Overview:
Step 1: Sign in to your Console
Step 2: Select the Canarytokens tile
Step 3: Select the Cloned Website token
Step 4: Specify the protected domain
Step 5: Copy the JavaScript into your website
The Cloned Website token is placed within the JavaScript of your website and notifies you if someone clones your site and hosts it on another domain. (This is often used for targeted Phishing attacks.)
Note: If your site is actually used for phishing attacks, you will be notified for every user who loads the “malicious page" - This is great news, since it will often help with targeted Incident Response.
Follow the steps below to create a Cloned Website Canarytoken:
Step 1: Sign in to your Console
You can log in to your Console.
Step 2: Select the Canarytokens tile
From the Console home screen, click the Canarytokens tile to go to the Canarytokens list and creation modal.
Step 3: Select the Cloned Website token
From the available token types, select Cloned Website to open the token creation form.
Step 4: Specify the protected domain
In the Cloned Web field, enter the legitimate domain that will host the token (for example, inyoni-corp.com
). The token will only consider that domain “legitimate”; loads from any other domain will trigger alerts.
Step 5: Copy the JavaScript into your website
Copy the JavaScript snippet provided by the Console and place it in a JS file on your target server, or embed it in the page HTML (preferably included site-wide in a common footer/header).
Note: You can encode the file to obfuscate it by toggling on the Obfuscate Script switch.
Alert
An alert is only triggered if the page is ever loaded on a server that doesn't match the specified domain.
Note: the original domain "inyoni-corp.com" was loaded on "inyonii-corp.com"
You're done!