canary tokens security alert Cybersecurity

How to Know if Someone Access your Files with Canary Tokens

12/11/19 6 min. read

Cyber attacks don’t just affect large companies. It’s true that they are more high-profile, but how would you feel if somebody broke into your PC and stole your personal data? They could steal your identity and pretend they are you in order to access your bank account. They could also take your photos and create a fake social media profile.

? Talking about social media, there is a post you should read: 5 Tips to Keep your Social Media Safe

In this post I’m going to show you how to create a very simple security measure without having to be an expert in cyber security. We’re going to set up our own Canary Token, which can be used to know when somebody is searching among our files, sends an email or clicks a link.

Get me to the point:

Create your own security measure: Canary Tokens
Create your own security measure: Canary Tokens

You may have heard of honeypots before. Honeypots are devices used as bait for cyber attacks in order to gain information on both the attack and the attacker. Canary tokens work in a similar way and can also give us valuable information on potential cyber threats.

What does Canary Token mean?

There’s a reason behind the name, although it has nothing to do with computers or cyber security, but rather the mining industry.

As we all know, miners face significant risks while working, particularly in the case of underground mines. One such risk is the presence of lethal gases such as methane or carbon monoxide. This is due to the fact that at certain levels the presence of these gases in the air can cause loss of consciousness or even death.

Technology advances mean that there are now improved security measures such as gas detectors and ventilation systems that did not previously exist. Back then, however, miners came up with their own way of detecting the presence of these gases before they reached deadly levels for the miners themselves; and here’s where the canary comes in.

A miner holds a cage with a canary inside to go into the mine
A miner holds a cage with a canary inside to go into the mine

Canaries have a much greater sensitivity to methane and carbon monoxide gas than humans. Certain levels of these gases, although harmless for humans, can cause canaries to lose consciousness. That’s why miners would take a canary with them into the mine as a sentinel to alert regarding the possible presence of these gases in the air.

How to set up your own Canary Token

The role of Canary Tokens in the field of cyber security is basically the same: we use our digital ‘canary’ to alert us of any suspicious activity. All you have to do is set it up and place it in a strategic location.

We’re going to see some examples now using the, which allows us to create our own Canary Token in a matter of a few clicks.

To start, go into the web on your browser 🙂


Example 1: generating a Canary Token in a PDF document

One very useful way is to create a new PDF document which we then use as bait. In this example, I’m going to show you how to create this type of Canary Token so that it sends an alert to your email if anyone opens it.

Firstly, choose the option of a PDF document:

Select your token for generate a new canary token
Setting up our first Canary Token

Enter the email where you wish to receive the alert and a reminder note for when the token is triggered. In my case it looks as follows:

fill the details to create a canary token
Fill up the details

Once you have created this new PDF document, change the name and move it to the folder you want to monitor.

guarda el canarytoken en una carpeta
One of those is our Canarytoken

One of the files in this directory is the PDF that I just created, but at first glance it blends in with all the others (I won’t say which one it is, although it’s not difficult to guess!).

Now if anyone accesses this folder and opens the PDF it will be an empty file, but we will receive an email with the following message:

“A DNS Canarytoken has been triggered by the Source IP XXXXX. Please note that the source IP refers to a DNS server, rather than the host that triggered the token” plus some technical details.

Message from
canarytoken triggered alert
Alert received in the moment someone opens our PDF file

Example 2: generating a Canary Token as a URL

This way of creating a canary token is equally simple. In this case, I’m going to explain how to set up a URL so that it alerts you when somebody clicks the link.

web bug url canary token
Setting up our Canarytoken as a URL
web token is active url details
Our URL is ready to copy and link it somewhere else

We could send an email with this link and we would receive an alert when somebody clicks it:

phishing email with our url canary token
I linked the URL in the buttom so when somebody opens it…

If the user clicks the “Open” button, we would receive an email just like in the example of the PDF document.

Little things make a big difference

Sometimes in the cyber security world it’s the little things that make a big difference:

  • clicking (or not clicking) a simple link
  • having a certain port open
  • setting up an account with admin/admin

And while our little ‘canary’ doesn’t fully protect us against cyber attacks, it could give us a valuable warning just as they once did in the mines.

It’s also true that for every law there’s a loophole, but we’ll leave that for another post 😉

Daniel López

Santander Global Tech

Telecommunications Engineer degree by the Sevilla University. Cybersecurity and Technology to make our life better.


Other posts