If you’re a content creator, you may be targeted by scammers. I’m here to teach you how to defend yourself.
August 30, 2022
To all content creators out there…
If you’re a content creator, please read on. I want to teach you something that, if used correctly, might let you know if you’ve been scammed immediately when it happens. This method of identifying if you’ve been scammed is simple, free, and uses something that cybersecurity professionals the world over love and trust dearly.
But first, who is writing this post and why should I care? Hello! I’m Matt and I go by HuskyHacks. This is my note repo/blog. I’m a cybersecurity practitioner with about 10 years of experience in Information Technology and Cybersecurity. I am primarily an offensive security practitioner or red teamer, which means it is my job to emulate cyber criminals and train cyber defenders. I’ve practiced many different types of attacks to emulate how they are carried out by real cyber criminals and teach defenders how to counter them.
Today, I want to teach you a little trick that I’ve learned over the years that can help identify these attacks while they are in progress.
Background
This week, my friend and colleague John Hammond posted the following Twitter thread:
John, a celebrated security researcher, was targeted by a scam that sought to steal his credentials, passwords, crypto wallets, and many other things he may keep on his personal PC. Unfortunately for the cyber criminal, John is a wizard when it comes to identifying these kinds of targeted attacks and he was able to prevent it from happening. He made this Twitter thread as a result to show people how these scams tend to unfold and spread the word.
John’s work to inform his fellow content creators of these scams is admirable and we’re lucky he was able to identify it as a scam. Unfortunately, these scams are designed to short circuit your brain’s capacity for logic, so even people who are vigilant and otherwise informed of these kinds of scams can still fall for them!
I’d like to offer one additional thing that may help identify if you’ve fallen victim to this type of scam. It’s called a canary token and we of the cybersecurity community absolutely love them.
What is a Canary Token?
In the old days, miners would carry a live canary into the mine as an early warning mechanism. If the canary died while the miners were working, it meant that carbon monoxide levels were too high to sustain life. The phrase “canary in the coal mine” refers to this practice and is an idiom for an early indicator of trouble.
The canary token expands on this concept to offer an early warning mechanism for cyber threats. Here’s how it works:
Imagine that a cyber criminal has gained access to your PC and is downloading all of your personal files. Pictures, Word documents, emails, text files, videos, everything! And then back on their own cyber criminal server, they open these files and look for juicy information that could be used to extort you.
But what if one of these files was not actually one of your real files? What if it was a decoy that, when opened, beacons out to a website and says “HEY I’M A DECOY FILE AND I WAS JUST OPENED!” Then, that website catches that message and sends you an email that says “This file was just opened by this IP address!”
You would know, in real time, that a hacker has stolen and opened your files. This is the concept of the canary token.
Canary tokens are easy to set up, free, and extremely effective. I’m going to show you how to set one up.
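To make the concept concrete, here is a small added example of the server side of a canary token: the thing the decoy file beacons to. This is constructed illustration code, not Canarytokens.org's software or anything from Thinkst; the beacon URL layout (`/<token id>/pixel.gif`), the in-memory registry, and the `handle_beacon` and `format_alert` names are all assumptions made for the example. It records a hit only for token ids it knows about, so random scanning of the listener cannot generate false alerts, and it answers every request with a 1x1 GIF so the decoy renders normally.

```python
"""Minimal canary-token alerting service (constructed example, not Canarytokens.org code).

A decoy file, when opened, fetches a URL that carries a unique token id. This
service receives that request, looks the token up, and turns the hit into an
alert record that a real service would e-mail to the owner.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed in-memory registry: token id -> {email, memo, hits}. A real service persists this.
REGISTRY: dict[str, dict] = {}


@dataclass
class Hit:
    token_id: str
    memo: str
    owner_email: str
    remote_ip: str
    user_agent: str
    seen_at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


def register_token(owner_email: str, memo: str, token_id: str | None = None) -> str:
    """Create a token and return the id the decoy file will embed in its beacon URL."""
    token_id = token_id or secrets.token_hex(8)
    REGISTRY[token_id] = {"email": owner_email, "memo": memo, "hits": []}
    return token_id


def beacon_url(base: str, token_id: str) -> str:
    """URL the decoy embeds (assumed layout): the path carries the token id and looks like an image."""
    return f"{base.rstrip('/')}/{token_id}/pixel.gif"


def handle_beacon(path: str, remote_ip: str, user_agent: str) -> Hit | None:
    """Turn an incoming request into a Hit if its path names a registered token, else None.

    Unknown ids are ignored rather than alerted on, so probes of random URLs do not
    create noise for the owner.
    """
    parts = [p for p in urlparse(path).path.split("/") if p]
    if len(parts) != 2 or parts[1] != "pixel.gif":
        return None
    entry = REGISTRY.get(parts[0])
    if entry is None:
        return None
    hit = Hit(parts[0], entry["memo"], entry["email"], remote_ip, user_agent)
    entry["hits"].append(hit)
    return hit


def format_alert(hit: Hit) -> str:
    """Plain-text body of the notification the owner would receive."""
    return (
        "Canarytoken triggered\n"
        f"Memo: {hit.memo}\n"
        f"Time: {hit.seen_at}\n"
        f"Source IP: {hit.remote_ip}\n"
        f"User-Agent: {hit.user_agent}\n"
    )


class _BeaconHandler(BaseHTTPRequestHandler):
    """Serves a 1x1 GIF for every request and records hits for known tokens."""

    PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01\x00\x00\x00"
             b"\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

    def do_GET(self):
        hit = handle_beacon(self.path, self.client_address[0], self.headers.get("User-Agent", ""))
        if hit:
            print(format_alert(hit))  # a real service would e-mail this to hit.owner_email
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(self.PIXEL)))
        self.end_headers()
        self.wfile.write(self.PIXEL)

    def log_message(self, *args):  # keep the console to alerts only
        pass


if __name__ == "__main__":
    tid = register_token("you@example.com", "passwords.docx in Documents")
    print("embed this URL in the decoy:", beacon_url("http://127.0.0.1:8080", tid))
    HTTPServer(("127.0.0.1", 8080), _BeaconHandler).serve_forever()
```

Run it, then request the printed URL from a browser or `curl`; the alert appears on the console with the source address and User-Agent, which is exactly the information the real notification e-mail carries. Opening the decoy on a machine that has no Internet access produces no hit at all, which is the main blind spot of this approach: the alert only fires where the file is opened, not where it was stolen from.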
Generating a Canary Token
First, it helps to understand a little more about the malware that John Hammond ran into and what it might be looking for. The malware John was targeted by belongs to a family called the RedLine Credential Stealer. John covers what this means in his video/thread, but basically it is a one-shot malware program that, when executed, searches through your computer’s files, identifies any with juicy titles like “passwords”, “cryptowallet” and “credentials”, and blasts them off to a server that the criminal controls. It’s an extremely effective way to steal crypto wallets, passwords, documents, and other important files from your computer.
I did some research on the RedLine stealers a while back and identified what they usually look for. Check out the network traffic coming from one of them:
This means that the stealer was looking for files with .txt, .doc, key, wallet, and seed in the filename. Files with these names might mean that, for better or worse, the user is storing passwords, crypto wallets, or other sensitive information on their computer.
So, let’s use this fact against them!
Go to https://canarytokens.org/generate#
CanaryTokens.org is maintained by Thinkst Canary, a cybersecurity firm that focuses on active defense.
In the CanaryTokens menu, drop the Select your Token menu and examine the options. There are plenty to choose from, but let’s keep it simple today and make a Microsoft Word document:
Next, provide your email so you will get an alert when the canary token is triggered. Also, add a note about what this canary token is for:
When this looks good, create the Canarytoken! On the next screen, click to download it:
The canary token is now in your Downloads folder. Critically important: give it a name that looks like something a cyber criminal would care about! I’m going to call it “passwords.docx”:
Now, test your canary by opening it. It will look like there’s nothing inside:
But then, check the email you registered on the CanaryToken site:
The Word document contains special code that beacons out to the CanaryToken website and says “HEY THIS FILE WAS OPENED!” Then, CanaryToken sends you the notification email.
The email has more information about what triggered the alert:
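The “special code” in a beaconing Word document is not a macro. A .docx is a ZIP archive of XML parts, and parts point at each other through `*.rels` files; a relationship marked `TargetMode="External"` points outside the archive, for example at an image that the application fetches over HTTP when the file is rendered, and that fetch is the beacon. The added example below builds a tiny constructed .docx with one such external image link and then scans any .docx for external relationships, which is a handy way to confirm your decoy really carries a beacon URL or to see what an unknown document will reach out to. This is illustration code written for this post, not a Thinkst token or its generator; the exact part layout Canarytokens.org uses is not reproduced here, and the token URL is a placeholder.

```python
"""Build a constructed beaconing .docx and list its external references (added example).

Not a Canarytokens.org document. The beacon URL is a placeholder and the VML
linked-picture layout is one way a document can reference an external image;
the scanner itself works on any .docx.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Placeholder, not a real token URL.
BEACON_URL = "https://canary.example/TOKEN_ID_PLACEHOLDER/logo.png"

CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

ROOT_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
</Relationships>"""

# One visible paragraph plus a 1pt picture whose data lives at an external URL (rId2).
DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W_NS}" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <w:body>
    <w:p><w:r><w:t>Nothing to see here.</w:t></w:r></w:p>
    <w:p><w:r><w:pict><v:shape xmlns:v="urn:schemas-microsoft-com:vml" style="width:1pt;height:1pt"><v:imagedata r:id="rId2"/></v:shape></w:pict></w:r></w:p>
    <w:sectPr/>
  </w:body>
</w:document>"""

# The relationship that turns the picture into a network request.
DOCUMENT_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="{BEACON_URL}" TargetMode="External"/>
</Relationships>"""


def build_decoy_docx() -> bytes:
    """Assemble the constructed .docx in memory and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", ROOT_RELS)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/_rels/document.xml.rels", DOCUMENT_RELS)
    return buf.getvalue()


def external_targets(docx_bytes: bytes) -> list:
    """Return (rels part, short relationship type, target) for every external relationship.

    Every *.rels part is scanned, so links hidden in headers, footers or settings
    are reported too, not only those in the main body.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rtype, rel.get("Target", "")))
    return found


def visible_text(docx_bytes: bytes) -> str:
    """Concatenate the document's visible text runs (what the user sees on opening)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return "".join(t.text or "" for t in root.iter(f"{{{W_NS}}}t"))


if __name__ == "__main__":
    import sys
    # Scan a real file if one is given on the command line, else the constructed decoy.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_decoy_docx()
    print("visible text:", repr(visible_text(data)))
    for part, rtype, target in external_targets(data) or [("-", "none", "no external relationships")]:
        print(f"{part}: {rtype} -> {target}")
```

Point the script at the token you downloaded (`python scan.py passwords.docx`) and you should see at least one external relationship whose target is on the Canarytokens domain; the visible text will be empty or trivial, matching the blank page you saw when you opened it. The same scan run over an unexpected attachment tells you, before opening it, whether it will phone home.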
That’s all you need to do! Put this file somewhere among your real files and leave it there. If the day ever comes when you find yourself the victim of a cyber attack, this simple little file could inform you immediately. And the sooner you know, the sooner you can change your passwords, cancel credit cards, and protect yourself.
Conclusion
I wanted to get this note out quickly to add to John’s excellent work of informing the community. I hope you’ve now learned a little about how these attacks are conducted and what you can do to identify, in real time, if you’ve fallen victim to one.
Until next time, keep your head on a swivel!
-Husky