Hackers can steal your accounts, and all it takes is a double-click — don’t fall for this new form of clickjacking

As the name suggests, clickjacking is an attack method where hackers, scammers or other cybercriminals hijack your clicks on one website to perform malicious actions on another site. For instance, you might think you’re clicking a button on the site you’re currently browsing, and that click will then be used to buy something on another entirely different site.

Now, hackers have added another click to this attack method to get around the fact that modern browsers no longer send cross-site cookies. As such, this threat, which had almost died out, is now once again being used by hackers in their attacks.

Here’s everything you need to know about double-clickjacking and how to stay safe from this emerging threat.

From phishing to double-clickjacking

In a new blog post, Yibelo explains how double-clickjacking works, explaining that while this may be a small change, “it opens the door to new UI manipulation attacks that bypass all known clickjacking protections.”

So far, in the attacks using this new variation on clickjacking, hackers lead potential victims to a phishing site first. Once there, a standard CAPTCHA notification appears but with a twist: instead of writing out scrambled text or identifying animals or objects in photos, users are prompted to double-click a button to prove they are human.

In the background between these two clicks, the hackers using this attack method have added extra functionality to load a sensitive page, such as an OAuth authorization confirmation. While a user’s first click closes the top window, their second click goes to the sensitive page to approve authorization, grant permission or complete another action.

Interestingly enough, it doesn’t matter how long it takes a user to perform their second click.

According to Yibelo, double-clickjacking can be used to obtain OAuth and API permissions on most major websites. However, this new attack method can also be used to perform one-click account changes like disabling security settings, deleting an account, authorizing access for money transfers, confirming transactions and more. Likewise, it can even be used to attack browser extensions.

How to stay safe from clickjacking

Defending against this new form of clickjacking is something that Google, Microsoft, Apple, Mozilla and other browser makers will need to implement in future updates. However, you can still take some steps to avoid falling victim to a cyberattack that uses this attack method.

For starters, you always want to be careful where you click online. Whether it’s a link in an email, a text message or even a button on a website, think before you click. As part of this, you should also avoid navigating to suspicious sites such as giveaways that are too good to be true, like those ‘win a free iPhone’ ones.

To keep your devices safe, you should use the best antivirus software on your Windows computer, the best Mac antivirus software on your Apple computer and one of the best Android antivirus apps on your smartphone. There isn't an iPhone equivalent of these Android antivirus apps due to Apple’s own restrictions, but Mac antivirus software from Intego can scan an iPhone or iPad for malware when connected to a Mac via USB.

Now that hackers, scammers and other cybercriminals are again using clickjacking in their attacks, expect browser makers and even websites themselves to start adding new features to protect against this attack method. Until these start rolling out, though, it’s up to you to practice good cyber hygiene, and whatever you do, don’t double-click on any CAPTCHAs you come across.

More from Tom's Guide

• Macs under threat from malicious ads spreading malware — don’t fall for this
• The FBI now recommends using an ad blocker — here’s why
• Over 600,000 Chrome users at risk after 16 browser extensions compromised by hackers