Clickjacking is a malicious technique during which a victim is tricked into clicking on a URL, button or clickable object other than that intended by or perceived by the user.

This is done by displaying invisible pages or HTML element, via frames, on top of the page the user sees. The user will continue to navigate the webpage expecting buttons and links to work as expected but behind the scenes it is causing malicious actions to occur such as:

  • Installing malware
  • Stealing credentials
  • Activating webcams or microphones
  • Making unsolicited purchases
  • Authorizing money transfers
  • Identifying locations
  • Boosting click stats on unrelated sites
  • Boosting ad revenues on sites

Types of clickjacking


This technique is used on social media, tricking users into liking pages that they didn’t intend to. For example, the hacker might manipulate the Facebook like button.


Cursorjacking is a UI redress technique which changes the cursor position to a different place than the user perceives it. The cursor is usually replaced with a fake one, using an image, and offsets the location of the user’s real cursor. This means that the user will think they are carrying out one action when they are actually completing a different malicious action in the background.


This type of UI redress attack steals the victim’s cookies. By obtaining the cookies, the attacker can access information contained within them and use it to impersonate the victim.


The attacker uses this technique to access the victim’s local file systems and steal files from within them. When uploading an image, for example, a window will come up allowing you to browse the files on your device. During this type of attack, clicking the “Browse Files” button will establish an active server, giving the attacker the potential to access your entire file system.

Preventing a clickjacking attack

There are not fool proof defenses to prevent a clickjacking attack. However, there are some actions you can take to reduce the risk of this type of attack:

  • Watch for emails claiming to address urgent matters – these emails will try to make you act on emotion and urgency and will usually require you to click a link
  • Do not download suspicious apps – these will likely include malware that will capture and steal credentials by presenting false input layers for you to complete.
  • Avoid clicking on offers online that seem “too good to be true”
  • Use robust cybersecurity methods – have a layered approach to prevent all types of cyberattack