Canary tokens are customizable tracking links that are useful for learning who clicks on a link and where it is shared. Thanks to the way many apps fetch a URL preview for links shared in private chats, canary tokens can even phone home when someone checks a private chat without clicking the link. Canary tokens come in several useful types and can also be used through URL shorteners.
What is a Canary Token?
A canary token is a unique link designed to detect when someone clicks on it, shares it, or interacts with it in some way. You can think of it as a tripwire left by defenders to let them know when someone is poking around somewhere they should not be on your network. Disguised as information intruders would be interested in accessing, the tokens are left on your network so that intruders trip alerts when they start doing things they should not.
Honeypots, honeytokens, and other kinds of bait for attackers are not a new idea. Honeytokens use fake login credentials stored in an insecure file on the network, enticing attackers to try to use them. A blue team watching for these fake credentials can then detect when someone tries to log in to a service on the network using them, alerting the team that an attacker has gained access.
A honeypot is a more comprehensive way of catching attackers: it creates fake systems to attack in order to learn as much as possible about the attacker. Honeypots try to get an attacker to use whatever malware or tactics they rely on to exploit a system, in a fake environment that poses no risk. By letting hackers do their worst against a fake network, defenders can learn more about who is behind an attack and what tools they use.
Canary tokens are designed to be simple enough for anyone to use. Depending on how you distribute them, they can detect when someone clicks on a link, opens an email, shares a file, or otherwise interacts with the tracking link.
Skype & Slack User Tracking with Canary Tokens
A unique feature of canary tokens is that your target does not have to click on the link to trigger the token. In an incident reported by Bellingcat, a penetration tester discovered that his phishing server had been detected after seeing a Skype server connect to it. He learned that when a link is shared in some private messengers, a link preview is generated to display a thumbnail of the web page. This means that a Skype server actually connects to the canary token URL, which gives us a hit on the token.
In testing, I found that Slack actually triggers an alert whenever a member of the chat connects to the channel the canary token is shared in. This means that if you share a link in a group chat with many different members, you can monitor when someone new joins the chat, even if no one clicks on the link. Although this is quite exciting, the link generated for canary tokens still looks a little suspicious.
While Slack and Skype were some of the worst offenders, this trick also works in several other instant messengers.
To get around the fact that canary tokens clearly link back to a site full of information about what they are, it is best to disguise the link as much as possible. One way of hiding URLs that is popular with hackers is to use URL shorteners such as Goo.gl (which shuts down on March 30, 2019) or Bit.ly. These services create a redirect from a shortened URL to a much longer one, allowing users to share long URLs more easily.
We can abuse these by using a URL shortener to create a less suspicious-looking link to include in a Slack or Skype chat. If you own your own web domain, you can also have a path on your domain point to the canary token URL, but for anyone who just wants to try this, Bit.ly works well. During testing, I was able to show that canary tokens hiding behind shortened URLs work almost exactly the same as posting the raw link.
Canary tokens can be used from any platform with a web browser, including Windows, macOS, and Linux. You need a web browser that can navigate to the Canary Tokens website to create a link, and then a device you want to track.
If you want to test the ability to monitor when your canary token is shared in a messenger that is vulnerable to generating URL previews, you can connect to another device via Slack, Skype, WhatsApp, Facebook Messenger, Wire, or Apple iMessage.
Finally, you need an email address to receive canary token alerts. If you don't want to provide one, you can still use the web interface, but don't lose the link or you won't be able to access the results.
Step 1: Creating a Canary Token
On the Canary token site, you can create a Canary Token by clicking on "Select your token" and choosing the type you want to create.
The simplest type of link to generate is a "Webbug / URL token," which triggers an alert when someone clicks on the link or shares it. This is designed to work as a website link, but there are several other options to choose from.
A "DNS token" triggers an alert whenever the web address is requested, regardless of whether the web page is actually loaded. A "Custom Image Web bug" acts as an image that can be loaded as part of a web page or email. By adding a web bug to a public website or email, you can tell when someone opens the email or web page by looking at when the image is requested.
The other available canary tokens are files that report back when opened or browsed, in the form of Word documents, PDF files, or a Windows folder. For our first demonstration, click "Webbug / URL token."
Then enter the email address at which you want to receive the alerts. You can also skip this and just configure the token through the web interface, but if you lose the link, you will have a very difficult time interacting with the canary tokens you create.
While this hides the type of browser I use, the canary token can still see my IP address and roughly where I am. To take things to the next level, we can try to hide from the canary token using a VPN. In this example, I used a VPN and a Chrome extension to hide the system I use and my location more effectively. The canary token believes that I am a Yahoo web spider from Hälsingborg, Sweden.
While other information may still be leaked, tools are available to hide from being properly identified by a canary token.
Step 4: Use URL Shorteners
Another way to use a canary token is to shorten it with a URL shortener. You can use services like Bit.ly or Goo.gl to hide the real URL, which in most cases does not change how the link behaves when shared in an online chat. To do this, you can go to Google URL Shortener or Bitly to shorten the link. As previously mentioned, Google will close its URL shortening service on March 30, 2019.
After adding your canary token link to Bit.ly, you can use the shortened link the same way you would use the original. Often, this shortened link will attract less suspicion than the super-long canary token URL.
An interesting feature of canary tokens is that they can alert you when someone checks a private chat. Every time someone logs in to a service like Slack, a preview is generated. This means that if you drop a canary token into a Slack channel, you can get real-time updates when someone opens the chat, even if they do not click on the link.
This behavior also often works through URL shorteners, so you can release links that automatically report on someone looking at them without looking suspicious.
In the canary token management portal, you should see Slack or Skype hits trying to preview the URL if you posted it raw, or to expand the link if you posted a shortened version.
You may find that this behavior works over Slack, Skype, WhatsApp, Facebook Messenger, Wire, or iMessage. While you get much more information about a target if they click on the link, you can also gain insight into when a link placed in a sensitive chat has been seen or discussed.
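A way to read those portal hits, as an added example that is not part of the original guide: it separates link-preview fetches from direct visits by User-Agent. The marker strings, the hit record layout and the sample hits are assumptions constructed for illustration, and a User-Agent is client-supplied, so a crawler label is only a claim.

```python
from collections import defaultdict

# Substrings these services' preview fetchers put in their User-Agent (assumed values).
PREVIEWERS = {
    "Slackbot-LinkExpanding": "Slack",
    "SkypeUriPreview": "Skype",
    "WhatsApp/": "WhatsApp",
    "facebookexternalhit": "Facebook",
}
# Self-declared search crawlers; trivially spoofed, so never treated as proof.
CRAWLERS = ("Yahoo! Slurp", "Googlebot", "bingbot")

def classify(user_agent):
    """Return (kind, source) for one hit's User-Agent string."""
    for marker, service in PREVIEWERS.items():
        if marker in user_agent:
            return "preview", service      # link was rendered in a chat, nobody clicked
    for marker in CRAWLERS:
        if marker in user_agent:
            return "claimed-crawler", marker
    return "direct", None                  # a browser or tool fetched the link itself

def triage(hits):
    """Group hits by kind; each hit is a dict with time, ip and ua keys."""
    report = defaultdict(list)
    for hit in hits:
        kind, source = classify(hit["ua"])
        report[kind].append((hit["time"], hit["ip"], source))
    return dict(report)

# Constructed sample hits (documentation IP ranges), not real token output.
SAMPLE_HITS = [
    {"time": "2019-01-10T09:00:02Z", "ip": "192.0.2.10",
     "ua": "Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)"},
    {"time": "2019-01-10T09:14:40Z", "ip": "198.51.100.7",
     "ua": "Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5"},
    {"time": "2019-01-10T09:20:11Z", "ip": "203.0.113.5",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/71.0 Safari/537.36"},
    {"time": "2019-01-10T09:31:55Z", "ip": "203.0.113.99",
     "ua": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"},
]

if __name__ == "__main__":
    for kind, rows in triage(SAMPLE_HITS).items():
        print(kind, rows)
```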
While we have investigated the Webbug canary token, there are a number of other useful tokens we can try. To see how they work, let's try the PDF file token.
Navigate to the Canary Tokens website and create an "Adobe Reader PDF document" token. Fill in your email address and a note to remind you what the token is for, then download the PDF.
There are several good recommendations on how to use this token included on the site, but in this case we will look at how the canary token can bypass a user's choice in order to call home.
On a macOS system, a warning appears when you open the PDF file in Adobe. To play the part of the target, I clicked "Block" to prevent the canary token from learning that I had opened the PDF file.
Unfortunately, it does not matter that I told Adobe to "Block" the site, because it has already connected! Adobe went ahead and pinged the canary token server before it even showed us the alert, meaning it didn't really matter that we clicked "Block." The token's owner can still see that I have opened the document, despite my efforts to prevent it.
There are a number of creative ways to use these tokens to detect user actions; this is just the beginning!
If you want to be creative with canary tokens, there is no limit to how you can embed them to detect suspicious behavior. One popular suggestion is to have a startup script request the URL when a user logs in, notifying you every time a computer is started, along with the IP address of the network to which it is connected.
While it is possible to hide from these tracking techniques, it can be difficult. This makes canary tokens a flexible and easy-to-deploy link-tracking solution. If this type of tracking bothers you, you should know that advertisers and other online businesses routinely use these and even more sophisticated tracking techniques.
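Because the connection happens before the prompt can stop it, the place to look is the file itself, before it is opened in a reader. The following added example (not from the original guide) lists the addresses a PDF can call; it assumes the address is stored as a /URI action, either in plain sight or inside a Flate-compressed stream, and the sample file and its URLs are constructed.

```python
import re
import zlib

# Capture everything between "stream" and "endstream", trailing line break included.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
# Literal-string /URI targets only; hex strings and escaped parentheses are out of scope.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

def inflate_streams(pdf_bytes):
    """Yield the decompressed body of every stream that zlib can inflate."""
    for match in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj ignores the line break left after the compressed data
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate data (image, font, another filter)

def find_uris(pdf_bytes):
    """Return every /URI target found in the raw file and in inflated streams."""
    found = []
    for blob in [pdf_bytes, *inflate_streams(pdf_bytes)]:
        for m in URI_RE.finditer(blob):
            uri = m.group(1).decode("latin-1")
            if uri not in found:
                found.append(uri)
    return found

def build_sample():
    """Constructed test file: one visible /URI and one hidden in a Flate stream."""
    hidden = zlib.compress(b"<< /S /URI /URI (http://token.example.invalid/abc) >>")
    return (b"%PDF-1.4\n1 0 obj\n<< /S /URI /URI (https://example.com/help) >>\nendobj\n"
            b"2 0 obj\n<< /Filter /FlateDecode /Length " + str(len(hidden)).encode() +
            b" >>\nstream\n" + hidden + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for uri in find_uris(build_sample()):
        print(uri)
```

An address that only appears after inflating a stream is the one a plain text search of the file would miss.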
I hope you enjoyed this guide to creating and using tracking links! If you have any questions about this guide to canary tokens, or if you have a comment, please ask below or contact me on Twitter @KodyKinzie.