Click Hijacking

When a fake click is delivered to an attribution system after the installation of an app has already begun, so that it is credited as the last click before the install.

Click hijacking is one of the most common forms of mobile attribution fraud, and also one of the easier ones to spot once you look at timing. A fake click, typically fired by a malicious app already on the device and sometimes by bots, is delivered to the attribution system after the app download has already begun. Because last-click attribution credits whichever click arrived last before the install, the attribution tool assigns the install to that fraudulent click, and the fraudulent source is paid for an install it did nothing to earn. The same term is also used loosely for clickjacking (UI redressing) on the web, where an attacker layers a transparent frame or an invisible element over decoy content so that a click meant for the decoy lands on something else: a legitimate site embedded in an invisible iframe, code injected into a compromised page, or an overlay served through an abused advertising network. Both senses appear below.

When the hijacked click is used for redirection, the user lands on a site that impersonates a trusted one, such as a bank or social-media login page. The attacker's goal is to have the user enter credentials or card details there.

A hijacked click can also lead to malware. The page it lands on may exploit an unpatched vulnerability in the browser or operating system (a drive-by download), installing malware without the user's knowledge or consent.


What Does a Click Hijacking Attack Look Like?

  • You’re scrolling through a travel blog, mesmerized by pictures of a hidden beach paradise. Suddenly, a “Book Now!” button pops up right where you want to click for more photos. Click! Instead of the expected outcome, you find yourself on a shady website collecting your credit card details for a “luxury resort” that doesn’t exist. Scenarios like this are more common than most users realize—studies show that nearly half of all ad clicks can be fraudulent or invalid in certain digital environments, often driven by deceptive techniques such as click hijacking.
  • You’re eagerly waiting for the sale to start on your favorite clothing store’s app. A giant “50% OFF” banner appears, practically begging you to tap. Tap! Except it wasn’t the banner that received your tap. An invisible layer placed over it by an attacker captures the touch and sends you to a fake website selling knock-off clothes at full price.
  • You receive an email with a subject line promising “Free Tickets to the Hottest Music Festival!” Excited, you click the “Claim Now” button. Click! But instead of concert tickets, a seemingly harmless pop-up appears asking you to “like and share” the offer. Like? Share? Little do you know, the pop-up is actually a cleverly hidden “like” button for a malicious app that silently collects your data in the background. 

Different Faces, Different Troubles: Types of Click Hijacking Attacks

  • The Classic Invisible Overlay
    Imagine a museum exhibit: a captivating painting behind security glass, and a glare on the glass that hides what you are really looking at. Clickjacking’s “invisible overlay” works similarly. The attacker’s page loads a legitimate website inside a transparent iframe positioned exactly over a decoy button (“Play video”, “Claim prize”). You see and aim at the decoy, but the click lands on the real site’s button underneath, such as “Confirm purchase”, “Change email” or “Allow access”, using the session you are already logged into. Nothing visible changes, which is exactly what makes the technique effective.
  • The Likejacking Lullaby
    Ever see a post promising “1000 Likes for Free!” and feel a primal urge to click? Hold your horses. This is “likejacking” at play. The real “Like” or “Share” button of a social network is framed invisibly under the decoy, so a single tap publishes the attacker’s content to your followers or inflates fraudulent engagement. Social platforms remain prime targets—phishing and social engineering attacks now account for over 70% of successful cyber incidents, largely because they exploit trust and habitual clicking behavior.
  • The Phishing Phantom
    Imagine a chameleon blending into its surroundings. The “phishing phantom” operates in a similar fashion. Strictly speaking this is phishing rather than clickjacking, but it is where a hijacked click often lands: a fake login page that looks identical to that of a legitimate website, like your bank or email provider. You click a seemingly familiar link and enter your login details. Poof! Your credentials are now in the hands of a cybercriminal.
  • The Cursor Captor
    Ever feel like your mouse has a mind of its own, clicking on things you didn’t intend to? This could be “cursorjacking”. The page hides the real cursor with CSS and draws a fake one offset by a few hundred pixels. You aim the fake cursor at a harmless element while the real one sits over a hidden link, a download button or a permission prompt, so that is where your click goes. If the cursor feels out of sync with the page, stop clicking and leave.
  • The Download Disguise
    Picture this: you click on a seemingly harmless download button. Instead of the promised software, you get malware that wreaks havoc on your device. This is the “download disguise” at work. Attackers place fake “Download” buttons (often as ads) beside or over the real one, tricking users into installing harmful programs.

Top Methods to Prevent Click Hijacking Attacks 

For Website Owners:

  • X-Frame-Options Header: This HTTP header tells the browser whether your page may be displayed inside an iframe on another site. “DENY” forbids framing entirely; “SAMEORIGIN” allows only pages from your own origin to frame it. The header has no working allow-list form (ALLOW-FROM was never widely supported and has been dropped), so keep it for older browsers and express anything finer in CSP.
  • Content Security Policy (CSP): The “frame-ancestors” directive of CSP is the modern replacement for X-Frame-Options: “frame-ancestors 'none'” blocks all framing, “frame-ancestors 'self'” allows your own origin, and a list of origins allows specific partners. When both headers are present, browsers that understand frame-ancestors ignore X-Frame-Options. The rest of a CSP (script-src and friends) limits which scripts can run on your page, which helps against injected overlays but does not by itself stop your page being framed.
  • Frame-busting JavaScript: A script that detects when the page is loaded inside an iframe and forces itself to the top window. Treat it as a fallback only: it can be defeated by the “sandbox” iframe attribute, by blocking the script, or by the browser’s own navigation handling, and it can create a poor user experience. The headers above are the real control.
  • SameSite Cookies: Mark session cookies “SameSite=Lax” or “Strict”. A page loaded in a cross-site iframe is not a top-level navigation, so the browser does not send those cookies; the framed page is therefore not logged in, and a stolen click has no session to act on.
  • Careful Link Placement: Spacing buttons apart does little against an overlay that can be positioned to the pixel. What does help is requiring a deliberate second step (a confirmation dialog, re-entering a password, or a CAPTCHA) before irreversible actions such as payments, deletions or permission grants, so that a single stolen click is never enough.

For Digital Users:

  • Be Cautious with Links: Don’t click on links from unknown senders in emails, text messages, or social media posts. Even if you know the sender, be wary of unexpected or unusually urgent links.
  • Hover Over Links: Before clicking a link, hover your mouse over it; the real destination appears in the status bar at the bottom of the browser window. If it looks suspicious, don’t click. Note that this only exposes redirects, not an invisible overlay, because the overlay shows the decoy, not the element underneath.
  • Use a Browser Security Extension: A reputable security or ad-blocking extension can block known malicious sites and warn about suspicious links, and many strip the ad slots through which overlays and fake download buttons are served.
  • Keep Software Up to Date: This includes your web browser, operating system, and any security software you use. Updates carry the patches for the vulnerabilities that drive-by downloads rely on.
  • Install an Anti-Malware Program: Not foolproof, but it can detect and remove malware on the device, including the kind of app that fires injected clicks behind your back.

FAQs

1. What is click flooding, and how does it differ from click hijacking?

“Click flooding” (also called click spamming) is an attribution fraud technique that sends large volumes of fake clicks for users who never clicked anything, in the hope that some of them later install the app organically and the flood gets credited. “Click hijacking” (also called click injection) instead fires a single well-timed fake click once an install is already under way, stealing credit for that specific install from its true source. Both manipulate attribution data, but click flooding relies on volume, while click hijacking relies on timing.

2. Why is click hijacking difficult to detect in mobile campaigns?

Because the injected click is sent from the user’s own device by an app already installed on it, it carries a real device identifier, IP address and user agent, so it looks like a genuine click and passes basic fraud rules. It also arrives late in the install flow, after the store download has begun, so only timing analysis (click-to-install time, a click that postdates the start of the download) separates it from a real click.

3. When does click hijacking usually occur during the user journey?

Click hijacking occurs after the user has started downloading the app but before the install completes and the app is first opened. A malicious app on the device can learn that a new package download has begun and fires its click in that window, which guarantees that its click is the last one recorded before the install event in any last-click model.

4. How does click hijacking exploit last-click attribution models?

The fake click is inserted after any legitimate click and just before the install is reported, so under a last-click model it is the click the attribution provider sees last. The hijacker, rather than the network that actually sent the user to the store (or nobody, for an organic install), receives the credit and the payout.

5. What behaviors commonly indicate click hijacking activity?

Abnormally high click-to-install conversion rates for one source, minimal engagement after install, and extremely short click-to-install times (seconds rather than minutes) can signal click hijacking. These patterns suggest the click arrived while the install was already in progress rather than causing it.
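The timing indicators in this answer, as an added example that is not code from the original page: a small Node.js detector that reads one record per install with the clicks that preceded it, flags the install when the last click arrived after the store download began or the click-to-install time (CTIT) is implausibly short, and reports which source should really have been credited. The record layout, the 10-second CTIT floor and the sample data are constructed for this example; they are not a vendor’s schema or real logs.

```javascript
// Added example, not from the original page: detecting click hijacking (click
// injection) in mobile attribution data from timing. The record format and the
// 10-second CTIT floor are assumptions for this example, not a vendor's schema.

// Assumed threshold: a real user who clicks an ad, opens the store, downloads
// and installs an app almost never completes that in under 10 seconds.
const CTIT_FLOOR_SECONDS = 10;

// install: { installId, installBegin, installFinish, clicks: [{ source, ts }] }
// Timestamps are UTC epoch seconds. Returns the last-click credit, the source
// that should actually be credited, and the reasons the install is suspicious.
function assessInstall(install) {
  const clicks = [...install.clicks].sort((a, b) => a.ts - b.ts);
  if (clicks.length === 0) {
    return { installId: install.installId, verdict: 'organic', lastClickSource: null,
             rightfulSource: 'organic', ctit: null, reasons: [] };
  }
  const last = clicks[clicks.length - 1];
  const ctit = install.installFinish - last.ts;
  const reasons = [];

  // A genuine click must precede the store download; a click that arrives
  // after the download began can only have been fired from the device itself.
  if (last.ts >= install.installBegin) reasons.push('last click arrived after the download began');
  if (ctit < CTIT_FLOOR_SECONDS) reasons.push(`click-to-install time ${ctit}s below ${CTIT_FLOOR_SECONDS}s floor`);

  // Credit belongs to the last click that preceded the download, if any.
  const legit = clicks.filter(c => c.ts < install.installBegin);
  const rightfulSource = legit.length ? legit[legit.length - 1].source : 'organic';
  if (reasons.length && rightfulSource !== last.source) {
    reasons.push(`credit moves from ${last.source} to ${rightfulSource}`);
  }

  return {
    installId: install.installId,
    verdict: reasons.length ? 'suspected_hijack' : 'clean',
    lastClickSource: last.source,
    rightfulSource,
    ctit,
    reasons,
  };
}

// Per-source roll-up: the share of a source's last-click installs that are
// flagged, and its (upper) median CTIT, are the numbers an analyst looks at
// before pausing a partner.
function sourceSummary(installs) {
  const out = {};
  for (const inst of installs) {
    const r = assessInstall(inst);
    if (!r.lastClickSource) continue;
    const s = out[r.lastClickSource] || (out[r.lastClickSource] = { credited: 0, flagged: 0, ctits: [] });
    s.credited += 1;
    s.ctits.push(r.ctit);
    if (r.verdict === 'suspected_hijack') s.flagged += 1;
  }
  for (const s of Object.values(out)) {
    s.ctits.sort((a, b) => a - b);
    s.medianCtit = s.ctits[Math.floor(s.ctits.length / 2)];
    s.flaggedShare = s.flagged / s.credited;
    delete s.ctits;
  }
  return out;
}

// Constructed sample data (not real attribution logs).
const SAMPLE_INSTALLS = [
  // Normal: one click, download starts 40s later, install done 100s after the click.
  { installId: 'i1', installBegin: 1040, installFinish: 1100, clicks: [{ source: 'network_a', ts: 1000 }] },
  // Hijacked: network_a drove the user; network_b injects a click 4s before the install completes.
  { installId: 'i2', installBegin: 2040, installFinish: 2100,
    clicks: [{ source: 'network_a', ts: 2000 }, { source: 'network_b', ts: 2096 }] },
  // Hijacked organic install: no real click at all, only the injected one.
  { installId: 'i3', installBegin: 3040, installFinish: 3055, clicks: [{ source: 'network_b', ts: 3050 }] },
  // Organic, nothing to attribute.
  { installId: 'i4', installBegin: 4000, installFinish: 4090, clicks: [] },
];

if (typeof module !== 'undefined') {
  module.exports = { assessInstall, sourceSummary, SAMPLE_INSTALLS, CTIT_FLOOR_SECONDS };
}
```

Running `sourceSummary(SAMPLE_INSTALLS)` credits network_a with one clean install and network_b with two, both flagged, with a median CTIT of 5 seconds: exactly the “high conversion, tiny CTIT” profile the answer describes. The download-start timestamp is the decisive field; without it, a CTIT floor alone will also catch a few very fast genuine users, so treat the floor as a triage signal and the post-download click as the hard evidence.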
