WEBVTT

00:01.000 --> 00:03.520
In this video, we're taking a look at Canary tokens.

00:04.080 --> 00:12.360
Now, Canary tokens are a pretty useful thing to use for figuring out where someone is and kind of the

devices they're using.

00:14.240 --> 00:18.000
I use these a lot when I do investigations, especially on scammers.

00:18.920 --> 00:20.280
So let's take a look.

00:21.160 --> 00:26.760
This one is canarytokens.org/generate, where we can generate these canary tokens.

00:26.760 --> 00:32.200
And essentially what happens is, when these tokens are triggered, it'll send us an email alert.

00:32.280 --> 00:35.400
So if I go here, I can select a token.

00:35.800 --> 00:44.400
We can see all sorts of tokens here: web bug, DNS, AWS keys, Azure login certificates, sensitive command

tokens, Word docs, Excel, Kubernetes, VPN, WireGuard, QR codes, custom web bugs, PDFs, etc., etc.

00:55.880 --> 01:04.850
So, for certain scammers, I've used things like Word docs or Excel files or PDF files.

01:04.850 --> 01:06.890
I labeled it payroll, for example.

01:07.690 --> 01:09.890
So when they clicked on it, it would trigger.

01:10.370 --> 01:15.170
And then I would get the IP address in that.

01:15.970 --> 01:25.370
So on the defensive side, this could be used for things like figuring out... I use these typically for

scams, like hookup scams and that.

01:27.450 --> 01:29.650
So someone says, hey, send me money.

01:30.050 --> 01:34.210
Okay, so what I'll do is I will typically get their email address.

01:34.210 --> 01:36.370
We'll do, say, a custom web bug.

01:37.010 --> 01:41.170
And then for the email address, you put the email address that you want it to go to.

01:41.330 --> 01:43.450
Now, reminder: I always use a reminder.

01:43.490 --> 01:47.810
Things like, this is for a hookup scam.

01:49.130 --> 01:54.210
I'll put a question mark because it can 100% identify whether it is or not.

01:56.050 --> 01:59.330
And I'll put down...

02:02.750 --> 02:07.510
I'll typically put the username that they're using and I'll put the email address down.

02:12.070 --> 02:17.350
And what the scam typically entails: they want $50 from a Visa.

02:18.750 --> 02:22.390
And then you can put whatever image you want in here.

02:22.390 --> 02:24.710
So I could put like a Where's Waldo.

02:25.590 --> 02:31.430
In this case it's really not going to matter; when they trigger the link, it'll send the address.

02:31.470 --> 02:33.830
And then we do create canary token.

02:34.350 --> 02:40.390
And then if they go to this link here, it'll trigger it and they'll get the information, or we'll

get the information rather.

02:41.950 --> 02:43.590
Now I'll show you what that looks like in a minute.

02:43.630 --> 02:49.550
Now if you send someone this link, it'll usually kind of trigger and go, what the...

02:49.550 --> 02:50.630
What the heck is this?

02:51.470 --> 02:53.950
So I'll usually use a URL shortener.

02:53.990 --> 02:57.270
Like, if I take this, I can go in here.

03:01.590 --> 03:05.080
And then it gives me the short URL and they have no idea what it is.

03:06.640 --> 03:11.160
So I'll typically put in an email like this.

03:11.200 --> 03:16.160
Like, we'll have an image that doesn't quite load and go, hey, here's the Steam code that you wanted.

03:16.400 --> 03:18.840
Use this link and it links to the canary token.

03:18.840 --> 03:22.360
So when it does trigger, it actually looks like...

03:22.800 --> 03:24.960
Let's see if I can switch the image here.

03:25.000 --> 03:26.000
That's not working.

03:27.120 --> 03:28.560
It'll look like this here.

03:28.960 --> 03:34.240
So we have the token reminder; I have the email addresses that they put down here.

03:34.600 --> 03:37.400
I put the location that they said they were in.

03:37.440 --> 03:43.440
They said they were in San Francisco, and this was a financial scam for this person.

03:43.880 --> 03:44.720
Now, they triggered it.

03:44.760 --> 03:46.720
It gave me the IP addresses here.

03:47.640 --> 03:51.040
And then I can see that they're on Android 11.

03:51.040 --> 03:52.640
I can see the type of device they have.

03:52.640 --> 03:55.440
I can see that they use Chrome when they triggered it.

03:55.440 --> 03:57.800
And I could see the version of Chrome.

03:58.320 --> 04:04.460
Now of course I'll take the IP address, I'll feed it in, see if it's a VPN or proxy.

04:04.460 --> 04:08.820
If it's not, then I'll run it to get the actual location.

04:09.980 --> 04:15.820
And if the location doesn't match up where the token got triggered, then that's a huge red flag.

04:16.180 --> 04:19.020
And typically these will actually be Nigeria.

04:19.020 --> 04:25.740
This one, if I remember right, I think it was Nova Scotia, which is interesting.

04:25.740 --> 04:27.140
That was the first time for that.

04:27.420 --> 04:33.340
But this is the type of thing that, on the defensive side, again, you could use to kind of verify

someone's location.

04:34.620 --> 04:40.540
Now, on the flip side, you need to be careful when people send you weird links.

04:40.820 --> 04:48.940
Always be careful about links or Word docs, PDF docs and whatnot that they send.

04:49.220 --> 04:52.020
It could either be a canary token or it could be something malicious.

04:52.020 --> 04:58.300
So you do want to feed it into things like VirusTotal, Hybrid Analysis and whatnot and check

those files before you actually run them.

05:01.740 --> 05:03.660
So this is about Canary tokens.

05:03.660 --> 05:04.940
Thank you so much for watching.

05:04.980 --> 05:05.980
I'll see you next video.
