ClickJacking and Phishing
How are clickjacking and phishing different?
This is a great question, because both attacks trick the user into doing something different from what they intended, but they are carried out in very different ways.
Clickjacking works like this:
You know how a website will sometimes show the location of something on Google Maps? That works because the website you are on is also loading a page from Google Maps inside itself. So you are on random-restaurant.com, which is loading map.google.com inside itself; the embedded page is called an iframe. In clickjacking, malicious websites do the same thing, but they load a webpage like bankofamerica.com. This is dangerous because an iframe does not have to show you the entire embedded web page.
Here's an example of how it might work: You visit a website to download the movie Despicable Me. The web page displays the film's cover, information about the actors and actresses in it, and a "Transfer" button to download the movie to your computer. However, the site has actually loaded the Bank of America website in an iframe, opened a transfer-money page, typed in $1,000, and sized the iframe so that only the "Transfer" button at the bottom of the Bank of America form is showing. You think you're about to download a movie, but you're actually transferring $1,000 to them.
Now, over time browsers have become much better at preventing this. There are three things that make this attack very difficult to perform in modern browsers:
It used to be possible to make iframes transparent, so the attacker didn't even need to show you the actual buttons. You thought you were clicking on the page in front of you, but you were actually clicking an invisible button on a different page. Most browsers no longer allow this.
Browsers used to share your logins between your regular browsing and the iframe, so if you were logged into Bank of America, you were also logged in inside the iframe. Now they do a better job of keeping logins separate, so you would have to type your BofA password into the framed page before this attack could work.
Websites can choose how they are loaded and disallow iframes, so if it makes no sense for a page to be embedded by another website, the developer can prevent it from happening.
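As an added example (not code from the original post), here is a small checker for the third point: given a site's HTTP response headers, it decides whether an unrelated site could still load that page in an iframe, using the real X-Frame-Options header and the Content-Security-Policy frame-ancestors directive. The sample header sets are constructed for illustration.

```python
# Added example: evaluate whether an HTTP response's headers stop the page
# from being framed by other sites (the "disallow iframes" choice above).
# The sample header sets at the bottom are constructed for illustration.

def _frame_ancestors(csp: str):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_allowed_cross_site(headers: dict) -> bool:
    """True if some other site could load this response in an iframe.

    Browsers that understand frame-ancestors ignore X-Frame-Options when
    the directive is present, so CSP is consulted first.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        # 'none' blocks everyone, 'self' restricts framing to the same origin;
        # any other source (a named origin or '*') lets another site frame it.
        return any(a not in ("none", "self") for a in ancestors)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    # Missing, empty, deprecated (ALLOW-FROM) or unrecognized values are
    # ignored by modern browsers, which then allow framing by default.
    return True


# Constructed sample responses: the unprotected default beside hardened forms.
SAMPLE_RESPONSES = {
    "no_policy": {"Content-Type": "text/html"},
    "xfo_deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "invalid_xfo": {"X-Frame-Options": "ALLOWALL"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        verdict = "framable by other sites" if framing_allowed_cross_site(hdrs) else "framing blocked"
        print(f"{name}: {verdict}")
```

A page that must never be embedded (a money-transfer form, for instance) should send both headers, since older browsers only honor X-Frame-Options.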
Phishing occurs when one website pretends to be another website. Here, the actual website is not being loaded at all, but the malicious website is being styled to look like the actual website. When you visit, the malicious website seeks to obtain information from you that you would normally only give to the legitimate site, such as your password or credit card information.
For example, you may receive an email from email@example.com informing you that you need to reset your password. When you click the link in the email, it takes you to bankofamericasupport.com, which looks like the Bank of America website but is actually a malicious site. It asks for your current Bank of America password, which you type in thinking it's the real Bank of America website. The malicious website now has your real username and password, so its operators can take over your Bank of America account.
Clickjacking occurs when you are on one website, but it secretly loads another website in order to trick you into taking an unexpected action on that legitimate site.
Phishing occurs when you are on one website, but it pretends to be a different website so that you hand over information you would only give to the legitimate site.