What Is Clickjacking?

Clickjacking is when a cybercriminal tricks a user into clicking an invisible element on a webpage, thereby ‘hijacking’ the user’s clicks for malicious purposes.

To do that, attackers place a transparent layer over a legitimate page, which, when clicked on, triggers a malicious operation running in the background. The worst part of it all? You have absolutely no idea it’s happening.

Clickjacking, also known as UI redressing, has been used in the past to:

  • Steal passwords
  • Fake Facebook likes
  • Push online scams and spread malware by tricking people into clicking on malicious download links
  • Trick people into turning on their webcam or microphone

Here’s how it works

For an attack to work, a specific webpage element needs to be targeted, such as a link, button, or header. For maximum impact, attackers will target the areas that users are most likely to click.

In general, HTTP sites often become a battleground for clickjacking attacks, since they lack the security layer that HTTPS sites provide.

Clickjacking example #1: Stealing your money

An attacker uses multiple layers to trick you into transferring your money into their bank account.

  1. As bait, the hacker presents an attractive page that promises you a free trip to Bali if you click a “Book My Free Trip” button.

  2. Meanwhile, the hacker checks if you’re logged into your banking site. If so, an invisible bank transfer page is loaded behind the ‘free trip page.’ The hacker inserts their bank details into the form.

  3. The “Confirm Transfer” button is aligned exactly over the “Book My Free Trip” button.

  4. You click the “Book My Free Trip” button (which is actually the invisible “Confirm Transfer” button) and unknowingly transfer money directly into the hacker’s account.

  5. You’re redirected to a dummy page about your supposed ‘free trip,’ oblivious to everything else that happened in the background.

Clickjacking example #2: Faking Facebook likes

An attacker tricks you into liking a Facebook page without you realising, gaining them thousands of real followers.

  1. The attacker creates a dummy website with a button that says “Click here to go back to Google.”

  2. On top of that page, an invisible page is loaded with the Facebook ‘Like’ button lined up exactly over the “Click here to go back to Google” button.

  3. You try to click on the “Click here to go back to Google” button, but instead click on the attacker’s invisible Facebook ‘Like’ button.

Clickjacking example #3: Stealing your credentials

A hacker harvests your username and password by superimposing a fake login box on top of a real one.

  1. The attacker positions a transparent layer over the legitimate website, so both text fields overlap each other.

  2. Now, you cannot tell the difference between the text field you see and the identical one which the attacker has duped.

  3. To the hacker’s delight, you type your password directly into their invisible text field overlapping the real one. However, everything you type will be hidden, so most people know something’s up when they can’t see any characters appearing as they type.

But how many of us punch in passwords and hit enter without even looking up from the keyboard? It’s hurried moments like these which attackers rely on to swipe your credentials.

What is the difference between clickjacking and phishing?

A phishing scam is a little different from clickjacking since it involves direct communication with the victim. Usually, an attacker sends a fake email, mimicking a legitimate company, which tricks people into replying with personal information.

In other cases, the email contains malicious links to phony websites or opens a pop-up window that mimics a legitimate website. In reality, it merely collects your information.


Most browsers protect against clickjacking with the Same-Origin policy. This means a browser will allow scripts in one web page to access data in a second page, but only if both pages have the same origin.The browser checks the origin of the pages by comparing their URI schemes, host names, and port numbers — all of these must match.

To avoid clickjackers trying to steal your sensitive information, a password manager is a brilliant place to start. For example, NordPass detects insecure websites (such as HTTP sites – the kind that are typically used in clickjacking attacks), prompting users with a notification that they’re about to access an unprotected website.

New scams are created every day in an attempt to circumvent your security. Generally speaking, avoiding HTTP sites is a great way to steer clear of a whole range of cyberattacks, not just clickjacking. Conveniently, NordPass alerts you about unsafe websites besides securely storing your most sensitive information.

Subscribe to NordPass news

Get the latest news and tips from NordPass straight to your inbox.