What Is Clickjacking

Clickjacking is an extreme blackhat practice that involves tricking a user into clicking on ads or like/follow buttons when they think they are clicking on something else on your webpage.

It’s illegal and violates virtually every TOS or AUP on the planet. In other words, it’s risky!

If you should decide to engage in clickjacking, that is your call and you bear all responsibility for your own actions. I’m simply here to discuss how it is normally done and educate my audience for their own entertainment.

Are we clear? This is purely for entertainment. If you clickjack that’s your decision, not mine.

But you came to my blog because you wanted to know about something blackhat, so let’s dig in.

How Does Clickjacking Work?

The basic principle is that an advertisement or ‘like/follow’ button will be floated behind the mouse pointer of a user. That ad or button will be invisible and the user will be completely unaware that it is there.

When the user clicks on something else on your webpage, they will effectively be clicking on your advertisement or button.

Typically speaking, that click will earn you money directly, or will add a fan/follow to a social page that you have.

In rare cases people will float an affiliate link behind the pointer to cookie-stuff the user each time they click, but most blackhats will just cookie-stuff the user directly if that is their intention to begin with.

On the right-hand side you will see a mock-up of what the clickjacker would be doing if they were using Adsense as their means of monetization.

Wherever the user moves their mouse, the advertisement will be directly underneath it. That way, when they click on something on the page, they are also clicking on the Adsense ad – earning the clickjacker money for the click.

That having been said, I’m just using Adsense as an example. Not only do I not advise that anyone clickjack anything, but Adsense in particular is a really bad idea. They are very good at catching this activity in most cases.

Of course, I would be lying to you if I told you that I don’t know of people getting away with clickjacking Adsense – but the ones getting away with it are using very advanced scripts with multiple forms of ‘Detection Protection’.

What Is Detection Protection?

I want you to picture this scenario in your head.

You run some company like Adsense that pays publishers every time someone clicks on an ad. All of a sudden, one of your publishers is getting 3000% more clicks than they were getting last week.

Would you go check out those pages to try to find out why? Of course you would.

And that’s exactly what real companies do. They will monitor your traffic for abnormalities and investigate anything that stands out as unusual.

If they find something illegal or deceptive going on they will almost always close your account – and in some cases may prosecute you for fraud, although that’s not common.

So, if you intend on clickjacking then you’ve got to be sure that you are using a plugin or script that will protect you from the entity whose ads or buttons you are clickjacking.

Randomized Click Areas

Old clickjacking scripts would clickjack the same 1x1px box every time. This became easy to track for advertisers that use JavaScript, because they could determine exactly where on the ad the clicks happened.

So back to our earlier scenario. You’re an affiliate manager and one of your publishers is getting 3000% more clicks than they were getting the week before.

Suspicious, right? But to make matters worse, every person that is supposedly clicking on these ads is clicking in the exact same spot – every time!

Not only does that seem suspicious, now it’s just impossible…

Thousands of blackhats were busted because of this rather stupid manner of doing things. But eventually better scripts were written, and the clickjacking would occur at a random point within a box that may have been 20×10 pixels.

That’s better, because now the clicks are coming from 200 different pixels at random. Great, right? Wrong.

If the ad is 300×250 pixels, then having the clicks come from such a small area still doesn’t make sense.

Truly advanced clickjacking scripts will click in not just one random area of a box, but will target multiple areas of the advertisement so that the click location is truly random. See the example below.

[Image: clickjacking areas]

A bad clickjacking script can get you busted by your advertisers, while a better clickjacking script will give you a bit more ‘believability’ just because the clicks are coming from randomly selected places on the advertisement.
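The auditor’s side of the two signals described above (the 3000% click-volume spike and clicks that never leave one small region of a 300×250 ad) as an added example; this is not code from the original post, and the click log it runs over is constructed for illustration:

```python
# Added example (not from the original post): the auditor's side of the two
# signals the post describes, a sudden click-volume spike and clicks that land
# in the same small region of a 300x250 ad. All click records are constructed.
from collections import defaultdict

AD_WIDTH, AD_HEIGHT = 300, 250          # ad size named in the post
AD_AREA = AD_WIDTH * AD_HEIGHT

# Constructed click log: (publisher, week, x, y), x/y relative to the ad's corner.
SAMPLE_CLICKS = (
    [("pubA", 1, x, y) for x, y in [(12, 40), (200, 130), (88, 210), (270, 15), (150, 120)]]
    + [("pubA", 2, x, y) for x, y in [(33, 60), (190, 200), (140, 90), (250, 230), (70, 170), (120, 30)]]
    + [("pubB", 1, 150, 125)]
    # pubB week 2: 60 clicks confined to a 20x10 pixel box, as the old scripts did
    + [("pubB", 2, 100 + (i % 20), 100 + (i % 10)) for i in range(60)]
)


def weekly_counts(clicks):
    """Clicks per (publisher, week)."""
    counts = defaultdict(int)
    for pub, week, _, _ in clicks:
        counts[(pub, week)] += 1
    return counts


def bounding_box_fraction(clicks, pub, week):
    """Fraction of the ad covered by the bounding box of a publisher's clicks."""
    pts = [(x, y) for p, w, x, y in clicks if p == pub and w == week]
    if len(pts) < 2:
        return None
    xs, ys = [x for x, _ in pts], [y for _, y in pts]
    box = (max(xs) - min(xs) + 1) * (max(ys) - min(ys) + 1)
    return box / AD_AREA


def flag_publisher(clicks, pub, week, prev_week,
                   spike_factor=5.0, min_clicks=30, max_fraction=0.05):
    """Return the list of reasons a publisher's week looks like clickjacking."""
    reasons = []
    counts = weekly_counts(clicks)
    cur, prev = counts.get((pub, week), 0), counts.get((pub, prev_week), 0)
    if prev and cur / prev >= spike_factor:
        reasons.append("volume_spike")          # e.g. the post's 3000% jump
    frac = bounding_box_fraction(clicks, pub, week)
    if cur >= min_clicks and frac is not None and frac <= max_fraction:
        reasons.append("click_clustering")      # clicks never leave a tiny box
    return reasons


if __name__ == "__main__":
    for pub in ("pubA", "pubB"):
        print(pub, flag_publisher(SAMPLE_CLICKS, pub, week=2, prev_week=1))
```

The thresholds (5× volume, 30 clicks, 5% of the ad area) are assumptions chosen for the sample; a real ad network would tune them against its own baseline traffic.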

Referer & GEO Detection Protection

Let’s say that someone were using Company ABC to monetize their clickjacking efforts, and they knew that Company ABC was located in Cleveland, Ohio.

If the clickjacker were smart, they would never clickjack any user whose IP came from Cleveland, right? Of course.

So scripts were written to protect against geographic locations. That is, they wouldn’t put the ad underneath the mouse pointer if the visitor comes from a high-risk area.

This makes it harder for Company ABC’s auditor to determine whether the publisher is clickjacking, because they can click anywhere on the page they want and never see the click show up in their backend panel.

But more important than that – certain clickjackers will only do it with traffic that they know can’t be an auditor.

An Example Of How Clickjacking Might Be Done

For instance, let’s just say that you have 10 autoblogs running and they are 10,000 pages each.

They are going to pull in a lot of traffic from the search engines, and maybe you have a popup running on those sites that forces those users to hop over to the website that’s running the clickjacking script.

The now frustrated user gets to the page. The clickjacking script identifies them as traffic having come from a domain that it knows is ‘Safe.’

The script will then deploy the ad underneath the mouse pointer and the user has no idea that it’s there.

But Remember, The User Is Frustrated Now

A cold hard fact is that frustrated people click. They click to find the information or they want to get out of the webpage they are in. But they click!

Since the script has identified them as safe traffic to deploy the ad under, when they do finally click – to leave, or on anything else on the page – the person running that clickjacking website will have effectively monetized that click to get whatever they wanted.

[Image: clickaround]

Furthermore, the person running the clickjacking script will probably be able to get away with this kind of operation for months, maybe years, without being detected, because in order for someone to get clickjacked they have to come from a site the operator knows is secure.

When an auditor comes to check it out, the ad won’t be deployed. In fact, the auditor would have to find one of the operator’s many other autoblog domains and, just by chance, click through to the clickjacking site in order to finally trigger the clickjacked advertisement.

It would be quite a process to go through for the auditor to get what he was looking for.

Final Word On Detection Protection

I’ve only provided you with two of the ways this is typically done. These aren’t super ‘trade secrets’ or anything and are methods that have been around for years.

Nobody – and certainly no developer – should feel this is enough security by any means. If you are thinking about writing your own script to clickjack, research it further first.

Put yourself in the shoes of an auditor and ask yourself what they might look at before you sit down and write any kind of code yourself.

Why Would Someone Clickjack Their Traffic?

Remember, I don’t think that it’s a good idea to clickjack. I don’t suggest that anyone do it!

It’s illegal and prosecutable. This is for entertainment only.

People clickjack for the obvious reason of profit. But they also do it to artificially inflate social numbers.

For instance, if they have a Facebook Page about diet pills, they might clickjack a ‘Like’ button on a domain that only talks about diet pills and fitness. When a user clicks like (and if they confirm the like), that blackhat marketer will be able to advertise to them anytime they want to.

Common sense, right?

But people do it for other reasons as well. For instance, let’s talk about another social network, Twitter.

If you aren’t aware, there are people that will pay to have their message tweeted by someone with a lot of followers. If a blackhat marketer were to clickjack on a massive scale and get 20k-30k followers, they could charge between $50-$100 per tweet.

It’s a pretty profitable operation for the blackhat, but it is extremely risky.

Final Thoughts

I’ve given you a complete overview of what clickjacking is and, furthermore, how someone might use it.

I do not suggest that you go out there and do this. In fact, just the opposite. I would heavily warn you to not engage in this illegal, risky and fraudulent activity.

If someone out there decides they want to do it despite my warnings, then they need to heavily investigate the script they plan on using. Pay special attention to its protection and deployment options.

If you get caught and your accounts get closed, don’t say that I didn’t warn you.

Thanks so much!

– GOY