derived words

clickjacking

the malicious activity of taking control of an Internet user's actions by making them click on hidden links

Identity theft, phishing, worms, Trojans … what a hazardous path we Internet users have to tread! And now there's yet another new thing to worry about – the phenomenon of clickjacking.

the way we navigate the Web centres on our ability to click, so it's no surprise scammers have been concentrating on ways to manipulate our clicking habits

Everything about the way we navigate the Web centres on our ability to click, so it's no surprise that scammers have been concentrating on ways to manipulate our clicking habits. Clickjacking occurs when users click on a button that appears to perform another function – in other words, they are tricked into clicking on something they hadn't intended to, because the link they are really clicking on is 'hidden' by something that looks innocent. The scam works by presenting the user with a web page incorporating fake links or buttons, which has another page loaded over it in an invisible layer. Users think that they are clicking on the buttons that they can see, whereas in fact they are performing actions concealed on the invisible page. To illustrate, a user might see a 'play' button for a video, but hidden underneath it is a product page from a web retailer. When the user 'plays' the video, he or she is actually clicking on a link to unwittingly buy the product.

A high-profile example of clickjacking occurred in the context of social networking website Facebook. Users clicking on links to recent popular topics like the 2010 World Cup, the BP oil leak or the new Shrek movie, have unwittingly been clicking on a hidden button telling Facebook that they 'like' the web page. This then gets published on their own Facebook page and shared with online friends, spreading the links virally.

Though episodes like this are essentially harmless, it's not difficult to see that clickjacking could be exploited for more malicious purposes, such as acquiring and manipulating sensitive information like personal details, passwords, logins etc.

Background – clickjacking

The word clickjacking first appeared in 2008, coined by Internet security experts Robert Hansen and Jeremiah Grossman. The term is, of course, a blend of the words click and hijacking (=illegally taking control of something). Modelling itself on the pattern of hijack, the derived form clickjack also exists, which can be used as a countable noun, to refer to an instance of clickjacking, or a transitive verb, usually occurring in the passive form, as in get clickjacked. The derived noun clickjacker is used for perpetrators.

Clickjacking follows two earlier neologisms centred around the activity of mouse clicking: click fraud, which is the dishonest activity of clicking on online advertisements in order to generate a charge per click, and clickprint, refering to an Internet user's unique pattern of online behaviour.