Canary Tokens

In this video, we’re going to be talking about canary tokens. Now if you are not familiar with canary tokens, canary token is essentially a tool that we could use as a sort of honeypot. These tend to be pretty easy to set up. And it’s generally used by malicious hackers and IT professionals alike.

So what is a canary token, though? Again, a canary token is a type of honeypot. A canary token could be triggered in a number of different ways. We could create image files. We can create an xls file, Word documents, URLs, QR codes, et cetera as a potential honeypot. So, say, if someone opens a particular image, opens the Excel file, opens a Word document or URL or QR code or things of that nature, it could potentially trigger this canary token. So once triggered, a email is going to be sent to you or whatever address that you put in when you set up your canary token.

And the email is going to contain a lot of basic information such as IP address, the type of browser that was used, et cetera. Canary tokens are really versatile in its deployment method. This is why canary tokens - or partially why they’re so powerful. So let’s take a look at setting up a canary token. Now, I’m over at canarytokens.org/generate. This is a free site. And it’s pretty easy. You can click on the documentation to read more about this.

But if you click on Select your token, we can see a lot of different tokens - web bug, DNS, unique IP address, custom image, Microsoft Word document, PDFs, file folder for Windows was open, custom exe, cloned website, SQL server, QR codes, SVN, AWS keys. We could do a fast redirect or slow redirect for a URL. So let’s do a Word document. And you want to provide a email address. That way the information, when it comes back, you could actually see who triggered it and what information there is. You also want to put down a good description, because depending how many canary tokens you send out, you want to know which canary token was actually triggered.

So I’m putting down this is a Word document canary token demo for EC. So now I know if this gets triggered what it was. So once you do that, you could download the Word file. And it looks like just any other word file. We could change the name on there. We don’t need to leave it that weird character. Also we can put whatever we want in the Word document to make it look legitimate. So if we go back here, we could actually see - this is one I ran earlier. We could see the source IP address. We could see it used HTTP. We could see the date. On there we could see the canary token name.

We could see the source IP, Mozilla Firefox. And we can see more information on there. We can see Zoom was installed. We can see that dot net, Office was installed on the system. So pretty cool tool to use. So again, it was just a Word document. I could put anything in that Word document, make it look completely legitimate, rename it. As soon as they open it up, I’m going to get an email with this information. So there’s a lot of deployment methods for this. Again, we can do we could have done it as a photo. We could put on a website.

We could put a canary token on our servers, so when someone tries to grab the file or use it. We could have done a USB drop with a file on it. Again, a lot of different deployment methods to use. So some of my favourite deployment methods were to use a Word document that says password list on there or a PDF file that says HR internal document. I’ve used - for people trying to scam me or people I work with saying, hey, this is so-and-so, your boss, I need $200 worth of iTunes cards. I want you to buy them, scratch off the back, take a photo of the code, and send it to me.

Well, what I did was I found these iTunes cards online doing a Google image search. They had the back scratched off already. So I took the photo, turned it into a canary token and sent it back off to them. So when they look at it to grab the number on the back, well, I got the IP address and other information I was looking for for whoever was attacking.

And other methods we could do are if you set your email to HTML, you can embed an image file in there to help ensure that as soon as they open the email that it’s going to trigger that canary token, because if you just upload as image, they may or may not click on it. So that’s another method to help ensure that that canary token does get triggered. So wrapping up, canary tokens are very efficient or effective. Canary tokens are effective way to gain more information on a malicious attacker or use it as just a general honeypot. They’re simple to deploy. Canary tokens tend to require little to no set up and, you can even run it from a browser.

They’re pretty flexible. There’s a number of ways you could deploy a token, including your URL, photos, Word docs, et cetera. And it helps give you better insight. IP addresses, browser type, and other information can be obtained when a canary token gets triggered. So this was about canary tokens. The next video, we’re going to talk about Bitcoin tracking. Thank you for watching. I’ll see you in the next video.