Click. You've been jacked.
An innocent mouse click on your part, which you thought would play a video or answer a survey question or close a dialog box, instead is hijacked through malicious Web coding to do something completely different without your knowledge.
The Webcam on your computer is turned on and a live stream of your doings is sent to someone else. Or maybe you tell all your Facebook friends that you like a video or that a particular Web site is funny. Only you didn't, it's the clickjacking that did.
“Clickjacking” hits hundreds of thousands of victims each year, not just in San Diego and throughout America, but from Italy to Japan; it's common anywhere there's social networking, and these days that's anywhere.
Luckily, most of the exploits arising from clickjacking are more annoying than dangerous. Unluckily, it's difficult to tell when you have been a victim of it and technically hard to fight. And the folks in the best position to warn you about it don't seem to want the bad publicity.
The most common variation on the clickjack uses Facebook, and is dubbed “Likejacking.” It takes advantage of coding that Facebook made available a couple of years ago which allows any Web page to have a Facebook “Like” button. The button, if clicked by a Facebook user, enables Facebook to tell all the user's friends that he or she is a fan of the Web page.
So if I am Likejacked, a link will be posted on Facebook under my name that might read, “Jeff likes 'The Prom Dress That Got This Girl Suspended From School.' ” Friends, who trust me only to post something decent and funny, then click the link, which takes them to the Web page where they in turn are Likejacked.
And so the link spreads on Facebook like a virus, sending first dozens, then hundreds, then thousands of people to the Web page. And maybe there's an advertisement on that page that pays a tiny amount per user impression; but when there are thousands of people exposed to the ad the Web page owner collects an easy profit.
Clickjacking, technically known as a “user interface redress attack,” takes advantage of advances in coding that allow Web pages to appear in layers. An example is when you see an advertisement move and appear to float over a page, then recede.
That same coding allows hackers to place an invisible button layer, for example an invisible oversize Facebook Like button, over what appears to be a video you want to play on the page. You believe you are clicking on the video, but you actually are clicking the invisible button over the video, and all your friends back on Facebook are told how much you like the video even though you never saw it.
A potentially more invasive clickjacking exploit can occur when your mouse click activates the Adobe Flash Player on your computer to turn on your Webcam and microphone and stream the video elsewhere. Simply tightening the security settings on the Flash Player can prevent this, however, and if your player is up to date the settings now prevent it by default.
Fighting off more common schemes such as Likejacking is far more difficult. One reason Likejacking has been so successful is because it takes advantage of our innate trust for our friends.
Technical fixes, too, run the danger of disabling desirable Web features and must be implemented specifically to each browser. The most successful, the NoScript extension for the Firefox browser, still requires some technical knowledge and interest to implement.
One of the best defenses, then, is to be vigilant. Would your friend really recommend, “This man takes a picture of himself EVERYDAY for 8 YEARS!!”? If you suspect you've been Likejacked, check your profile page on Facebook to see if there's a post there you didn't know about.
If there is, hover your mouse over the post and an “X” button will appear to the right. Click on that and either simply delete the post or, better, choose “Report as Spam.” Doing so will return your mouse to the right side in the fight of good over evil.
Until recently, Facebook had done precious little to fight Likejacking. Little information on clickjacking is available in the Web site's Help Center, and not a single public-information campaign has appeared, even though Likejacking has been a continuing problem.
Late last month, Facebook changed the way Like buttons work so that a second window pops up when the button is clicked, and that window requires users to confirm they want to allow Facebook to tell their friends they like the page. As long as hackers don't find a way around it, Likejacking might become far less pervasive. Only time will tell.