Thursday, October 23, 2008

Clickjacking Attacks In-The-Wild

Via Windows Secrets Newsletter (Issue 172)

In last week's Top Story, Windows Secrets associate editor Stuart Johnston described a technique being used by bad guys to infect your PCs and steal your personal information. Now we hear from a reader named Graham, who has first-hand experience that clickjacking attacks are real and likely to become more common.

"Yep, clickjacking is in the wild. I build, fix, and de-badware computers for family, friends, and businesses. I had a friend complain that his eBay page kept popping up with auctions when he hadn't accessed eBay. So, dutifully, I went to see what was going on and found that he had been trawling through some [game] crack sites.

"When he clicked some links, he would also pop his eBay page up (he had his eBay cookie set). Bingo! The crack-page vendors had scored his login details. I quickly apprised him of the risks of visiting said pages and, of course, quickly reset his eBay password and scanned, cleaned, and disinfected his computer.

"Hopefully, I have left him a much wiser if not a safer surfer. So the hack is out there and, I am sure, soon to spread to more legitimate sites as hackers break into badly protected Web pages. And I am sure more nastiness will soon present itself rather than this more benign attack (and I am not lessening the seriousness of this type of attack, just that this was easily fixed)."

To repeat the precautions that Stuart outlined in his article: (1) use the Firefox browser with Giorgio Maone's NoScript script-blocking add-on installed (donation requested) and allow only trusted sites to run scripts, (2) update to the latest version of Adobe's Flash Player, and (3) stay away from questionable sites.

-----------------------------

I'm not 100% sure this was clickjacking... but we will go with it until proven otherwise.
