The victim thinks they are playing a game: they are asked to drag and drop the ball down into the basket.
The victim drags the ball into the basket, clicks ‘Go’, and the game is complete.
What the victim doesn’t know is that they have actually dragged sensitive information from their own account, which is loaded in an iframe, into a text field on the attacker's page.
Below is the attacker's PHP file, hosted on their own server, containing the victim's data that was unintentionally sent to it.
With clickjacking the emphasis is on the opacity of the iframe: above it is set to 0, so the framed page is invisible, and below it is set to 0.5, so you can see the iframe and what the victim is really dragging.
For this attack to work the victim has to be logged into the target website; only then does the iframe load their account and let the attacker obtain the admin information they want.
The iframe does not load the website itself but the URL of its page source (the view-source URL).
This is done because on many websites the CSRF token is stored inside the page source, so the attacker obtains not only the victim's information but also the CSRF token, which can then be used to carry out a further attack, Cross-Site Request Forgery.
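The whole attack depends on the target site allowing itself to be loaded inside an attacker's iframe. The check below is an added example, not code from the original post: it takes a site's response headers and decides whether a given embedding origin would be allowed to frame the page, honouring `Content-Security-Policy: frame-ancestors` (which takes precedence when present) and falling back to `X-Frame-Options`. The origins and header values are constructed for illustration; ports and path-bearing CSP sources are not handled, which is a simplification.

```javascript
// Added example: does this response let an arbitrary origin frame the page?
// Headers and origins are constructed test data, not from any real site.

// Pull the frame-ancestors source list out of a CSP header value, or null.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

// Does one CSP source expression match the origin that wants to embed us?
function sourceMatches(source, frameOrigin, pageOrigin) {
  const s = source.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'none') return false;
  if (s === '*') return true;
  if (s === 'self') return frameOrigin === pageOrigin;
  // Scheme-only source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return frameOrigin.startsWith(s + '//');
  // Host source, with optional scheme and optional leading wildcard label
  const m = frameOrigin.match(/^([a-z]+):\/\/([^/]+)$/);
  if (!m) return false;
  const [, scheme, host] = m;
  const src = s.includes('://') ? s : `${scheme}://${s}`;
  const [srcScheme, srcHost] = src.split('://');
  if (srcScheme !== scheme) return false;
  if (srcHost.startsWith('*.')) {
    const suffix = srcHost.slice(1);            // ".bank.example"
    return host.endsWith(suffix) && host !== srcHost.slice(2);
  }
  return srcHost === host;
}

// headers: plain object of response headers (case-insensitive names).
// Returns true when frameOrigin may embed the page served by pageOrigin.
function framingAllowed(headers, pageOrigin, frameOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  pageOrigin = pageOrigin.toLowerCase();
  frameOrigin = frameOrigin.toLowerCase();

  const ancestors = frameAncestors(h['content-security-policy']);
  if (ancestors) {
    // Browsers that support frame-ancestors ignore X-Frame-Options entirely.
    return ancestors.some(src => sourceMatches(src, frameOrigin, pageOrigin));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return frameOrigin === pageOrigin;
  // No header, or the obsolete ALLOW-FROM form: current browsers apply no
  // restriction, so any site can embed the page.
  return true;
}

// Constructed demonstration: an unprotected response versus a locked-down one.
const target = 'https://bank.example';
const embedder = 'https://game.example';
console.log('no headers      ->', framingAllowed({}, target, embedder));
console.log('XFO SAMEORIGIN  ->', framingAllowed({ 'X-Frame-Options': 'SAMEORIGIN' }, target, embedder));
console.log("CSP 'none'      ->", framingAllowed({ 'Content-Security-Policy': "frame-ancestors 'none'" }, target, embedder));
```

Run this over the headers of an authenticated page (the one whose view-source URL the post describes framing) and a result of `true` for an untrusted origin is the condition that makes the drag-and-drop trick possible; `frame-ancestors 'none'` or `'self'` on every authenticated response is the fix.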