Posts

Showing posts from June, 2019

When document.domain is not equal to document.domain

Image
Background One of our most popular Canarytokens is one we call the "Cloned-Site Token". Essentially, we give you a tiny piece of JavaScript to add to your public webpage. If this JS is ever loaded on a server that doesn't belong to you, it fires an alert. You can be alerted at an email address or webhook in the free version , or to your SIEM, slack channel or a bunch of other alternatives in the paid version . The Cloned-Site Token is super useful at catching Phishers who duplicate your website as a pre-cursor to an actual phishing attack. A notification that the website from http://thinkst.com was now running on http://fake-thinkst.com The Issue Recently, a financial services customer was periodically getting alerts where the Cloned-Site domain matched their actual domain. This was unexpected, as the token explicitly should only trigger if the domains are different.  In other words, the token for http://domain.com should only fire if the page is lo