overview

“Clickjacking” attacks are nothing new and have long served as simply one more way of tricking a victim into clicking on something they shouldn’t. In simplest terms, clickjacking is a malicious technique where an attacker tricks a user into interacting with an invisible or disguised element on a webpage, effectively hijacking their click. The attacker overlays a malicious iframe or element over a legitimate UI component, causing the user to unknowingly perform an unintended action, such as clicking a button or entering sensitive information. 

This technique has become less practical as modern browsers ship built-in protections that prevent attackers from framing other sites, or that block cookie transmission into frames so that the victim's authenticated session does not carry over.

Recently, threat researchers have discovered a new twist on this old attack. It exploits the short interval between the two clicks of a double-click (hence the term "Double-clickjacking") and bypasses many of the browser protections currently used against clickjacking.

Threat Researcher Paulos Yibelo describes the attack like this:

Double Clickjacking exploits a timing and event-order quirk: 

  • The attacker creates an initial webpage with a button that opens a new window (or just opens a new window without user interaction). 

  • When the user clicks this button: 
    • A new window opens on top, asking the user to “double-click.” 
    • This new window immediately uses window.opener.location to change the parent window’s location to the target authorization page. 
    • The parent window now contains the target page (e.g., OAuth authorization), while the top window still shows the double-click prompt.

  • When the user attempts the requested double-click: 
    • The first click (triggered on mousedown) causes the top window to close. 
    • The second click lands on the now-exposed authorization button in the parent window. 
    • The user unknowingly authorizes the attacker’s application into their account with arbitrary scope. 


how avertium is protecting our customers

Clickjacking and Double Clickjacking still fall within the realm of Browser Exploits, and Avertium's Analysts remain vigilant. Signatures of this attack in Microsoft Defender or SentinelOne would likely take the form of any of these alerts:

  • "Browser Exploit" or "Suspicious Script Execution" detections.
  • "Malicious Domain Access" or "Phishing Attempt" alerts.
  • "Suspicious browser activity"
  • "Exploit code execution attempt"
  • "Malicious script execution"
  • "Access to a malicious website was blocked"
  • "User clicked on a malicious link"


TTPs TO MONITOR

1. T1071.004 - Application Layer Protocol: HTTPS
  • Example: The malicious iframe could interact with a page over HTTPS, ensuring secure transmission of attacker-controlled content. 
2. T1064 - Scripting
  • Example: The JavaScript used in the attack manipulates the window object, which is typical of double-clickjacking, where one click sets up the malicious action (such as redirecting the user or altering page content).
3. T1089 - Disabling Security Tools
  • Example: By bypassing browser warnings or security features, attackers can manipulate a user's interaction to perform harmful actions like authorizing payments, changing settings, or making unauthorized changes to sensitive data. 
4. T1110.003 - Brute Force: Password Guessing
  • Example: Double-clickjacking could be used in conjunction with phishing to acquire credentials, which are then brute-forced for further unauthorized access. 
5. T1059.001 - Command and Scripting Interpreter: PowerShell
  • Example: After a user performs a double-click, PowerShell scripts might be executed in the background, either to manipulate the system further or perform actions based on data obtained via the clickjacking. 


additional recommendations + information

While web browsers work on updated protections that eliminate the double-click exploit, we recommend taking additional steps to further guard against this attack.
 
1. Enable a Content Security Policy (CSP)
  • A Content Security Policy (CSP) can restrict what external content can be embedded on a page. Websites can implement a CSP to prevent iframes or malicious content from being injected into their pages, reducing the risk of clickjacking.
2. Disable JavaScript for Untrusted Sites
  • Disabling JavaScript for sites that you do not trust can prevent malicious scripts, such as those used in double-clickjacking, from executing. Most modern browsers allow users to disable JavaScript or restrict it to trusted sites. 
3. Be Cautious with Clicking Links
  • Avoid clicking on suspicious links or interacting with unfamiliar websites, especially those that seem to manipulate or change their UI unexpectedly. 
  • If a site asks for sensitive information or redirects you unexpectedly, it may be a sign of an ongoing attack. 

Website owners can take a further step by keeping critical buttons disabled until a genuine user gesture (such as hovering the mouse pointer over a link to verify the address) is detected.
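One way to implement that gesture gate, as an added example that is not code from the advisory or from the cited research: the sensitive button is only honoured after the page has seen a mouse movement or key press AND a minimum dwell time has passed since the window was last exposed. The 500 ms threshold and the event traces are assumptions constructed for the example.

```javascript
// Added example (not from the advisory): a "gesture gate" for a sensitive
// button. A click counts only after a genuine gesture (mousemove/keydown) AND
// a minimum dwell time since the window was last exposed; a second click that
// lands right after a window on top closes arrives with neither.
const MIN_DWELL_MS = 500; // assumed threshold; tune per application

class GestureGate {
  constructor(now = 0) {
    this.exposedAt = now;    // when the window was last shown/focused
    this.gestureSeen = false;
  }
  // Feed events shaped like {type, time}; 'click' is decided by armed().
  handle(ev) {
    if (ev.type === 'focus' || ev.type === 'visibilitychange') {
      // Window just became visible (e.g. an overlay window closed): re-arm.
      this.exposedAt = ev.time;
      this.gestureSeen = false;
    } else if (ev.type === 'mousemove' || ev.type === 'keydown') {
      this.gestureSeen = true;
    }
  }
  armed(now) {
    return this.gestureSeen && now - this.exposedAt >= MIN_DWELL_MS;
  }
}

// Replay an event trace; returns the click times the gate honoured.
function acceptedClicks(events) {
  const gate = new GestureGate(0);
  const accepted = [];
  for (const ev of events) {
    if (ev.type !== 'click') gate.handle(ev);
    else if (gate.armed(ev.time)) accepted.push(ev.time);
  }
  return accepted;
}

// Constructed traces. DOUBLECLICK_TRACE mimics the attack timing: the target
// window is exposed when the overlay closes on mousedown and the second click
// lands ~100 ms later with no gesture in between. GENUINE_TRACE is a real user.
const DOUBLECLICK_TRACE = [{ type: 'focus', time: 1000 }, { type: 'click', time: 1100 }];
const GENUINE_TRACE = [
  { type: 'focus', time: 1000 },
  { type: 'mousemove', time: 1300 },
  { type: 'click', time: 1700 },
];
```

In a page, feed the window's focus, mousemove and keydown events and the document's visibilitychange event into handle(), and call armed() from the button's click handler, calling preventDefault() when it returns false.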


ADDITIONAL SERVICE OFFERINGS

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity, one that is greater than the sum of its parts.
  • Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
    • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).


SUPPORTING DOCUMENTATION

New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections on Major Websites 

DoubleClickjacking: A New Era of UI Redressing 

What is clickjacking 
