Clickjacking and Low-Intention Traffic

In affiliate marketing, web sites only get paid if a user clicks through to a merchant’s web site.  This creates an obvious incentive for affiliates to get clicks by any means necessary – to fake clicks, to automate clicks, or to get users to “click” on affiliate links  when they are actually trying to do something else.  This article describes clickjacking and other attacks that send merchants low-intention traffic.  Common to all these attacks is that users didn’t want to visit the merchant’s site and didn’t know they would be brought there.

The basics of clickjacking

The word “clickjacking” combines the words “click” and “hijacking”, reflecting the essence of the technique: converting (less charitably, hijacking) a click intended to do one thing so that it does something else or something additional. For example, in clickjacking, an empty part of a page could be turned into a link, so that if a user happens to click there, an affiliate link is invoked. But how many users would happen to click an empty part of the page? A more effective method of clickjacking modifies existing clickable objects, such as links and buttons. Some attacks change those clickable objects to open the affiliate link only (and not to do what the user expected). Other attacks cause a single click to do two things – often a link continues to function in its expected way, but a JavaScript event handler causes the link also to open a second destination. An alternative approach overlays a web page with a transparent object. When a user attempts to interact with the web page, the transparent object intercepts the click.

Types of clickjacking attacks

For an attacker, clickjacking can serve a variety of purposes:

  • Generate fake clicks to be sold PPC (pay-per-click)
  • Invoke affiliate links, thereby claiming affiliate commission if a user buys the promoted product
  • Redirect to competitor websites
  • Distribute adware or malware
  • Generate fake likes for social media posts (such as on Facebook or Instagram)

Ultimately anyone wanting fake clicks can potentially get them from clickjacking.

How to prevent clickjacking attacks?

A web site only becomes a source of clickjacking traffic if the clickjacking JavaScript can attach to that site.  There are three known ways this can occur.  First, a web site may intentionally install code from a clickjacker – perhaps because the clickjacker pays to do so, or potentially because the clickjacker claims the code has some other benefit.  Second, a web site may install code from a bona fide ad network (or other object or embed), and that ad code either directly or indirectly in turn brings in a clickjacker. Third, client-side malware can add a clickjacker to pages the user browses.  As to the first and second paths, a web site is well positioned to fix the problem by scrutinizing the code it places in its site.  As to the third, a web site has much less control – but since these problems affect all sites browsed on infected computers, most users would eventually recognize that the problem is with their computer (affecting any or most sites viewed on that computer) rather than with the web sites themselves.
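As an added example (not code from this article or from VPT), the following heuristic DOM audit lets a site operator scrutinize their own pages for two of the patterns described in the basics section above: a transparent full-page overlay that intercepts clicks, and a link whose inline handler also opens a second destination. The descriptor shape, the 0.9 coverage threshold and the sample values are assumptions; the pure functions run in Node on constructed input, and describeDom gathers the same fields from a live page in a browser.

```javascript
// Added example (not from the article): heuristic audit of a page's own DOM for two
// clickjacking patterns. Thresholds and descriptor shape are assumptions for illustration.
const SECOND_DESTINATION = /window\.open\s*\(|location\.(href|assign|replace)\b/;

// Descriptor: { tag, position, opacity, backgroundColor, pointerEvents,
//               rect: {width, height}, text, href, onclick (inline handler source) }.
function isTransparentOverlay(el, viewport) {
  const covers = el.rect.width >= 0.9 * viewport.width &&
                 el.rect.height >= 0.9 * viewport.height;
  const floats = el.position === "fixed" || el.position === "absolute";
  const seeThrough = el.opacity < 0.05 ||
                     (el.backgroundColor === "rgba(0, 0, 0, 0)" && el.text === "");
  // An overlay with pointer-events: none cannot intercept anything.
  return covers && floats && seeThrough && el.pointerEvents !== "none";
}

// A link that keeps its normal href but whose inline handler also opens a second URL.
function isDualDestinationLink(el) {
  return el.tag === "a" && Boolean(el.href) && SECOND_DESTINATION.test(el.onclick || "");
}

// Returns one finding per suspicious element: { index, reason }.
function auditElements(elements, viewport) {
  const findings = [];
  elements.forEach((el, index) => {
    if (isTransparentOverlay(el, viewport)) {
      findings.push({ index, reason: "transparent overlay intercepts clicks" });
    } else if (isDualDestinationLink(el)) {
      findings.push({ index, reason: "link handler opens a second destination" });
    }
  });
  return findings;
}

// Browser-only: build descriptors from live DOM nodes. Only inline onclick attributes
// are visible here; handlers attached with addEventListener are not, so a clean
// result is not proof of a clean page.
function describeDom(doc, win) {
  return Array.from(doc.querySelectorAll("*")).map((node) => {
    const cs = win.getComputedStyle(node);
    const r = node.getBoundingClientRect();
    return { tag: node.tagName.toLowerCase(), position: cs.position,
      opacity: parseFloat(cs.opacity), backgroundColor: cs.backgroundColor,
      pointerEvents: cs.pointerEvents, rect: { width: r.width, height: r.height },
      text: (node.textContent || "").trim(), href: node.getAttribute("href"),
      onclick: node.getAttribute("onclick") || "" };
  });
}

if (typeof document !== "undefined") { // e.g. pasted into the console of your own page
  console.log(auditElements(describeDom(document, window),
    { width: window.innerWidth, height: window.innerHeight }));
}
```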

Separately, diligent merchants and advertisers want to keep their brands and offers out of clickjacking traffic.  Visible Performance Technologies (VPT) has built automation to help with this.  Exploring the dark corners of the web, we have found a variety of sites known to engage in clickjacking.  We check these clickjacking sites frequently, from a variety of computers in a variety of locations, to check what offers they show.  When we find a clickjacking site promoting one of our clients, we let the client know – and we include screenshots and even packet logs sufficient to leave no doubt about what occurred.  By finding non-compliant behaviors, VPT helps clients protect their brands, show their offers to the right users, and increase advertising ROI.