In an effort to protect citizens’ digital privacy, the European Union (EU) has opted for strict online policies that give users choice over how much — if any — of their personal data a website is allowed to collect. One such regulation is the Cookie Law, which requires site owners to display a warning notification.

According to SecurityWeek, however, clever clickjackers have taken a bite out of this legislation and used the EU’s own rules against it to misdirect traffic. This one is sure to leave a bad taste.

The Cookie Law Gets Jacked Up

Clickjacking isn’t a new malvertising technique but remains popular because it’s an easy hack to pull off and can mean big revenues for determined attackers. It works like this: Malicious actors layer a redirect advertisement over a legitimate piece of website content but make it appear as though no such advertisement exists. This can be accomplished by setting the ads’ opacity to zero or stretching the content to extend over other links and pictures. When users click on what they believe is a legitimate ad or link, they’re actually clickjacked and sent somewhere they had no intention of going.

The big benefit for clickjackers? They generate steady revenue from unsuspecting ad companies looking for real user clicks instead of those generated by bot surfing programs. And since there’s no way to tell if users intended to click on a specific link, even bad redirections count as good money.

With clickjacking still so profitable, it’s no wonder big companies and even government regulations are being targeted. As noted by Softpedia, for example, LinkedIn was recently made aware of a clickjacking scam enabled by its blog post publishing option. While HTML tags used to load CSS classes are well-screened by the platform, LinkedIn does allow users to pick from any of its own style sheets — some of which permit the stretching of links to cover the entire page area. The result is legitimate-seeming blog posts that are in fact one massive link.

Not So Am-EU-sing

So how did clickjackers play fast and loose with EU regulations? Simple: They took advantage of mandatory notifications. Any Web pages that serve traffic to European visitors must by law carry a notification that gives users the option to accept or reject the use of cookies during their browsing session. As noted by SC Magazine, cybercriminals layered an advertisement over this notification, then made their ad transparent.

The result? Users looking for enhanced protection were instead redirected to an ad of the clickjacker’s choosing. What’s interesting to note here is that users — aside from being momentarily inconvenienced — encountered little in the way of negative impact. Legitimate advertisers, however, were scammed into paying out for false clicks while scammers redirected traffic.

Ultimately, the EU’s cookie law is trying to make the Internet a safer place for users, but as the recent clickjacking scam demonstrates, it’s almost impossible to legislate privacy. Consumers aren’t trained to look for strange links in expected locations, while advertisers have limited reach when it comes to ensuring click traffic intent matches action. For now, that’s the way the cookie crumbles.