What are types of clickjacking?

The types of clickjacking are traditional clickjacking, likejacking, and cursorjacking.

What is the difference between clickjacking and linkjacking?

Clickjacking deceives users into interacting with hidden elements. Linkjacking redirects links to another destination without permission.

What is Clickjacking?

Why IRONSCALES
OUR VALUE

Protect Better

Gain protection against advanced email attacks like BEC, ATO, social engineering, and more

Simplify Operations

Turn hours-a-day to minutes-a-month combatting phishing with customizable security automation

Empower Your Org

Triple your org's email security awareness with real-world phishing simulation testing and training
CUSTOMERS

Customers

Check out the benefits provided to our customers and their stories

Case Studies

Explore inspiring success stories from our 13,000+ global customers

Reviews

Uncover honest reviews with authentic insights from Gartner, G2, Capterra, and more
NEWS

Press

Read our latest press releases, news publications, and media highlights

Awards

Explore our awards and industry recognition achievements
Press: New Research

New Osterman study reveals orgs with high confidence still lack capabilities against QR code attacks

Case Study: Webhelp

Learn how Webhelp saved over 450 SecOp hours and is protecting 36,000 mailboxes

Awards: INC. 5000

IRONSCALES earns 'Fastest Growing Email Security Company' for 3rd straight year
Platform
Spring '24 Software Release! Check out our new deep image-based detection, GWS capabilities, and more. Explore the new additions
CAPABILITIES

Inbound Email Protection

Get Adaptive AI email security against advanced attacks missed by other security controls

Account Takeover Protection

Eliminate the risk of ATO with advanced prevention, detection, and response

Image-Based Attack Protection

Protect your organization from image-based attacks like malicious QR codes

SOC Automation

Put SecOps workloads on auto-pilot with automated email remediation and more
Phishing Simulation Testing

Send your employees customized simulations built from real-world threats

Security Awareness Training

Build a security-centric culture with automated personalized awareness campaigns

Crowdsourced Threat Intelligence

Leverage insights from 20,000+ security analysts in our community for email remediation

Collaboration Tool Protection

Protect your collaboration tools including Microsoft Teams® from advanced threats
Take an Interactive Platform Tour
TECHNOLOGY

Adaptive AI Engine

Learn how we level up our AI with advanced ML models and Human Insights

Human Insights

See how we uniquely enhance our adaptive AI with real-time Human Insights

Generative AI

Discover how we use Gen-AI, large language models, and techniques for email security

Ecosystem Integrations

Maximize your existing security tools with our seamlessly integrated platform
Take an Interactive Platform Tour
Solutions
Introducing Weekly Demos! Join us for a live walkthrough of our platform and see the difference firsthand. Register Now
USE CASE

BEC & Executive Impersonation

Stop advanced attacks like BEC, VEC, and VIP impersonation

Advanced Malware/URL Attacks

Continuously protect against malicious links and attachments

Credential Harvesting

Block attackers from stealing your sensitive business data

Account Takeover Attacks

Prevent, detect, and respond to ATO attacks in real time

QR Code Attacks

Decipher image-based attacks from weaponized QR codes

Generative AI Attacks

Safeguard your organization against GPT-crafted attacks

Phishing Simulation Testing

Test your employees with real-world email attacks

Security Awareness Training

Build a security-first organization with integrated SAT campaigns

Get A FREE Email Health Scan
BUSINESS INITIATIVE

M365 Augmentation

GWS Augmentation

SEG Augmentation

SEG Replacement

SOC Automation

BY ROLE

IT/Security Leader

IT/Security Operator

Executive

BY PLATFORM

Microsoft 365

Google Workspace

Microsoft Teams
Learn
New Report! Osterman Research releases their 2024 findings on Image-based/QR Code Attacks. Read the report
LEARN

Blog

Stay informed with our insights and updates

Guides

Explore our multi-chapter email security guides

Glossary

Decode cybersecurity jargon with our glossary

Resource Library

Rich content hub including whitepapers, reports, and more

Get Started

Get started today with a 14-day free trial

Platform Tour

Navigate our platform directly with an interactive guided tour

Engineering Corner

Explore articles and lessons from our R&D team members

CONNECT

Events

View our upcoming in-person and virtual events

LinkedIn

Join the evolving email security discourse with us on LinkedIn

Newsletter

Join our LinkedIn newsletter for security news and best practices
See all resources
FEATURED

Email Security in the Age of AI

Understand the role of AI in fortifying defenses against evolving threats.

QR Code Phishing

QR codes serve as a new bypass method to evade detection.

The ABCs of MFA

MFA is your digital doorman that keeps the malicious actors at bay.
Phishing Prevention

Dive into our complete 13-chapter guide on phishing prevention best practices

Spear Phishing

Understand the inner workings of highly specialized phishing tactics and how to stop them

Voice Phishing

See how attackers leverage new methods and channels to defraud businesses
Partner
BY TYPE

Resellers

Elevate your business with exclusive reselling opportunities

MSPs / MSSPs

Unlock powerful email security capabilities for your end clients

Technology Partners

View our industry-leading technology partners

ENGAGE

Become Partner

Apply to become an IRONSCALES partner today

Partner Portal

Check out valuable tools and resources for partners

Become a Partner
Partner with IRONSCALES Today
Pricing
Get a Demo

Get a Demo

Clickjacking Explained

Clickjacking is a malicious technique used by attackers to trick users into clicking on a webpage element that is disguised or hidden. The objective of clickjacking is to deceive users into unknowingly performing actions that they did not intend to do, such as downloading malware, visiting malicious websites, revealing sensitive information, making unauthorized transactions, or purchasing products online. This attack takes advantage of the transparency of web pages and uses invisible or overlapping elements to mislead users into interacting with unintended content.

Types of Clickjacking

Traditional Clickjacking: This type of clickjacking involves overlaying invisible elements or pages on top of legitimate websites, making users unknowingly interact with hidden functionality or content.
Likejacking: Likejacking manipulates website links and social media features, such as a hyperlinked web image or the Facebook "Like" button, to trick users into unintentionally visiting digital ads or endorsing a page they did not intend to.
Cursorjacking: Cursorjacking is a technique that manipulates the position of the cursor displayed on a webpage, misleading users about the actual target of their clicks.

How does Clickjacking Work?

Clickjacking works by employing techniques that involve the use of iframes or invisible elements layered on top of visible content. The process typically includes the following steps:

Step 1: The attacker creates a webpage with enticing or deceptive content to attract users.
Step 2: In the background, the attacker identifies if the user is logged into a targeted website, such as a banking site.
Step 3: An invisible iframe is placed on top of the attacker's webpage, precisely aligning it with visible buttons or links.
Step 4: When the user interacts with the visible elements, they are unknowingly interacting with the hidden elements within the iframe, triggering unintended actions.
Step 5: These actions can range from transferring funds, providing sensitive information, or executing malicious operations without the user's knowledge.

By disguising the malicious activity as legitimate user actions, clickjacking can bypass security measures and make it difficult to trace the attacker's identity.

Clickjacking vs. Linkjacking

Clickjacking and linkjacking are distinct techniques with different objectives:

Clickjacking: Clickjacking focuses on deceiving users into interacting with hidden or disguised elements on a webpage, leading to unintended actions or unauthorized access to sensitive information.
Linkjacking: Linkjacking involves redirecting a website's links to another destination without the original content creator's permission. It isn't always used for nefarious, but typically it aims to drive traffic to an alternate website, often for financial gain.
- Negative uses: From a negative standpoint, some linkjackers provide a website with no original content and by driving up traffic to the alternate content, they make money on any click through ads. When used in this fashion, the linkjacker doesn't provide backlinks.
- Positive uses: Some larger websites, such as Digg or Reddit, may linkjack a blog or an interesting article. In these instances, the notable website does provide backlinks and appropriate references to the original content, thereby gifting a large spike in traffic to the originating website.

While both techniques involve manipulating user interactions, clickjacking revolves around user interface deception, while linkjacking centers on diverting web traffic.

How to Detect and Prevent Clickjacking

Detecting and preventing clickjacking attacks can be challenging, but there are mitigation techniques that can help safeguard against them:

Client-side Methods: Techniques like Frame Busting can be implemented on the client-side to prevent framing of webpages. However, these methods can be bypassed easily and are not considered best practices.
Server-side Methods: Implementing server-side defenses is recommended by security experts to effectively mitigate clickjacking attacks. One widely used server-side defense is the X-Frame-Options response header.
- DENY: Prevents any domain from displaying the page within a frame.
- SAMEORIGIN: Allows the page to be displayed in a frame on another page but only within the same domain.
- ALLOW-FROM URI: Allows the page to be displayed in a frame, but only within a specific URI.
X-Frame-Options provides control over which domains or pages can frame a website, reducing the risk of clickjacking.

Learn more about IRONSCALES enterprise email security platform here.

Explore Our Platform Tour

Immediately jump into an interactive journey through our AI email security platform.

Begin Tour

Protect Better

Simplify Operations

Empower Your Org

Customers

Case Studies

Reviews

Press

Awards

Press: New Research

Case Study: Webhelp

Awards: INC. 5000

Inbound Email Protection

Account Takeover Protection

Image-Based Attack Protection

SOC Automation

Phishing Simulation Testing

Security Awareness Training

Crowdsourced Threat Intelligence

Collaboration Tool Protection

Adaptive AI Engine

Human Insights

Generative AI

Ecosystem Integrations

USE CASE

BEC & Executive Impersonation

Advanced Malware/URL Attacks

Credential Harvesting

Account Takeover Attacks

QR Code Attacks

Generative AI Attacks

Phishing Simulation Testing

Security Awareness Training

BUSINESS INITIATIVE

BY ROLE

BY PLATFORM

LEARN

Blog

Guides

Glossary

Resource Library

Get Started

Platform Tour

Engineering Corner

CONNECT

Events

LinkedIn

Newsletter

Email Security in the Age of AI

QR Code Phishing

The ABCs of MFA

Phishing Prevention

Spear Phishing

Voice Phishing

BY TYPE

Resellers

MSPs / MSSPs

Technology Partners

ENGAGE

Become Partner

Partner Portal

Become a Partner

What is Clickjacking?

Clickjacking Explained

How does Clickjacking Work?

Clickjacking vs. Linkjacking

How to Detect and Prevent Clickjacking

Explore Our Platform Tour

Featured Content

AI in Email Security

Gartner® Email Security Market Guide

Defending the Enterprise from BEC

Schedule a Demo