The so-called double-clickjacking cyber scam has been gaining the attention of security experts since the beginning of the year. In short, this new attack exploits the double-click action on a mouse. By doing this, attackers can bypass security mechanisms in the interfaces of the web pages you visit, potentially affecting millions of users worldwide.
In this post, we break down how this cyber scam works and provide guidance on how both users and companies can prevent it.
Understanding Double-Clickjacking Attacks
Double-clickjacking attacks are a more advanced version of clickjacking attacks. In a clickjacking attack, cybercriminals compromise a legitimate website and insert hidden buttons and links within its interface. When users click on these, they’re taken to a malicious site designed to deceive them.
Double-clickjacking works similarly but involves two steps. Attackers insert a malicious element between the first and second clicks to execute unwanted actions. Essentially, cybercriminals add a harmful button, prompting you to double-click. After the first click, a new malicious element is added to trick you into clicking again.
For instance, you might encounter a deceptive captcha or confirmation button on a website. The first click could close an invisible window, making it seem like nothing has happened. However, your second click would then execute an unwanted action in the background.
Cybercriminals have successfully carried out this type of attack on well-known platforms such as Slack, Shopify, and Salesforce. Attackers can manipulate critical security settings on your account, obtain API permissions, and even authorize payments and bank transfers to steal money or make purchases in your name.
The major risk of double-clickjacking is that it’s challenging for users to detect. Since the attack can occur on legitimate sites, users don’t have to be redirected to a fake website. Moreover, it requires minimal interaction–just a simple double-click is enough.
Additionally, it’s a relatively new type of attack, which means current web browsers lack robust defenses against it. Existing protections are primarily designed for single-click actions and don’t account for actions triggered by a second click.
How to Avoid a Double-Clickjacking Attack
The most effective way to protect yourself as a user is to keep your computer and browser up to date. When engineers discover vulnerabilities, they typically address them in updates. Regularly updating your operating system and browser reduces your risk of exposure to these known vulnerabilities.
In addition, you should be alert for any suspicious signs on websites. This includes unexpected pop-up windows, buttons that prompt you to double-click, and unusual captchas that look different from what you’re used to. These can be indicators of potential attacks.
It’s also a good practice to avoid clicking hastily on newly opened windows. Read any confirmation messages carefully, and refrain from double-clicking on buttons that only require a single click.
For their part, developers and companies managing websites should implement protection measures in user interfaces. These can include disabling critical buttons until users perform deliberate actions, adding security scripts, and promoting compliance with security standards in browsers.
Image | Shagal Sajid
View 0 comments