January 11, 2016 By Douglas Bonderud 2 min read

In an effort to protect citizens’ digital privacy, the European Union (EU) has opted for strict online policies that give users choice over how much — if any — of their personal data a website is allowed to collect. One such regulation is the Cookie Law, which requires site owners to display a warning notification.

According to SecurityWeek, however, clever clickjackers have taken a bite out of this legislation and used the EU’s own rules against it to misdirect traffic. This one is sure to leave a bad taste.

The Cookie Law Gets Jacked Up

Clickjacking isn’t a new malvertising technique but remains popular because it’s an easy hack to pull off and can mean big revenues for determined attackers. It works like this: Malicious actors layer a redirect advertisement over a legitimate piece of website content but make it appear as though no such advertisement exists. This can be accomplished by setting the ads’ opacity to zero or stretching the content to extend over other links and pictures. When users click on what they believe is a legitimate ad or link, they’re actually clickjacked and sent somewhere they had no intention of going.

The big benefit for clickjackers? They generate steady revenue from unsuspecting ad companies looking for real user clicks instead of those generated by bot surfing programs. And since there’s no way to tell if users intended to click on a specific link, even bad redirections count as good money.

With clickjacking still so profitable, it’s no wonder big companies and even government regulations are being targeted. As noted by Softpedia, for example, LinkedIn was recently made aware of a clickjacking scam enabled by its blog post publishing option. While HTML tags used to load CSS classes are well-screened by the platform, LinkedIn does allow users to pick from any of its own style sheets — some of which permit the stretching of links to cover the entire page area. The result is legitimate-seeming blog posts that are in fact one massive link.

Not So Am-EU-sing

So how did clickjackers play fast and loose with EU regulations? Simple: They took advantage of mandatory notifications. Any Web pages that serve traffic to European visitors must by law carry a notification that gives users the option to accept or reject the use of cookies during their browsing session. As noted by SC Magazine, cybercriminals layered an advertisement over this notification, then made their ad transparent.

The result? Users looking for enhanced protection were instead redirected to an ad of the clickjacker’s choosing. What’s interesting to note here is that users — aside from being momentarily inconvenienced — encountered little in the way of negative impact. Legitimate advertisers, however, were scammed into paying out for false clicks while scammers redirected traffic.

Ultimately, the EU’s cookie law is trying to make the Internet a safer place for users, but as the recent clickjacking scam demonstrates, it’s almost impossible to legislate privacy. Consumers aren’t trained to look for strange links in expected locations, while advertisers have limited reach when it comes to ensuring click traffic intent matches action. For now, that’s the way the cookie crumbles.

More from

Skills shortage directly tied to financial loss in data breaches

2 min read - The cybersecurity skills gap continues to widen, with serious consequences for organizations worldwide. According to IBM's 2024 Cost Of A Data Breach Report, more than half of breached organizations now face severe security staffing shortages, a whopping 26.2% increase from the previous year.And that's expensive. This skills deficit adds an average of $1.76 million in additional breach costs.The shortage spans both technical cybersecurity skills and adjacent competencies. Cloud security, threat intelligence analysis and incident response capabilities are in high demand. Equally…

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today