Disclaimer: Click Jacking is considered a Black Hat SEO method. If Google catches you using Click Jacking methods they will black list your site. I take no responsibility for how you choose to use this information.
You probably see it all the time on websites. Little icons on the pages that have the logo of social networks. Or sometimes the logo will have number next to them. These are ways to get better results in search engines. The more Facebook Likes a person has the more Tweets someone has and the more Google +1’s they have the better results they will have in Google’s Searches.
However in the dark realm of the internet world, there are people who look for ways to cheat their way to the top. They don’t care about the honest opinions of people visiting their site. They only care about getting the best results at any costs. This means they will manipulate the system to work in their favor.
One method people use to manipulate the system is by setting up a bunch of fake social network profiles and using them to get results. This however is easy for Google and other search engines to detect. Another method is by forcing social network users to do it for them. Many times these users don’t even know they are participating in such activities.
I chose Google +1 for this because it is Google, and they are number one. The concept is exactly the same for any other site. And you can click jack anything for any reason.
The basic idea of click jacking is to find the area of the site you want users to click. Then create an iframe for that location. The iframe will always follow the users mouse and users mouse will always be directly over the iframe. So when I user attempts to click a link on the page he/she is clicking the object you want them to click. Of course iframes can be visible, so we hide the iframe so they only see the mouse and not the iframe or the clickable element we are forcing them to click.
After the user clicks the element they will think nothing happened. Most of the time they will try again. When it comes to things like Google +1 and Facebook Like buttons when I user clicks twice it toggles on and off. So one click will mean you +1 the site two clicks means you didn’t +1 the site. And 3 means you did and so on.
To prevent the user from clicking multiple times you removing the iframe after the first click. This allows users to click on the other links on the site and the links will work as they expect. Leaving the user to believe the first click attempt was just a hick up or a problem on their end.
Build The Click Jacker
First lets write the CSS. The below will affect the iframes body. We set everything to zero so no one can see anything.
Now lets build the iframe. In our case we will nest the iframe inside of a hidden div this, with the width and height of 1 pixel. We will also set the div to be relative. The reason we are using a div like this is to ensure that it always follows the mouse.
After we set the div we create the iframe. The iframe will have the section we want to click inside of it. We will also make the iframe have a border of 0 pixels. We will set the correct alignments for the iframe. And set the position to absolute to the div.
<div style="overflow:hidden;width:1px;height:1px;position:relative;" id="v">
<iframe id="cksl7" name="cksl7" src="http://www.iframepage.com/file-with-clickable-object.html" style="border:0px;left:-625px;top:-307px;position:absolute;filter:alpha(opacity=0);z-index:1;opacity:0;overflow:hidden;width:1366px;height:546px;">
Remember ! means NOT in many programming languages. So the above in pseudo code would be something like if not d.all then d should capture events when the mouse moves.
Preventing The Attack
If your the owner of a site like Facebook or Google, then preventing the attack is difficult since you don’t have access or control to the site that is doing click jacking methods. The only thing you can do is block the IP address of the server that the site is stored on. Of course doing this means that you know the owner of the site has already used click jacking methods. If you haven’t caught them then they would continue to do it, and there isn’t much of a way to actually prevent them from starting to do it.
If you are a user who has been used to become part of a click jacking system. And you find out that you have become part of the system. It is best that you report the click jacking site to the correct people. For example if the click jacking site is click jacking Google +1 clicks it is best for you to report it to Google. If it is click jacking Facebook likes it is best to report it to Facebook.
Click Jacking may be a way to make some fast cash by climbing up to the top of search engines really fast. But it wont be permanent. Once you get caught you wont appear in search engines any more. This means you will lose traffic, sales and business for that site.
Even if you register the domain on someone else name, you will need a different server as well since the server you used would have been black listed as well.
It is up to the site owner to decide if making extra money really fast is worth years of lost credibility and a dead stream of income.