, debit or credit card fraud, real estate fraud, drug trafficking, identity theft, deceptive telemarketing, or money laundering, the goal of cybercriminals is to make as much money as possible within a short time and to do so inconspicuously. This paper will introduce you to an array of threats facing banks and their customers. It includes some statistics and descriptions of solutions that should give readers—whether they are responsible for security in a financial organization or a customer—an overview of the current situation. Some Figures U.S.
    [Show full text]
  • Click Fraud,' Personal, Non-Commercial Use Only
    April 6, 2005 PAGE ONE Traffic Jam DOW JONES REPRINTS This copy is for your In 'Click Fraud,' personal, non-commercial use only. To order presentation-ready copies Web Outfits Have for distribution to your colleagues, clients or customers, use the Order A Costly Problem Reprints tool at the bottom of any article or visit: www.djreprints.com. Marketers Worry About Bills Inflated by People Gaming • See a sample reprint in PDF format . The Search-Ad System • Order a reprint of this article now. Mr. McKelvey Turns Detective RELATED ARTICLE By KEVIN J. DELANEY • Internet Firms Face Legal Test on Staff Reporter of THE WALL STREET JOURNAL Advertising Fees3 April 6, 2005; Page A1 Nathan McKelvey began to worry about foul play when Yahoo Inc. refunded him $69.28 early last year. He grew more suspicious when a $16.91 refund arrived from Google Inc. The refunds were for "unusual clicks" and "invalid click activity" and they suggested someone was sabotaging Mr. McKelvey's advertising strategy. He pitches his charter-jet brokerage the way companies increasingly do: contracting with Yahoo and Google to serve up small text ads to anyone searching the Web using certain words, such as "private jet" or "air charter." He pays the search companies a fee every time someone clicks on his ads. But Yahoo and Google determined someone was clicking on CharterAuction.com Inc.'s ads with no intention of doing business, thus unfairly driving up the company's advertising costs. Mr. McKelvey, turning detective, combed through lists of "IP" addresses, the identifying codes supplied by computers when they access Web sites.
    [Show full text]
  • Phishing: Crime That Pays
    1 Phishing: Crime That Pays Philip J. Nero, Brad Wardman, Heith Copes, Gary Warner University of Alabama at Birmingham Abstract—Email phishing requires functional The 2010 Javelin Strategy Identity Theft & Fraud countermeasures, as does any crime that results in Survey shows that there were an estimated 11.1 million millions of dollars in yearly losses. Many financial victims of identity theft and/or fraud in 2009 (Javelin, institutions currently combat phishing by contracting 2010). These victims lost over 54 billion dollars. A large takedown companies that remove relevant phishing percentage of these victims were victims of cyber-based websites as soon as possible after they are detected. By criminal activity. According to a recent Gartner Research comparing the median time necessary for professionals to study, 3.6 million American consumers lost money to take a phishing website down to the average time it takes phishing scams in 2007 (Gartner, 2007). Each phishing for a phishing website to turn a profit for its creator, I victim lost an average of $361. Therein, the approximate have demonstrated the overall effectiveness of the financial loss to phishing in the United States in 2008 takedown process. On average, takedown companies fail was nearly $2 billion. These studies also show that to eradicate phishing websites before their creators financial institutions accrue $1 billion in losses from garner valuable information from multiple victims. phishing every year. The above statistics demonstrate Furthermore, forensic evidence that could lead to the serious criminal activity, but the real problem is that the arrest of the cybercriminals responsible for the phishing vast majority of phishers go unpunished.
    [Show full text]
  • Clickjacking: Attacks and Defenses
    Clickjacking: Attacks and Defenses Lin-Shung Huang Alex Moshchuk Helen J. Wang Carnegie Mellon University Microsoft Research Microsoft Research [email protected] [email protected] [email protected] Stuart Schechter Collin Jackson Microsoft Research Carnegie Mellon University [email protected] [email protected] Abstract such as a “claim your free iPad” button. Hence, when Clickjacking attacks are an emerging threat on the web. the user “claims” a free iPad, a story appears in the user’s In this paper, we design new clickjacking attack variants Facebook friends’ news feed stating that she “likes” the using existing techniques and demonstrate that existing attacker web site. For ease of exposition, our description clickjacking defenses are insufficient. Our attacks show will be in the context of web browsers. Nevertheless, the that clickjacking can cause severe damages, including concepts and techniques described are generally applica- compromising a user’s private webcam, email or other ble to all client operating systems where display is shared private data, and web surfing anonymity. by mutually distrusting principals. We observe the root cause of clickjacking is that an Several clickjacking defenses have been proposed and attacker application presents a sensitive UI element of a deployed for web browsers, but all have shortcomings. target application out of context to a user (such as hiding Today’s most widely deployed defenses rely on frame- the sensitive UI by making it transparent), and hence the busting [21, 37], which disallows a sensitive page from user is tricked to act out of context. To address this root being framed (i.e., embedded within another web page).
    [Show full text]