If you’re a content creator, you may be targeted by scammers. I’m here to teach you how to defend yourself.
@August 30, 2022
To all content creators out there…
If you’re a content creator, please read on. I want to teach you something that, if used correctly, might let you know if you’ve been scammed immediately when it happens. This method of identifying if you’ve been scammed is simple, free, and uses something that cybersecurity professionals the world over love and trust dearly.
But first, who is writing this post and why should I care? Hello! I’m Matt and I go by HuskyHacks. This is my note repo/blog. I’m a cybersecurity practitioner with about 10 years of experience in Information Technology and Cybersecurity. I am primarily an offensive security practitioner or red teamer, which means it is my job to emulate cyber criminals and train cyber defenders. I’ve practiced many different types of attacks to emulate how they are carried out by real cyber criminals and teach defenders how to counter them.
Today, I want to teach you a little trick that I’ve learned over the years that can help identify these attacks while they are in progress.
This week, friend and colleague of mine John Hammond posted the following Twitter thread:
John, a celebrated security researcher, was targeted by a scam that sought to steal his credentials, passwords, crypto wallets, and many other things he may keep on his personal PC. Unfortunately for the cyber criminal, John is a wizard when it comes to identifying these kinds of targeted attacks and he was able to prevent it from happening. He made this Twitter thread as a result to show people how these scams tend to unfold and spread the word.
John’s work to inform his fellow content creators of these scams is admirable and we’re lucky he was able to identify it as a scam. Unfortunately, these scams are designed to short circuit your brain’s capacity for logic, so even people who are vigilant and otherwise informed of these kinds of scams can still fall for them!
I’d like to offer one additional thing that may help identify if you’ve fallen victim to this type of scam. It’s called a canary token and we of the cybersecurity community absolutely love them.
What is a Canary Token?
In the old days, miners would carry a live canary bird into the mine as an early warning mechanism. If the canary died while the miners were working in the mines, they could identify if carbon monoxide levels were too high to sustain life. The term “canary in the coal mine” refers to this, which is a euphemism that refers to an early indicator of trouble.
The canary token expands on this concept to offer an early warning mechanism for cyber threats. Here’s how it works:
Imagine that a cyber criminal has gained access to your PC and is downloading all of your personal files. Pictures, Word documents, emails, text files, videos, everything! And then back on their own cyber criminal server, they open these files and look for juicy information that could be used to extort you.
But what if one of these files was not actually one of your real files? What if it was a decoy that, when opened, beacons out to a website and says “HEY I’M A DECOY FILE AND I WAS JUST OPENED!” Then, that website catches that message and sends you an email that says “This file was just opened by this IP address!”
You would know, in real time, that a hacker has stolen and opened your files. This is the concept of the canary token.
Canary tokens are easy to set up, free, and extremely effective. I’m going to show you how to set one up.
Generating a Canary Token
First, it helps to understand a little more about that malware that John Hammond ran into and what it might be looking for. The malware John was targeted by is a family of malware called the RedLine Credential Stealer. John covers what this means in his video/thread, but basically it is a one-shot malware program that, when executed, searches through your computer’s files, identifies any with juicy titles like “passwords” and “cryptowallet” and “credentials”, and blasts them off to a server that the criminal controls. It’s an extremely effective way to steal crypto wallets, passwords, documents, and other important files from your computer.
I did some research on the RedLine stealers a while back and identified what they usually look for. Check out the network traffic coming from one of them:
This means that the stealer was looking for files with
seed in the filename . Files with these names might mean that, for better or worse, the user is storing passwords, crypto wallets, or other sensitive information on their computer.
So, let’s use this fact against them!
Know. Before it matters
Copy this credential pair to your clipboard to use as desired: This canarytoken is triggered when someone uses this credential pair to access AWS programmatically (through the API). The key is unique. i.e. There is no chance of somebody guessing these credentials. If this token fires, it is a clear indication that this set of keys has "leaked".
CanaryTokens.org is maintained by Thinkst Canary, a cybersecurity firm that focuses on active defense.
In the CanaryTokens menu, drop the Select your Token menu and examine the options. There are plenty to choose from, but let’s keep it simple today and make a Microsoft Word document:
Next, provide your email so you will get an alert when the canary token is triggered. Also, add a note about what this canary token is for:
When this looks good, create the Canarytoken! On the next screen, click to download it:
The canary token is now in your Downloads folder. Critically important: make sure to name this something that would look like something a cyber criminal would care about! I’m going to call it “passwords.docx”:
Now, test your canary by opening it. If you open it, it will look like there’s nothing inside:
But then, check the email you registered on the CanaryToken site:
The Word document contains special code that beacons out to the CanaryToken website and says “HEY THIS FILE WAS OPENED!” Then, CanaryToken sends you the notification email.
The email has more information about what triggered the alert:
That’s all you need to do! Make sure you put this file somewhere in your files and keep it safe. If the day ever comes that you find yourself to be a victim of a cyber attack, this simple little file could inform you immediately. And the sooner you know, the sooner you can change your passwords, cancel credit cards, and protect yourself.
I wanted to get this note out quickly to add to John’s excellent work of informing the community. I hope you’ve now learned a little about how these attacks are conducted and what you can do to identify, in real time, if you’ve fallen victim to one.
Until next time, keep your head on a swivel!
— — — — — — > Back to
🌐 Where You Can Find Me
TryHackMe | Weasel
I think the data science team has been a bit fast and loose with their project resources.
The Taggart Institute: Master Your Craft
Great hackers are good people. Many courses on red teaming will teach you the technical process of how to exploit targets. But seldom do courses cover what it means to carry out the role of a red teamer responsibly.
TryHackMe | Takedown
We have reason to believe a corporate webserver has been compromised by RISOTTO GROUP. Cyber interdiction is authorized for this operation. Find their teamserver and take it down.
Practical Malware Analysis & Triage
Arm yourself with knowledge and bring the fight to the bad guys! Practical Malware Analysis & Triage (PMAT) brings the state of the art of malware analysis to you in engaging instructional videos and custom made, practical labs. Welcome to Practical Malware Analysis & Triage.
GitHub - HuskyHacks/PMAT-labs: Labs for Practical Malware Analysis & Triage
Welcome to the labs for Practical Malware Analysis & Triage. Read this carefully before proceeding. This repository contains live malware samples for use in the Practical Malware Analysis & Triage course (PMAT). These samples are either written to emulate common malware characteristics or are live, real world, "caught in the wild" samples.
📝Recent Blog Posts
TryHackMe: Takedown Walkthrough
This is the official walkthrough for this room. I did not cover every single detail available but do cover enough to get from start to finish. Obviously, major spoilers are ahead from here on out.
Malware Analysis Labs: Internal Network vs Host-Only
"If Host-Only mode allows a VM to route to the physical host in some circumstances, can it really be considered safe for malware analysis?" I applaud my students for approaching me about this because it means they are thinking critically about safety during malware analysis.
How To HACK Your EX'S SOCIAL MEDIA ACCOUNTS (REAL GUIDE)
What better way to get revenge than to your ? That's where I, 0xTastyyboi, come in. I'm going to show you all that you need to know to EX'S SOCIAL MEDIA ACCOUNTS your . EX'S SOCIAL MEDIA ACCOUNTS ... Kali doesn't have notepad.exe ? What the hell is...
Red Team Infrastructure Done Right
You may be familiar with Tim MalcomVetter's blog post on Safe Red Team Infrastructure , where he lays out the high level overview of how to make a safe red team operational network. That post changed my life, but it did lack the technical details on how to do this process in a practical sense.
We Put A C2 In Your Notetaking App: OffensiveNotion
Notion is a popular notetaking application. It has lots of great features that make notetaking a snap. Some of the features we love the most include the capability to share notebooks across teams, push notes to cloud storage, build custom templates, and, in general, deck out your pages so they feel like they have lots of personality!
DLL Hijacking & DLL Proxying An SNES Emulator
Time: 30 mins Difficulty: Beginner Skills: Custom Exploit Development, DLL Hijacking 30 minute exploit dev post. Let's get it. I fell down another security research rabbit hole and when I snapped out of it, I found myself.... ...playing Chrono Trigger? Wait, what? That program in the picture is an SNES Emulator and, if you're like...