Showing posts from June, 2019

When document.domain is not equal to document.domain

Background

One of our most popular Canarytokens is one we call the "Cloned-Site Token". Essentially, we give you a tiny piece of JavaScript to add to your public webpage. If this JS is ever loaded on a server that doesn't belong to you, it fires an alert. You can be alerted at an email address or webhook in the free version, or to your SIEM, Slack channel or a bunch of other alternatives in the paid version.

The Cloned-Site Token is super useful at catching phishers who duplicate your website as a precursor to an actual phishing attack.

A notification that the website from was now running on

The Issue

Recently, a financial services customer was periodically getting alerts where the Cloned-Site domain matched their actual domain. This was unexpected, as the token explicitly should only trigger if the domains are different. In other words, the token for should only fire if the page is lo
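To make the mechanism concrete, here is an added illustration of how a cloned-site check of this kind can be structured. It is not the Canarytokens script and is not from the post above: the expected hostname, the token URL, the `d=` query parameter and the image-beacon delivery are all assumptions, and the canonicalisation in `normalizeHost` (lowercase, trailing dot stripped) is a generic assumption about how to avoid spurious mismatches, not a diagnosis of the customer's case, which the page does not explain. The check is written around a `doc` argument so it can be exercised outside a browser with a stub object.

```javascript
// Added illustration of a cloned-site token check (not the Canarytokens code).
// Assumed placeholders: the domain the page legitimately lives on, and the
// URL that, when requested, raises the alert on the token server.
const EXPECTED_DOMAIN = "example.com";
const TOKEN_URL = "https://canarytokens.example/t/abc.gif";

// Assumed canonicalisation so that trivial spellings of the same name do not
// count as a clone: DNS names are case-insensitive and a trailing dot only
// marks the root of a fully-qualified name.
function normalizeHost(host) {
  return String(host || "")
    .trim()
    .toLowerCase()
    .replace(/\.$/, "");
}

// True when the page is running somewhere other than the expected domain.
// An empty hostname (about:blank, file://) gives nothing to compare, so it
// is treated as "do not fire" rather than as a clone.
function shouldFire(observedDomain, expectedDomain) {
  const observed = normalizeHost(observedDomain);
  const expected = normalizeHost(expectedDomain);
  if (observed === "") return false;
  return observed !== expected;
}

// Build the alert URL, carrying the observed hostname as a query parameter
// (assumed parameter name "d") so the alert can say where the clone runs.
function alertUrl(observedDomain, tokenUrl) {
  const sep = tokenUrl.includes("?") ? "&" : "?";
  return tokenUrl + sep + "d=" + encodeURIComponent(normalizeHost(observedDomain));
}

// Run the check against a document-like object. Returns the alert URL that
// was (or would be) requested, or null when no alert is warranted. The
// hostname is read from location.hostname when present and falls back to
// document.domain, so the same function works with a stub in tests.
function checkClonedSite(doc, expectedDomain, tokenUrl) {
  const observed =
    (doc && doc.location && doc.location.hostname) ||
    (doc && doc.domain) ||
    "";
  if (!shouldFire(observed, expectedDomain)) return null;
  const url = alertUrl(observed, tokenUrl);
  // In a browser, deliver the alert as an image request (a common beacon
  // pattern; assumed here, not the page's own delivery mechanism).
  if (typeof Image !== "undefined") {
    const beacon = new Image();
    beacon.src = url;
  }
  return url;
}

// Only fire automatically when actually running inside a browser page.
if (typeof document !== "undefined") {
  checkClonedSite(document, EXPECTED_DOMAIN, TOKEN_URL);
}
```

With a stub such as `{ domain: "phish.example" }` the check returns the alert URL; with `{ domain: "example.com" }` it returns `null`. Dropping the canonicalisation step would make `"Example.com"` and `"example.com."` count as clones of `"example.com"`, which is the shape of problem the post's title points at, though whether that was the customer's cause is not stated here.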