InShort: Offensive Cybercrime Investigation || Trace a criminal through a Link/URL. (Canary Tokens)
How can you get the IP address of anyone by sending them a link?
Cyber investigation and forensics rely on analysis of evidence, logs, proofs and trails on an as-is basis, following the modus operandi. For example, in the case of a phishing call, Customer Acquisition Forms (CAFs), IPDR, CDR, etc. are requested from the telecom operators.
Why Offensive?
Lack of support from intermediaries, absence of logs, significant delays in data requisition and cold-blooded criminals are some of the reasons why an offensive approach is required.
Canary Tokens:
In simple terms, a link, Word file or PDF file which, when opened, reports the location of the person who opened it is called a canary token.
1. Create a Canary Token:
Many websites provide canary tokens. You need two things before creating one:
- An email address to receive the notification alert when someone clicks
- The type of canary token (URL, PDF, Word, etc.)
An easy one to use is: https://canarytokens.org/generate
2. Delivery: Send the link to your target. When he/she clicks, you get the IP details. The token can be sent via email, WhatsApp, SMS, USB, etc.
3. Sample Output (email notification; click "More" at the bottom of the email to get the map).
Details seen: time, IP address, user agent, etc.
Using the IP details, the IPDR can be obtained from the telecom service provider to find out who was assigned the IP.
The user agent also reveals the behaviour of the criminal, such as which system he/she is using (mobile: Android 11, laptop, etc.).
Clicking "More info" on this token takes you to a maps page which shows the location of the IP.
Further IP details can be obtained from ipinfo.io or URLscan.io
URL shorteners could be used to hide the name 'canary' in the link and generate short links.
Microsoft Word files, Adobe PDF files and email addresses are other forms of canary tokens that can be sent to the target to get system/IP details.
Closing Thoughts
The battleground has its own laws. But if the opponent crosses the line and disobeys the rules of war, the rules need to be bent.