Showing posts with label hackers. Show all posts

Friday, May 22, 2009

Clickjacking: Hijacking clicks on the Internet

What if you reached to grab a newspaper out of a news stand and you found a rock in your hand instead? How about opening the front door to a grocery store and ending up on a boat?

This sounds like a Matrix movie, but the virtual equivalent of this is real and poses one of the most serious new risks on the Internet, according to Jeremiah Grossman, chief technology officer and co-founder of Whitehat Security.

"Most exploits (like worms and attacks that take advantage of holes in software) can be patched, but clickjacking is a design flaw in the way the Web is supposed to work," Grossman said. "The bad guy is superimposing an invisible button over something the user wants to click on...It can be any button on any Web page on any Web site."

The technique was used in a series of prank attacks launched on Twitter in February. In that case, users clicked on links next to tweets that said "Don't Click" and then clicked on a button that said "Don't Click" on a separate Web page. That second click distributed the original tweet to all of the Twitter user's followers, thus propagating itself rather quickly.

At the time, Grossman called it a "harmless experiment," but the potential for harm by an attacker who isn't just having fun is huge.

In a demo at CNET offices, Grossman showed how someone could launch a clickjacking attack using Flash to spy on someone by getting them to turn on their computer Web cam without knowing it. (Grossman also appeared on CNET Live to talk about clickjacking.)

Like the name suggests, clickjacking is the hijacking of your click, unbeknownst to you. A victim may not even know that the click has been redirected, which means there could be clickjacking attacks going on that no one knows about yet.

Clickjacking attacks are accomplished by creating something called an iFrame that allows a browser window to be split into segments so that different items can be shown on each. This code is inserted into the target Web page and is invisible to the end user. When the end user's cursor clicks on the section of the page where the malicious iFrame is hiding, the attack is launched to do whatever the attacker desires.

An attacker could hide an iFrame under any innocent link on any Web page--a headline on The New York Times or a "digg this" button on Digg, for instance--and when the victim clicks on the link, the cursor is actually clicking on the hidden iFrame.

In the Web cam demo, the iFrame created contains a Flash pop-up window that asks the user to grant permission to have the Web cam turned on. When the victim clicks the link, the Web cam is turned on and secretly begins recording everything the user does in front of the computer.

One of the scariest things about clickjacking is the potential for abuse. An attacker could spy on you by turning on your Web cam or microphone, direct you to a Web page with malicious content that is downloaded onto your computer, or even rig it up so you end up clicking "buy" instead of "cancel" on an e-commerce site.

Another thing that makes clickjacking so serious is that there really is very little that end users can do to protect themselves, Grossman said.

In the Web cam scenario, the best defense is probably to put a post-it note or other item over the Web cam lens and to disable the microphone in the software, he said. Flash Player 10 provides some protection by preventing anything from obscuring the security permissions dialogue box, he said.

Web site owners optimizing their sites for Internet Explorer 8 have the ability to prevent their pages from being framed, which means visitors to their site will be protected, but only on that site and only if they are using IE8, Grossman said.

People using Windows and IE should disable JavaScript to help protect against clickjacking, he said. Firefox is safer; the NoScript add-on for Firefox not only lets people selectively block scripts, but it has a ClearClick feature designed specifically to protect against clickjacking, he added.
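The anti-framing protection the article attributes to IE8 is the X-Frame-Options response header. The block below is an added example, not code from the CNET article or from Whitehat Security: it shows the header a site can send so the browser refuses to render the page inside another site's iframe, the decision a browser makes from that header, and a runtime check a page can make on its own window object. The origins, page content and request handler are constructed sample values.

```javascript
// Added example, not code from the CNET article or from Whitehat Security.
// Two layers of anti-framing defence for a page that must never be embedded in
// a third-party iframe: the X-Frame-Options response header and a runtime
// check made by the page itself. Origins and pages are constructed samples.

// Decide, for a document protected by the given X-Frame-Options value, whether
// a browser should render it when the top-level document comes from topOrigin.
// Returns true when framing is allowed and false when it must be refused.
function isFramingAllowed(xfoValue, pageOrigin, topOrigin) {
  if (!xfoValue) return true;                       // no header: the page can be framed freely
  const [directive, arg] = xfoValue.trim().split(/\s+/);
  switch (directive.toUpperCase()) {
    case "DENY":
      return false;                                 // never framed, not even by its own site
    case "SAMEORIGIN":
      return pageOrigin === topOrigin;              // only the site's own pages may frame it
    case "ALLOW-FROM":                              // obsolete single-origin allow-list
      return arg !== undefined && arg === topOrigin;
    default:
      return true;                                  // unrecognised value: browsers ignore the header
  }
}

// Headers a sensitive page (account settings, checkout, permission prompts) should send.
function antiFramingHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
  };
}

// Node-style request handler; pass it to http.createServer(handler).
function handler(req, res) {
  res.writeHead(200, antiFramingHeaders());
  res.end("<!doctype html><title>Account settings</title><p>Account settings</p>");
}

// Runtime complement inside the page: `win` is the page's window object.
// A framed document sees a top-level window that is not its own.
function isFramed(win) {
  return win.top !== win.self;
}
```

The header is the primary control because the browser enforces it before any script in the page runs; the `isFramed(window)` check is a secondary signal a page can use to hide its sensitive controls when it finds itself embedded.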

People should also log out of Web sites, like Facebook and Twitter, when they are done using them for the time being. "You can't be forced to do something on the site if you are not logged in," Grossman said.

More details are in a white paper on the technique, written by Grossman and Robert Hansen of SecTheory and published in September 2008. Grossman and Hansen coined the term in that document.

The authors canceled their talk on the subject at the OWASP (Open Web Application Security Project) conference that month at Adobe's request because their proof of concept revealed a bug in Adobe's software, according to IDG News Service.


Thursday, February 19, 2009

IFPI website hacked to protest Pirate Bay trial

The Swedish website for the International Federation of the Phonographic Industry was defaced Thursday by hackers protesting the group's involvement in the ongoing Pirate Bay trial in Stockholm.

The message on the homepage of the recording industry association's website urged Pirate Bay prosecutor Haakan Roswall of Stockholm to "stop lying." The hackers, calling themselves "The New Generation," said the intrusion was a "declaration of war against the anti-piracy industry."

The site was restored by early Thursday.

"It is deplorable that these saboteurs will go to such extremes as to infringe on our and others' freedom of speech on the internet," said Lars Gustafsson, a director of the IFPI in Sweden, which is trying to shutter Pirate Bay, the notorious BitTorrent tracker with more than 22 million users.

Peter Sunde, who is one of the four on trial, condemned the attack.

"Whomever is hacking the IFPI websites, please stop doing that," he wrote on Twitter. "It only makes us look bad!"

It's not the first time the IFPI has been swashbuckled. In 2007, the Pirate Bay briefly acquired control of the IFPI's international website via a cybersquatter.



Monday, February 16, 2009

Just how dangerous is online banking?

Sure, the Web makes it really simple to manage your money. But it also makes your account easier to hack into. Here's a look at the risks and realities -- as well as nine smart tips that can help you protect yourself.

Joe Lopez will never forget the day he checked his Bank of America account online and realized that more than $90,000 had vanished.

Months before, the Miami business owner had stopped making weekly visits to his local branch, opting instead to conduct his financial transactions entirely over the Internet.

"I absolutely thought it was safe," Lopez said. "And it was convenient."

What he didn't realize were the risks. A malicious virus had infected his computer and, in a matter of minutes, captured his user name and password -- allowing a hacker to transfer $90,348 to a rogue overseas account.

Lopez got most of his money back months later, after a U.S. federal investigation and, eventually, a lawsuit. But his experience taught him the hard way, he says, what many experts have concluded: "Online banking is a danger."

Since its debut just a decade ago, online banking has become one of the fastest-growing Internet activities. Roughly 43% of people in the U.S. who use the Internet, or about 63 million Americans, do some banking there, according to a 2006 survey by the Pew Internet & American Life Project -- even more than make travel reservations online.

But that growing popularity has also brought increasing anxiety over whether something as private and personal as a bank account can be fully protected in the relatively unregulated and unpoliced world of the Internet.

"It's pretty hard not to do online banking because it is so convenient, and people want convenience," said Atul Prakash, a University of Michigan researcher who conducted a study on the risks of Internet banking. "Nevertheless, there are reasons to worry."

Mia Jozwick, a student at Wagner College in New York City, was duped by a "phishing" e-mail made to look like a message from her bank. Thinking it was an important financial notification, Jozwick responded by firing off her user name and password; she learned it was a scam only after someone emptied her account.

To make matters worse: Thieves were also able to steal her identity, because her password was her Social Security number. It took her a year and help from Identity Theft 911, a service agency, to unravel the mess she found herself in.

How the scams work
Since the birth of electronic commerce, financial institutions have stepped up online security measures to try to make the process less vulnerable to attacks.

Some have spent millions adding more layers of authentication, toughening encryption schemes and going after and shutting down bogus bank sites.

But that hasn't stopped hackers, who continue to look for ways to exploit security gaps.

Among the most popular attacks are phishing schemes that duplicate bank Web sites and ask customers to log on to their accounts. Others send e-mails, purportedly from bank employees, asking for sensitive financial information. Often the two work in tandem, with an e-mail containing a link that directs recipients to a bogus bank site. Both scams are designed to steal user IDs and passwords as a customer types them in, giving a cyber thief access to the person's financial accounts.

Other cyber thieves embed viruses, spyware or "Trojan horses" -- programs that can give thieves unauthorized access to a computer by recording and sending out a user's keystrokes. These programs allow thieves to look over your virtual shoulder as you type in sensitive financial information. Within seconds, your savings and checking accounts, even your investments, could disappear.

How big a problem are we talking about? The numbers are tough to pin down: Experts say there are no reliable studies showing how much money is lost through online banking alone, primarily because banks themselves can't always pinpoint the source of how a crime occurred, whether on the Web or through an ATM.

But various reports offer hints at the magnitude. For instance, about $3.2 billion was lost to phishing attacks in 2007, according to a survey by Gartner, a technology research firm -- with about 3.6 million people losing money to these attacks over 12 months.

"It's a huge business," said Graham Cluley, a senior technology consultant at Sophos, a spam-fighting security firm. "The scammers are literally making millions, and they can be based anywhere in the world."

And the attacks are increasing.

Take the so-called Sinowal Trojan, a virus that injects what seem like legitimate pages into someone's browser, then steals the user's log-in credentials. In probably one of the largest online banking breaches known to date, the virus has compromised 300,000 online bank accounts and about 250,000 credit and debit card accounts over the past three years, according to a study published in October by California's RSA FraudAction Research Lab -- with more than 100,000 online bank accounts hit in the past six months alone.

There are thousands more Trojans out there, many of them specifically targeting online banking customers.

"There is definitely more risk than there was one or two years ago," said Avivah Litan, a Gartner analyst.

She said her clients have told her they've noticed the assaults have doubled in the past six months: "The attacks are so vociferous and manipulative that even the big banks can't stop them."

What are the banks doing?
That's not to say banks are not trying. For a small fee, Bank of America -- the largest online banker in the United States -- recently introduced the SafePass card, a wallet-sized card embedded with a button that, when pressed, sends the customer a six-digit security code via text message. The customer can then enter the code along with his/her user name and password to access an online account. For business accounts or wealthier clients, some banks also offer SecurID, a token-like device that generates a new six-digit code every minute that users need to log in to their accounts.

Bank of America, along with other financial institutions, also has started an alert system advising customers by e-mail or text every time a transaction occurs. "Protecting the safety and security of our customers' information is our top priority," Bank of America spokeswoman Britney Sheehan said.

But not all banks offer the same level of security. "If you are going to do the bulk of your transactions online, you should really shop around to find a bank that has the best security measures," said Anthony Reyes, the CEO of New York's ARC Enterprises, which investigates computer intrusions. "But you have to also make sure you are doing everything right on your side."

Protect yourself
So should you be avoiding online banking altogether? Not so fast: There are risks associated with traditional banking as well.

More than three-quarters of banking fraud stems from offline factors, such as cheque fraud, mail theft or a lost wallet, according to the 2007 Online Banking Security Report, released by Javelin Strategy & Research, a California firm.

"When you're online, even though you have a lot of risks, you're more in control because you can do something about the risk -- you can monitor your accounts, and you can say no to the malicious junk," Javelin President James Van Dyke said. "In the old-fashioned world, such as the paper and mail world, you can't do much to keep prying eyes from looking at those paper cheques and paper statements."

But others point out that online crooks can target thousands, if not millions, of accounts at once, making Web banking the more lucrative target.

"To compromise half a million accounts, you'd have to raid millions of mailboxes -- probably 20 (million) to 30 million in the mail world. But online it could take a matter of seconds," Gartner analyst Litan said. "So in terms of hit rate, online banking is not as safe."

Experts suggest that anyone using online banking should take these steps:

1. When logging on to a bank Web site, a user should look closely at the site's URL to make sure it matches the bank's name. A more secure URL will begin with "https://" and be followed by the bank name. Make sure the bank's padlock is displayed in a corner of the site before you log on.

2. Log on to banks only from a secure computer. Never log on from a public computer in a hotel or cafe, and be careful when logging on to unknown networks with a laptop.

3. If you get a warning e-mail, call your bank -- don't click on any provided links.

4. If your computer is acting strangely -- for instance, reacting slowly or getting pop-ups -- avoid using it for online banking until you can get it checked out.

5. Keep anti-virus and anti-spyware software up to date.

6. Install and maintain a firewall.

7. Never respond to any e-mail that requests personal information.

8. Be leery of fly-by-night, Internet-only banks with high interest rates on savings or chequing accounts. Make sure the bank is FDIC-certified and is insured.

9. And, most importantly, use a different user name and password for each financial account. The password should be complex, with numbers and symbols, and changed regularly.
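Tip 1 (check that the address really is the bank's and that it uses https) is the one step in the list that can be written down as a check. The block below is an added example, not code from the article or from any bank: it accepts a link only when the scheme is https and the host is the bank's own domain or a subdomain of it, and runs that check over constructed links of the kinds that turn up in phishing e-mail. `BANK_DOMAIN` and every sample link are constructed placeholders.

```javascript
// Added example, not code from the article or from any bank. Tip 1 as a
// check: a link passes only if it uses https and its host is the bank's own
// domain or a subdomain of it. BANK_DOMAIN and the links are constructed.
const BANK_DOMAIN = "examplebank.test";

function isLegitimateBankUrl(urlString, bankDomain = BANK_DOMAIN) {
  let url;
  try {
    url = new URL(urlString);                    // WHATWG URL parser, global in Node and browsers
  } catch (e) {
    return false;                                // not a parsable absolute URL
  }
  if (url.protocol !== "https:") return false;   // plain http fails tip 1
  // url.hostname is already lower-cased and has the userinfo part stripped, so
  // "https://examplebank.test@evil.test/" yields hostname "evil.test".
  const host = url.hostname;
  return host === bankDomain || host.endsWith("." + bankDomain);
}

// Classify a batch of links; returns { url: "ok" | "reject" } for review.
function classifyLinks(urls, bankDomain = BANK_DOMAIN) {
  const report = {};
  for (const u of urls) {
    report[u] = isLegitimateBankUrl(u, bankDomain) ? "ok" : "reject";
  }
  return report;
}

// Constructed sample links of the kinds that appear in phishing e-mail.
const SAMPLE_LINKS = [
  "https://examplebank.test/login",              // genuine
  "https://online.examplebank.test/accounts",    // genuine subdomain
  "http://examplebank.test/login",               // right host, no https
  "https://examplebank.test.evil.test/login",    // bank name as a subdomain of another site
  "https://examplebank.test@evil.test/login",    // bank name in the userinfo part
  "https://evil.test/examplebank.test/login",    // bank name in the path
  "https://examp1ebank.test/login",              // look-alike spelling
];

console.log(classifyLinks(SAMPLE_LINKS));
```

The host comparison is anchored on the full registered domain rather than on the bank's name appearing anywhere in the address, which is exactly the difference the look-alike links above exploit.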

Still, there are no guarantees.

"It annoys me when people say these consumers are dumb, (that) they fell for it," Litan said. "They are not dumb. These criminals are really good, and you'd have to be a total security geek to stop everything."

One final precaution: Know the rules. Regulations require that banks return money lost to electronic transactions, but the customer has up to 60 days to detect the fraud and two business days to report it. Meanwhile, different banks have their own rules -- look them up before you shift your banking to the Web.

For Lopez, the lesson was painful. As a business owner, he had to sue his bank to try to recover the money; the case settled last year.

Now Lopez is back to old-fashioned banking methods and following up his transactions with phone calls.

"I don't do any online banking anymore. Nothing, zero," he said. "I'm so paranoid."



Friday, January 30, 2009

Bell says customers must pay bills racked up by fraudsters

Bell Canada has taken out full-page newspaper ads warning customers they are responsible for costly long-distance calls made through their voicemail systems, even if they were done so fraudulently.

In the ad, Bell says it has received several complaints about a voicemail fraud scam whereby "experienced criminals...illegally gain access to company voicemail systems and then place long distance calls from within those systems."

While a spokeswoman for BCE's Bell Canada says the bills have been reduced by the phone company, the businesses insist they shouldn't be forced to pay for any of the illicit calls.

Businesses are crying foul after receiving sky-high phone bills that charged them upwards of $200,000 because hackers were able to break into their Bell voicemail system and hijack it to make long-distance calls.

The warnings come too late for Burlington, Ont. law firm Martin & Hillyer.

Martin & Hillyer says it has been hacked and is battling to erase a bill that includes charges worth more than $207,000 in calls to Sierra Leone in western Africa.

The law firm isn't alone, but Bell Canada spokeswoman Julie Smithers calls the situation "really rare" and a "very old scam" that affects primarily business customers, although she said some residential consumers have been caught as well.

Here's how Bell thinks it works: an automated dialler will target a specific phone number, and wait for the voicemail to respond. Then, the computer will go through standard voicemail passwords.

Often the voicemail passwords have never been changed from the original programmed default, they are the same as the phone number or extension, or they are easily guessed, such as 1234.

Once it finds the correct password -- often a predictable number combination -- the automated dialer will choose an option on the voicemail that allows it to make long-distance phone calls.

On the phone bill it will appear as though the calls were made directly from the office or home number.

The Bell ad says its systems come with adequate security devices, but "like locks on your car or on your house, they have to be used properly in order to be effective."

Smithers said Bell does have technologies to detect "bizarre calling patterns and in a lot of cases we can stop it by placing a block on long distance."

But she added "it is extremely important and it is the customer's responsibility to put passwords in place that are difficult to guess."

In Oakville, Gordon Cowan, the president of GPS Consulting Group & Insurance Agencies, faced a similar problem but on a smaller scale.

His offices rang up more than $60,000 in charges, starting with a 14-hour period on a weekend in early October.

"I came in on Sunday and there was a call from the Bell Canada fraud squad saying we had been breached. They shut our voice mail system down," Cowan said in an interview.

"They told us to change our passwords, which we have been doing anyway, and they would be in contact with us."

Cowan says that a week later the hacking happened again.

In both instances, Bell Canada agreed to reduce the bill as a "goodwill gesture" -- in the law firm's case they cut it down to about half of the $207,000.

Cowan's $60,000 bill was slashed to about $7,000.

Bell says that Canadians are responsible for taking steps to prevent their voicemail from being hacked.

"It is something that's not unique to Bell -- it has been seen by pretty much every telephone company in the country, the U.S. and internationally," Smithers said.

Last week, reports from Australia said that police were investigating claims from a Perth business that its Internet phone lines were hacked, resulting in a $120,000 phone bill from more than 11,000 international calls.

Bell offered up a number of tips for companies to ensure their phone systems are not compromised. But Bell also says companies will have to pay for those calls made when the systems are hacked.

"Remember that you are responsible for paying for all calls originating from, and charged calls accepted at, your telephone, regardless of who made them or who accepted them," the ad states.

The following is a list of steps Bell says companies can take to protect their voicemail systems.

- Ensure employees change default password immediately after being assigned a voicemail box.
- Program systems to require passwords of six or eight characters.
- Avoid easily-guessed passwords.
- Require users to change their password every 90 days, as a minimum.
- Disable the offsite "through-dialling" option if it isn't necessary.
- Remove all unassigned mailboxes.
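The six tips above, together with the guessing pattern described earlier (defaults, the extension or phone number, sequences like 1234), amount to a password policy that an administrator can check mechanically. The block below is an added example, not code from Bell's ad or from any voicemail product: it evaluates one mailbox against that policy and audits a list of mailboxes. It reads "six or eight characters" as a 6-to-8-digit length (an assumption), and the default PINs, extensions, phone numbers, dates and mailboxes are constructed sample values.

```javascript
// Added example, not code from Bell's ad or from any voicemail product.
// A policy check covering the tips above for one mailbox, plus an audit over
// a list of mailboxes. Defaults, numbers and dates are constructed samples.
const DEFAULT_PINS = new Set(["0000", "1234", "000000", "123456"]);   // constructed defaults
const MAX_PIN_AGE_DAYS = 90;

// Ascending or descending digit runs such as 123456 or 8765.
function isSequential(digits) {
  if (digits.length < 2) return false;
  const step = digits.charCodeAt(1) - digits.charCodeAt(0);
  if (step !== 1 && step !== -1) return false;
  for (let i = 2; i < digits.length; i++) {
    if (digits.charCodeAt(i) - digits.charCodeAt(i - 1) !== step) return false;
  }
  return true;
}

// The same digit throughout, such as 777777.
function isRepeated(digits) {
  return digits.length > 1 && /^(\d)\1+$/.test(digits);
}

// mailbox: { extension, phoneNumber, pin, pinSetOn (Date), assigned,
//            throughDialEnabled, needsThroughDial }
// Returns the list of policy violations; an empty list means the mailbox passes.
function checkVoicemailPin(mailbox, today) {
  const problems = [];
  const pin = mailbox.pin || "";
  const number = mailbox.phoneNumber || "";
  if (!mailbox.assigned) problems.push("unassigned mailbox should be removed");
  if (!/^\d{6,8}$/.test(pin)) problems.push("PIN must be 6 to 8 digits");
  if (DEFAULT_PINS.has(pin)) problems.push("PIN is a factory default");
  if (pin.length > 0 && (pin === mailbox.extension || pin === number.slice(-pin.length))) {
    problems.push("PIN equals extension or phone number");
  }
  if (isSequential(pin) || isRepeated(pin)) problems.push("PIN is an easily guessed pattern");
  const ageDays = (today - mailbox.pinSetOn) / 86400000;   // Date arithmetic yields milliseconds
  if (ageDays > MAX_PIN_AGE_DAYS) problems.push("PIN older than 90 days");
  if (mailbox.throughDialEnabled && !mailbox.needsThroughDial) {
    problems.push("through-dialling enabled but not needed");
  }
  return problems;
}

// Audit every mailbox; returns only those with violations, keyed by extension.
function auditMailboxes(mailboxes, today) {
  const findings = {};
  for (const m of mailboxes) {
    const problems = checkVoicemailPin(m, today);
    if (problems.length) findings[m.extension] = problems;
  }
  return findings;
}

// Constructed sample data: one badly configured box, one compliant box, one
// unassigned box still carrying a trivial PIN.
const AUDIT_DATE = new Date("2009-01-30T00:00:00Z");
const SAMPLE_MAILBOXES = [
  { extension: "1234", phoneNumber: "9055551234", pin: "1234",
    pinSetOn: new Date("2008-10-01T00:00:00Z"), assigned: true,
    throughDialEnabled: true, needsThroughDial: false },
  { extension: "2207", phoneNumber: "9055552207", pin: "830517",
    pinSetOn: new Date("2009-01-05T00:00:00Z"), assigned: true,
    throughDialEnabled: false, needsThroughDial: false },
  { extension: "2299", phoneNumber: "9055552299", pin: "777777",
    pinSetOn: new Date("2009-01-05T00:00:00Z"), assigned: false,
    throughDialEnabled: false, needsThroughDial: false },
];

console.log(auditMailboxes(SAMPLE_MAILBOXES, AUDIT_DATE));
```

Run against the sample data, the first mailbox collects every violation in the list, the second passes, and the third is flagged both for being unassigned and for its repeated-digit PIN; the through-dialling flag is the one finding that does not depend on the PIN at all, which is why the ad lists it separately.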

"While these precautions are of a general nature, and might not protect every aspect of an individual telephone system, they will go a long way to reducing your vulnerability to this type of fraud," the ad states.
