Clickjacking Affiliate Trap – Think before you Click
Affiliates use different ways to attract traffic for their advertisers, and in the quest of earning more money, they often get tempted to use malicious ways of getting user clicks. Clickjacking attacks rely on visual tricks to get website visitors to click on user interface elements. This article shows how a clickjacking attack works and how to prevent them.
What is Clickjacking?
Clickjacking is a malicious technique of hijacking the clickable elements on a website by injecting adware through a software application, web browser extensions, and other online platforms. It is also referred to as user interface redressing.
It is a combination of 2 words – Click and Hijacking, a method used to trick users into clicking an invisible web page element or disguised as another element.
Clickjacking is an act of injecting an invisible page or HTML element, inside an iframe, on top of the actual page. The user believes they are clicking the visible page, but a hidden component of the additional page is transposed on top of it and deceives the user to unwittingly download adware in their system, redirecting them to malicious websites, making their credentials or sensitive information vulnerable in the dark web, compromise users financial transactions and more.
The most common approach to Clickjacking involves presenting the user with overlaid web pages in the browser window and some reward to click in specified tabs. The attacker starts by loading the vulnerable target website into an iframe, setting it to full transparency, and placing the frame in front of a malicious web page to elicit clicks in suitable places.
There are many purposes that Clickjacking can serve, and a few are listed below:
PPC (pay-per-click) frauds in affiliate marketing
Redirecting to competitor websites or other digital advertisements
Malware and Adware distribution (e.g., a virus/Trojan download)
Generating fake likes for social media posts (such as on Facebook or Instagram)
Third-party access authorization to remotely perform actions on the hijacked system
Types of Clickjacking attacks
The attacks have different names based on the nature of their operation. Here is a list of the most common types of clickjacking attacks.
Cookie Hijacking: Cookie hijacking is the insertion of an affiliate cookie by distributing adware through web browser extensions or downloadable tools & applications. The malicious affiliates hijack the click elements on advertisers' websites and insert their affiliate cookies to monetize the sales. They earn without driving traffic for the advertisers and consume the commissions of legitimate affiliates.
Cursor Hacking: This technique changes the cursor position to a different section from where the user perceives it. The user performs an action they intend to, but the hijacked cursor clicks on another hidden element on the web page. Cursor jacking is a technique of "creating" a lag between where you, a user, seem to click and where they actually click.
Like Jacking: This type of Clickjacking is performed to increase the likes on social media profiles. The malicious affiliates hijack the click elements and redirect the users to like tabs on Facebook, YouTube, Twitter, or other social media channels.
File Jacking: The user allows the attacker to access their local file system and use their personal data for various purposes without their knowledge.
How does it Benefit Malicious Affiliates?
The affiliate industry works on the model of - Give & Take. There are three key players in affiliate marketing – the merchant(advertiser), the publisher(affiliates) & the buyer(customers).
The advertisers pay commissions to the publishers to drive user traffic, eventually increasing sales.
Since 2015, affiliate marketing revenues have jumped 52%, and the market is only projected to expand over the coming years. Affiliate marketing has gained popularity over the last decade because of its payment model and user reach. And this tempts the affiliates to adopt malicious ways of earning more commissions. One such way is Clickjacking. The affiliates have been using multiple methods to hijack the clickable elements on web pages or applications and drop their affiliate cookies to make money. A few techniques are mentioned below:
Injecting multiple third-party affiliate cookies into the user system/browser and triggering a particular action like liking a Facebook ad or purchasing a product
Redirecting users to a competitor's website or getting them to download infected software application
Consuming marketing budgets of the advertisers by flooding spam clicks on pay-per-click ads
Distributing malware or adware attacks to access user systems and their information
Access users' personal information like passwords, banking, contact details, and more
A shopper wants to buy clothes online and downloads a web browser extension offering discount coupons. He then visits one of the popular online shopping websites Guiseme.com. The user browses the website and decides to buy a shirt. He visits the checkout page, clicks on the Buy It Now tab, and activates an affiliate cookie at the backend. Do you know what happened here?
The coupon browser extension downloaded by the user is infected, and functions as adware, and affiliates use it to hijack the Buy It Now tab on the advertiser's website. Affiliates then monetize sales happening on Guiseme.com without driving any user traffic. Here, the brand loses money by paying commissions to the affiliates for hijacking their web elements. The shopper remains unaware of any such act.
How to prevent Clickjacking attacks?
Affiliate traps have increased manifolds over the past decade, and with the uplift in the affiliate marketing industry, it is only to grow in the future. Brands are becoming more active in monitoring their affiliate networks and keeping them safe from fraud.
Virus Positive Technologies (VPT) is pioneering the market of Affiliate Fraud Management & Brand Protection Solutions. VPT's disruptive methodology identifies non-compliant behaviors that divert customers to competitor offerings, hurting conversion rates and damaging brand reputation. By eliminating these invasive promotions, VPT consistently recovers advertisers' revenue and brand value; companies can win back more than 90% of their stolen revenue. The world's largest retailers rely on VPT's solutions to eliminate invasive promotions, preserve the online customer experience, and consistently recover advertiser revenue.