CAPEC-222: iFrame Overlay
In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI of a seemingly completely different system.
Overview
While logged in to some target system, the victim visits the adversary's malicious site, which displays a UI that the victim wishes to interact with. In reality, the iFrame overlay page has a transparent layer above the visible UI containing action controls that the adversary wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page, which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the adversary may have just tricked the victim into executing some potentially privileged (and most undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks they are clicking on versus what they are actually clicking on.
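The overlay described above only works if the browser agrees to render the target system's page inside a frame on the adversary's site. The server-side countermeasure, which this CAPEC entry does not itself spell out, is for the target system to send a response header that forbids framing: either X-Frame-Options (DENY or SAMEORIGIN) or the Content-Security-Policy frame-ancestors directive, which takes precedence over X-Frame-Options when both are present. The following Python is an added example, not part of the CAPEC entry; it classifies a set of response headers by the framing protection they provide. The header names and values are the real ones; the sample responses and the function names are constructed for this example.

```python
"""Classify HTTP response headers by the framing protection they give.

Added example (not from the CAPEC entry). The sample responses below are
constructed; the header names and directive values are the real ones.
"""
from typing import List, Mapping, Optional


def frame_ancestors_sources(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # Keyword sources ('none', 'self') are case-insensitive; host sources are kept as-is.
            return [p.lower() if p.startswith("'") else p for p in parts[1:]]
    return None


def framing_protection(headers: Mapping[str, str]) -> str:
    """Classify a response as 'blocked', 'same-origin', 'restricted' or 'unprotected'.

    CSP frame-ancestors is consulted first because browsers let it override
    X-Frame-Options when both headers are present.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors_sources(csp)
        if sources is not None:
            if sources == ["'none'"]:
                return "blocked"
            if sources == ["'self'"]:
                return "same-origin"
            return "restricted"  # an explicit allow-list of framing origins

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # The obsolete ALLOW-FROM value is ignored by current browsers, so it
    # gives no protection and falls through here together with a missing header.
    return "unprotected"


def audit(responses: Mapping[str, Mapping[str, str]]) -> dict:
    """Map each URL to its framing classification; flags pages an overlay could embed."""
    return {url: framing_protection(h) for url, h in responses.items()}


# Constructed sample responses (not real hosts or captured traffic).
SAMPLE_RESPONSES = {
    "https://bank.example/transfer": {"X-Frame-Options": "DENY"},
    "https://bank.example/settings": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "SAMEORIGIN",
    },
    "https://bank.example/widget": {
        "Content-Security-Policy": "frame-ancestors 'self' https://partner.example"
    },
    "https://bank.example/legacy": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "https://bank.example/help": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{verdict:12} {url}")
```

Run the audit over every authenticated endpoint, not just the landing page: the victim in this attack is already logged in, and an overlay can target any state-changing page that the browser is willing to frame. The caveat built into the classifier is that ALLOW-FROM is treated as no protection, since current browsers do not honour it.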
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1: Explore
[Craft an iFrame Overlay page] The adversary crafts a malicious iFrame overlay page.
- The adversary leverages iFrame overlay capabilities to craft a malicious iFrame overlay page.
- Step 2: Exploit
[Adversary tricks victim into loading the iFrame overlay page] The adversary utilizes some form of temptation, misdirection or coercion to trick the victim into loading and interacting with the iFrame overlay page, in a way that increases the chances that the victim will visit the malicious page.
- Lure the victim to the malicious site by sending the victim an e-mail containing a URL to the site.