January 11, 2016 By Douglas Bonderud 2 min read

In an effort to protect citizens’ digital privacy, the European Union (EU) has opted for strict online policies that give users choice over how much — if any — of their personal data a website is allowed to collect. One such regulation is the Cookie Law, which requires site owners to display a warning notification.

According to SecurityWeek, however, clever clickjackers have taken a bite out of this legislation and used the EU’s own rules against it to misdirect traffic. This one is sure to leave a bad taste.

The Cookie Law Gets Jacked Up

Clickjacking isn’t a new malvertising technique but remains popular because it’s an easy hack to pull off and can mean big revenues for determined attackers. It works like this: Malicious actors layer a redirect advertisement over a legitimate piece of website content but make it appear as though no such advertisement exists. This can be accomplished by setting the ads’ opacity to zero or stretching the content to extend over other links and pictures. When users click on what they believe is a legitimate ad or link, they’re actually clickjacked and sent somewhere they had no intention of going.

The big benefit for clickjackers? They generate steady revenue from unsuspecting ad companies looking for real user clicks instead of those generated by bot surfing programs. And since there’s no way to tell if users intended to click on a specific link, even bad redirections count as good money.

With clickjacking still so profitable, it’s no wonder big companies and even government regulations are being targeted. As noted by Softpedia, for example, LinkedIn was recently made aware of a clickjacking scam enabled by its blog post publishing option. While HTML tags used to load CSS classes are well-screened by the platform, LinkedIn does allow users to pick from any of its own style sheets — some of which permit the stretching of links to cover the entire page area. The result is legitimate-seeming blog posts that are in fact one massive link.

Not So Am-EU-sing

So how did clickjackers play fast and loose with EU regulations? Simple: They took advantage of mandatory notifications. Any Web pages that serve traffic to European visitors must by law carry a notification that gives users the option to accept or reject the use of cookies during their browsing session. As noted by SC Magazine, cybercriminals layered an advertisement over this notification, then made their ad transparent.

The result? Users looking for enhanced protection were instead redirected to an ad of the clickjacker’s choosing. What’s interesting to note here is that users — aside from being momentarily inconvenienced — encountered little in the way of negative impact. Legitimate advertisers, however, were scammed into paying out for false clicks while scammers redirected traffic.

Ultimately, the EU’s cookie law is trying to make the Internet a safer place for users, but as the recent clickjacking scam demonstrates, it’s almost impossible to legislate privacy. Consumers aren’t trained to look for strange links in expected locations, while advertisers have limited reach when it comes to ensuring click traffic intent matches action. For now, that’s the way the cookie crumbles.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today