- To create a link that is designed to lure an attacker into clicking it
- To receive an email any time the link is clicked
- To further disguise the link using Route53 (making it look as realistic and enticing as possible)
CanaryTokens.org is a third party website. The idea behind the website is to help you know when an attacker has gained access to your systems by sending you an email alert. The email alert is triggered by an attacker visiting a link that you've purposefully planted for this very purpose.
Over at CanaryTokens.org they provide a number of really smart ways to trigger the email alert; this article focuses on using an HTTP link. You can also buy stuff from them, so if you're looking for more, see Canary.Tools.
An Example Scenario
Imagine that you're an attacker and you've hacked into my web mail. You're now looking for passwords or other high value information. If you see an email titled "Customer Passwords" containing a link, you'll most likely think:
- What a dumb-ass for not securely storing passwords and
What you (as the attacker) don't realise, is that I used CanaryTokens.org to create that link, and that by visiting it, you'll trigger an alert to be sent to one of my other email addresses. I'll now know that there's a problem and take swift action.
Using CanaryTokens.org to Create the Link
Step 1 - Go to the website and generate a token
- Browse to CanaryTokens.org
- Enter an email address for notifications of when the link is clicked
- Provide a reminder note to include in any notification emails (so you know which link was clicked)
- Click the Generate Token button
Step 2 - Copy your CanaryToken
- Open the Web Bugs section (by clicking the words Web Bugs)
- Copy the unique URL
Step 3 - Place the link somewhere designed to be irresistible to an attacker
- Place the link anywhere an attacker might look
- Generate new links for each place you want to put links
- For this example, I'm using an email to myself
You've created a link and, if anyone visits it, you'll be emailed. Now if you ever receive an email saying the link has been visited, you know you've been compromised!
Ok... Life Is Good... Why Do I Need Route53?
So, life is good, but we can make it even better... the problem is, the link doesn't look that convincing.
Over at CanaryTokens.org they explain that you can customise the link. As long as the link still contains the string of gibberish (the token itself), it'll still work. This means we can make it look more realistic by changing the URL to include govt-customers/server-passwords.html.
Ok, we've done better, but we're still hoping our attacker is pretty dumb and will click a link that includes "Canary Tokens".
This is where Route53 comes into it. Instead of the link pointing to CanaryTokens.com, using Route53 you can point it to one of your own domains. This is done by creating a CNAME record on an existing domain that you control. By pointing the CNAME to CanaryTokens.com you can construct a link that uses your domain instead of CanaryTokens.com. This example creates private.awsGunForHire.com and points it to CanaryTokens.com.
Step 1 - In the Route53 Management Console, go to the record sets for your domain
- Select Hosted Zones
- Select the domain to use in the link
Step 2 - Create a new record set
- Click the Create Record Set button at the top
- In the Name field on the right, enter the name you'd like to use. I've gone with private.
- Change the Type drop down to CNAME
- In the Value field enter canarytokens.com.
- Click the Create button
Step 3 - Alter your CanaryTokens link
Change your CanaryTokens link to use your domain. The example above created private.awsGunForHire.com. I can now use this for any Canary Token link. So my email to myself now looks like:
Mission accomplished! We now have a link that looks pretty genuine, and should fool all but the most canny of attackers.
When the link is visited, the DNS record for private.awsGunForHire.com will resolve to CanaryTokens.com. Because the server for CanaryTokens.com answers any web request coming to its IP address, it'll respond just as if the link had contained CanaryTokens.com.
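The two halves of the procedure above, the Route53 CNAME record and the rewritten link that keeps the token intact, as an added Python example (not code from the article or from CanaryTokens.org). The sample token URL is constructed, the token's shape (a long run of lowercase letters and digits) and the `folder/token/filename` path layout are assumptions, and `apply_change` needs boto3, AWS credentials and your hosted zone id.

```python
"""Build a disguised CanaryTokens web-bug link plus the Route53 CNAME that backs it."""
import re
from urllib.parse import urlsplit

CANARY_TARGET = "canarytokens.com."      # CNAME value from the article (trailing dot = FQDN)
TOKEN_RE = re.compile(r"[0-9a-z]{20,}")   # assumed shape of the token's "string of gibberish"


def extract_token(canary_url: str) -> str:
    """Pull the token segment out of the URL that CanaryTokens.org handed you."""
    match = TOKEN_RE.search(urlsplit(canary_url).path)
    if not match:
        raise ValueError("no token-looking path segment in %r" % canary_url)
    return match.group(0)


def disguise_link(canary_url: str, host: str, folder: str, filename: str) -> str:
    """Rewrite the link onto your own host; the token must survive or the alert never fires.
    Plain http, as in the article: the CNAME gives you no TLS certificate for your hostname."""
    token = extract_token(canary_url)
    link = "http://%s/%s/%s/%s" % (host, folder.strip("/"), token, filename)
    if token not in link:          # belt and braces: the whole trick depends on this
        raise RuntimeError("token lost while rewriting the link")
    return link


def route53_cname_change(record_name: str, target: str = CANARY_TARGET, ttl: int = 300) -> dict:
    """Change batch in the shape boto3 / `aws route53 change-resource-record-sets` expect."""
    if not record_name.endswith("."):
        record_name += "."         # Route53 stores names as FQDNs
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": record_name.lower(), "Type": "CNAME", "TTL": ttl,
        "ResourceRecords": [{"Value": target}]}}]}


def apply_change(hosted_zone_id: str, change_batch: dict) -> str:
    """Submit the batch to Route53 (needs network and credentials; not exercised offline)."""
    import boto3  # imported lazily so the rest of the module runs without it
    resp = boto3.client("route53").change_resource_record_sets(
        HostedZoneId=hosted_zone_id, ChangeBatch=change_batch)
    return resp["ChangeInfo"]["Status"]


if __name__ == "__main__":
    original = "http://canarytokens.com/articles/gx7d3k2p9mq5v1w8rz0b4ncl6/index.html"  # constructed
    print(disguise_link(original, "private.awsgunforhire.com", "govt-customers", "server-passwords.html"))
    print(route53_cname_change("private.awsgunforhire.com"))
```

Once the record is live, `dig +short private.awsgunforhire.com CNAME` should answer `canarytokens.com.` before you trust the link.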