Cloned Website/CSS Canarytokens are ideal candidates for login pages. Use these Canarytokens to detect website cloning, i.e. an attacker serving up a fake instance of your identity provider (e.g. Okta) to harvest credentials.
Step 1:
Log into your Okta admin panel.
1 - Select Brands from the left panel under Customizations.
2 - Select + Create brand.
Note: This is an Okta customisation feature, which we'll use to embed our Canarytoken.
Step 2:
Add a custom domain to your Brand.
The code editor for your Okta Sign-in page (which we'll use to embed our CSS) is only available once a custom domain is configured. Follow the "Add domain" wizard and specify your domain.
Note: We're using "login.inyoni-corp.com" in our example. Your domain should follow the same format: your-subdomain.your-real-domain.com. DNS changes are required as part of this process, meaning that you will not be able to use a subdomain on Okta's primary domain (e.g. your-subdomain.okta.com).
You can verify that your custom domain is configured correctly by looking for the "Active" status on your domain.
Step 3:
Log in to your Console.
Step 4:
Select the Canarytokens tile.
Step 5:
Select the "Cloned CSS" token from the list.
Step 6:
1 - Enter the website domain under Cloned Site. This is the domain of the website you'd like to protect.
2 - Click Create token.
Note: we used "login.inyoni-corp.com" as the domain.
Step 7:
Copy the content of the token.
Step 8:
1 - Open the Code editor.
2 - Click Edit on the right side.
3 - Paste the Canarytoken value inside a hidden "div" element as seen below.
Alert:
An alert is triggered when the cloned website is loaded.
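To make the alert condition concrete, here is an added, illustrative model of the decision a cloned-site CSS token relies on. It is not Canarytokens' own code: it assumes the embedded CSS makes the browser fetch a resource from the token server, and that the server compares the Referer header of that fetch against the domain entered under "Cloned Site" (login.inyoni-corp.com in our example). The sample requests are constructed.

```python
"""Illustrative model of how a cloned-site CSS Canarytoken decides to alert.

Constructed example, not Canarytokens' own code. Assumption: the token's CSS
makes the browser fetch a resource from the token server, which compares the
Referer header of that request against the domain the token protects.
"""
from typing import Optional
from urllib.parse import urlsplit

PROTECTED_DOMAIN = "login.inyoni-corp.com"   # domain entered under "Cloned Site"


def referer_host(headers: dict) -> Optional[str]:
    """Return the lowercase hostname from the Referer header, or None if absent/unparseable."""
    ref = headers.get("Referer")
    if not ref:
        return None
    host = urlsplit(ref).hostname  # drops scheme, port, path and query; already lowercased
    return host if host else None


def classify_request(headers: dict, protected: str = PROTECTED_DOMAIN) -> str:
    """'ok'      - the CSS was loaded by a page served from the protected domain
       'alert'   - loaded from some other host, i.e. a cloned copy of the page
       'unknown' - no usable Referer (e.g. a strict Referrer-Policy), so no decision"""
    host = referer_host(headers)
    if host is None:
        return "unknown"
    # Exact match only: 'login.inyoni-corp.com.evil.example' and
    # 'evil.login.inyoni-corp.com' are both somebody else's host.
    return "ok" if host == protected.lower() else "alert"


# Constructed sample requests as the token server would see them.
SAMPLE_REQUESTS = [
    {"Referer": "https://login.inyoni-corp.com/"},                  # genuine Okta page
    {"Referer": "https://LOGIN.inyoni-corp.com:443/signin?x=1"},    # same host, odd casing/port
    {"Referer": "https://login.inyoni-corp.com.evil.example/"},     # lookalike clone
    {"Referer": "http://203.0.113.10/okta/"},                        # clone served from an IP
    {},                                                              # Referer stripped
]


def run_samples(requests=SAMPLE_REQUESTS) -> list:
    """Classify every sample request; returns one verdict per request."""
    return [classify_request(r) for r in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{verdict:8} {req.get('Referer', '<no referer>')}")
```

The "unknown" case is the practical caveat: a clone that strips the Referer (or a browser with a strict referrer policy) produces a fetch the server cannot attribute, so the token detects cloning only when the cloned page lets the browser send its origin.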