Social jacking
Social jacking is malicious technique tricking the users for clicking vulnerable buttons or compromise them by showing false appearing pages, it is a mixture of click jacking technique to breach browser security and social engineering. It may be also referred as User interface disguising method, it is a variant of click jacking method.
Technique
The original page or vulnerable page is loaded using iframe tag, after that all the unnecessary contents in that webpage displayed in iframe is removed by placing white background div tag elements by using absolute positioning property using css, thus all unnecessary information in the displayed vulnerable page is removed and only buttons or links are alone made visible to the user, more over some additional social engineering messages like click the below button so get access or get reward is displayed above the iframe tag, so the user is made to click the visible button without knowing what happens when he clicks the button.
Examples
- Suppose the user has logged into his web based email, now we send a link to the user for the tricked webpage, the user clicks the link and the tricked or specially crafted webpage is loaded, the loaded webpage has an iframe tag through which the users web based email inbox is loaded and we hide all the unnecessary information in the loaded webpage and make only the "delete all" button in the inbox page to be visible, now we add the text above iframe saying some messages which makes the user to click the delete all button, now when the user clicks the delete all button his all mails got deleted .
Prevention
Prevention of these methods is quite tough, its up to the user by identifying and analyzing the webpages and he should not click any anonymous links or buttons .
Implementation
Social jacking can be easily implemented using Google Web Toolkit, where we can design the webpage using wysiwyg GUI builder and drag white background colored panel over the iframe window thus hiding the unnecessary information, while revealing the vulnerable buttons alone.
See also
- Social engineering
- Clickjacking
- Browser security
- Internet safety
- Internet security
- Cross-site scripting
- Phishing