We have answers from the amazing team about triggering tokens: Q: Why is the ISP triggering the tokens? A: CanaryTokens generate a unique HTTP URL or DNS hostname which once browsed to or resolved, makes a connection back to our servers and raises an alert. The Windows Folder Token makes use of DNS to trigger an alert, and inspecting the downloaded files reveals that we set the folders icon to a remote resource and encode some local system information into the hostname. Due to the hostnames being unique, Windows will recursively query a Tokens hostname up the DNS resolution chain which usually follows the path of localhost -> local DNS server (router) -> ISP DNS servers -> Root Servers -> Canary Tokens server. We tend to see multiple alerts happening after a Token is first triggered as ISP name servers cache the query and later refresh that cache for any DNS updates, this causes the Token to trigger multiple times. The “recent places or quick access” features of Windows can keep the Tokened folder in explorer's sidebar which attempts to preview the document causes further unnecessary alerts. Our advice: once a Token has initially triggered, you'll have gotten the all-important alert to further investigate; once complete, it's worth swapping out the Token for a new one to avoid later false positives. Q: Does this work on cell phones too? A: Yes. It's worth noting however that Tokens are designed to be tripped by their intended applications.The Word Token will require a desktop version of Microsoft Word to trigger Q: What about Anti-Virus? A: AV products do sometimes detect and even trigger Tokens in their scans, it's worth hiding Tokens a little deeper in your files. Certain AV programs also offer "sandboxing" services whereby files are uploaded to their servers for safe "detonation" which can end up triggering Tokens multiple times.

@monophoto1

Жыл бұрын

Is it possible to translate this into English for those of use who aren't computer geeks.

@dannystiasny3891

Жыл бұрын

@@monophoto1 I persoanlly would appreciate a quick video on what you just said Liron , I have a comprehension issue when reading , , Allways understand your Awesome vids , easy to understand and implement into action what you explain , Thanks

@edgamilcar92

Жыл бұрын

@@monophoto1 the dns is the domain, basically it is the acces to the online information, it assings to you an ip, that is like an unique id for your device... the cache memory is like some kind of archive that stores data to be easy to access, the cache triggers the token multiple times so you are supposed to give importance to the very first one... sorry for my english, i dont know if i am being clearly enough..

@superdrykidrobot

Жыл бұрын

Homeland, FBI, Google and Windows analytics, Facebook and Amazon trackers, game launchers, Discord, the list goes on and on. Most software these days acts like spyware, but they get on the whitelist and get you to approve permissions.

@manicminer4573

11 ай бұрын

@@monophoto1 It sounds like there will be so many false triggers as to make the technique practically useless.

hmmm I am seeing several people saying that their own ISP is triggering their tokens. I am looking into why this is happening. I also reached out to Canary Token people to see if they can shed some light. So DONT PANIC - your ISP is most likely not hacking your computer. My guess it is some type of "checks" that is happening at the ISP level. Will keep you updated as I learn more. This is getting interesting 🤔

@Boda.Attila

Жыл бұрын

Same problem here, in 15 minutes got 62 alerts. Not very helpful, unfortunately.

@sma7530

Жыл бұрын

Keep us posted, please!

@hankfox4170

Жыл бұрын

From the ip addresses and locations through Comcast, it's almost as if Comcast is treating something in the code as a new DNS address and it's passing it around just like DNS propagation. It may settle down after the initial spread, then all you need is to ignore the initial burst, although it would be nice to be able to remove the "hits" from the main list.

YOU ARE Epic!!! So much valuable info, I'll be watching again! Thank You!

@LironSegev

Жыл бұрын

appreciate you being here!

You are a living legend Liron.

Liron, you're great. I'm so glad I subscribed so that your video appeared at the top of my KZread viewing list.

@LironSegev

Жыл бұрын

appreciate you Brendan!

Liron you're the Best 🙌 Much love 🙏 - Stay Blessed - 🙏❤✌

@LironSegev

Жыл бұрын

🔥

Thank you so much. I love ur channel and subbed a few weeks ago. Love all ur content and use a lot of it. Thank you for increasing my security

Great info as always.

@LironSegev

Жыл бұрын

Glad it was helpful!

You are a star. Thank you . I'm subscribed.

@LironSegev

Жыл бұрын

Welcome!

Lots of valuable information brother ,thanks

@LironSegev

Жыл бұрын

Glad it was helpful!

For me still lost, but good that you can help people. Thank you.

@LironSegev

Жыл бұрын

No worries!

Great and useful content as always :)

I would love to see you describe home network security and how to monitor connections and do some tls dissection

Tech experts gets hacked moment

@mkks4559

Жыл бұрын

At least when they get hacked, they explain clearly how to protect ourselves from getting hacked like them.

@LironSegev

Жыл бұрын

there are only two kind of people: those who have been hacked, and those who don't know they have been hacked....

@Dnizzle25

Жыл бұрын

@@LironSegev give them time to let what you said marinate they'll get it tomorrow!

Thanks Liron, good stuff matey !!

@LironSegev

Жыл бұрын

My pleasure - thanks for stopping by!

@rodger3641

Жыл бұрын

@@LironSegev Its bloody funny you know, I got an email from Hoselink the other day, and I do buy stuff from there and I clicked on the email and it took me to their website. Not long after I got another email from them saying we see you visited our website... ding ding ding, and also wondered how Kogan was doing the same damn thing. and come to think of it a few other websites have really upped their emails that I visit. Crafty bastards. I do like to look at the pics to see whats on sale but I don't want to be hit with extra emails... other than turn off the images, is there any other way to look and not get tracked? I use gmail only. Cheers Liron, I'll be sharing this info around. I like Honey Pot lol, good stuff.

@LironSegev

Жыл бұрын

yeah - thats how they get you...If you enable email images it triggers their system. What you can do is use another email address like DuckDuckGo email system which anonymizes your email address. Apple has one too. And I am sure there are others. So you sign up with these emails instead of your main one. Also use a VPN and put yourself in another country which could cut down their tracking. Finally, there are some plugins that scan through Gmail (I havent personally tested these)

wow this is crazy thanks for this man like always you keep giving great information did the email stuff now.

@LironSegev

Жыл бұрын

Thanks for the message and hanging out here 👍

great information. I created a similar folder and opened it and then checked to see that it has been opened 3 times, once by me and 2 times from two different asian conuntries

Thanks for another useful video and yes I am a subscriber

@LironSegev

Жыл бұрын

Awesome, thank you!

Great info -- AGAIN! Thanks

@LironSegev

Жыл бұрын

Thanks again!

I have created the folder and shortcut and put them on my desktop, it will be interesting to see what hits i get. Thanks for creating the very interesting and useful videos.

@LironSegev

Жыл бұрын

Hopefully you get nothing which means no one is in your system 😉 I have many of these and just hope I never see an alert. Ever.

Bravo, brother!

So cool. I didn't even know "honey pots" were a thing. Now I have one on my desktop.

@LironSegev

Жыл бұрын

ahhh love that!

This is interesting. Will try this out. 👍🏻

Good Info thanx 😃👍

@LironSegev

Жыл бұрын

No problem 👍

Thx for the info, but what do I do to stop them from acessing my computer? Do I have to format my pc and install everything again? Keep with your great work, 👍👍

@LironSegev

Жыл бұрын

get a good anti virus that has the ability to scan your computer even if it already infected. Some allow you to create a special boot disk so you can run the scans without actually opening Windows. That is a good place to start.

Thumbs up and subscribed!

OK, now what do you DO with that information? Can you go after the hackers some way?

@NeptuneSega

2 ай бұрын

Secure your device obviously

Amazing bro!!!!!😮😮😮👍🏽✊🏽✊🏽🎧🎵👏🏾👏🏾👏🏾

@LironSegev

Жыл бұрын

appreciate you being here!

Epic... thanks so much

Hello can I use canary tokens on MacBook Pro or iPhone 13? I see a lot of the tokens are related to windows

Update: I made the token and I see that my cellphone provider seems to trigger it, now I do not know if cookies do this or a hacker is active, but I did ask them to clarify. Thank you it is nice to see.

Running file backups that include a tokenized folder will also generate email alerts.

@LironSegev

Жыл бұрын

Good call. Anytime anything touches the files it is triggered. So anti virus scan, backups, cloud syncs, renaming the file etc.

@buddyboy4x44

Жыл бұрын

@@LironSegev That scares me off. I wanted to place the file and forget it, but your reply here says I will get never ending email alerts from scans, backups, etc. Correct?

How long did it take from the time you set up the honeypot until you got results?

I'm your new subscriber, and I love you 😍😍😍😍

@LironSegev

Жыл бұрын

Appreciate you

Thanks for your expertise. Any advice for Android phones?

@LironSegev

Жыл бұрын

yes

Liron you're a Boss

Thanks!

@LironSegev

Жыл бұрын

Appreciate you being here 🔥

Hi Liron if im getting these tokens what do I do? I have virus protect and everything is up to date what am I missing thank you so much for your time

Thanx

What can I do if I catch someone?

@Inglan

6 ай бұрын

You dont

Thanks for the great info... I will definitely use this !!! Thank You for taking the time to educate people like me. I really like your channel . Please keep up the great work !!!

@LironSegev

Жыл бұрын

You are so welcome!

There is a file called "desktop" which is a configuration ini file, which i believe i can see because i have windows to show all hidden files, inside the My Documents folder downloaded.

Nice! What should I do with the info about the hackers?

@LironSegev

Жыл бұрын

report it to your local authorities

Liron, I have tried putting the windows folder thingey on two different computers, and I am not getting any emails or trigger alerts on the Canary page under ''manage this token''. Your instructions are very clear and I followed them directly but still nothing. Any ideas what Im doing wrong?

@jessederinger

3 ай бұрын

did you ever find a resolution? im experiencing the same thing

Same I got hacked yesterday

A little confused, Google's options are always see images or always ask, there's no don't automatically download images. It does say in the link you provided, that Google automatically scans email for potential threats. So what's the score? 🤔

Nice video Liron , PLEASE I've question to ask .... You said that if I open an email I received if the image load without clicking the image itself it'll notify them that I've read the email... So I taught it's only when I clicked on the image ?

@LironSegev

Жыл бұрын

nope - as soon as the image downloads, it triggers. That's how they know how many people received it, even if you didn't interact with any links.

@chinedumichael8776

Жыл бұрын

@@LironSegev Thanks for you reply. But please how do you mean download? Do you mean download straight to my phone or just the image load up or my email application (GMAIL) ?

Thats awesome. BUT! How we de stop them from taking info are watching and viewing our PC?

@LironSegev

Жыл бұрын

there really isnt any confidential info - its a trap. Make sure you have a good anti-virus and use a VPN, dont download cracked software and you should be fine.

Hi - At the 1:50 mark, are you copying the downloaded folder to the desktop or are you moving it? Thanks!

@EFudd-lu6ji

8 ай бұрын

I believe you can do either. The embedded code follows the file / folder.

Really like those over the top, exaggerated thumbnails 👌

@LironSegev

Жыл бұрын

what a coincidence - me too!

What if your on a apple ipad which one Would you click on

What do I do if someone trigger it? How to I revoke the access they have to my PC??

Would this work if I dropped these folders on a Synology server?

Can you explain more about "just by it being in your email and hovering over the link" comment you made? Does this mean even if I don't click the link just hover over it and look at the URL description it is triggering a token to the sender...??? Really appreciate this info!

Liron , will System Mechanic® Ultimate Defense help me with the people getting into my computer , like canary is showing , ? Thanks

@LironSegev

Жыл бұрын

Yup. I has great detection features

WHEN I HAVE A VIDEO ATTACHED TO MY EMAIL I HAVE TO SAVE IT IN ORDER TO PLAY IT. I USE TO JUST RIGHT CLICK ON THE ATTACHMENT AND CLICK PLAY. WHAT DO I HAVE TO DO IN FIREFOX TO HAVE THIS OPTION AGAIN. THANKS

Amazing video as usual. I tried it and every time i startup my computer ( after i Power down) i get a trigger alert immediately...... every single time I power on my computer. I tried restart as well ( as opposed to power down) and same thing happens , i get an trigger alert as soon a my computer is restarted ( false positives) and sometimes I get many other alerts, all says my VPN ( I have VPN on at all times). I had to remove it.

Appreciate the knowledge! I've subscribed a while back

@LironSegev

Жыл бұрын

Appreciate you being here 🔥

Thanks Leron. Very apt for Aussie right now.

@LironSegev

Жыл бұрын

apt for everyone all the time 😜

Thiojoe made a vid like this and he went over a method that uses logs to detect any access, even if the attacker is not on windows. It would then turn off the network drivers and shut down.

Thanks Liron! Honeypot set up.

@LironSegev

Жыл бұрын

nice!!! Simple right?

@gwaeron8630

Жыл бұрын

@@LironSegev I got an alert when I shut my PC down and when I woke it from sleep. Running MS safety scanner and windows security scans and researching now. I made sure indexing was off. The src_data is always my PC. Hopefully it is just something innocent doing its thing.

Could one create something similar in PowerShell?

Very useful video

@LironSegev

Жыл бұрын

Glad you liked it

I wish there was such on cell phones too.

Hmm...very interesting. Insteading of email, can CanaryTokens trigger a text message?

First here to watch and like, am that am always first person. big ups to you big brother 👏

@LironSegev

Жыл бұрын

you rock!

Is anti-virus worth to keep in computers now in 2024?

I would redirect them to one of the KZread channels that messes with scammers. LOL

Excellent video advice. However, I think I may be getting false positives. I have a new PC. I don't surf in admin, only visit legit known sites, and check links with virus total before visiting a new site or clicking a link I've never used before. I have an up-to-date AV, using Quad9 DNS. I always look forward to being notified of your new uploads.

@LironSegev

Жыл бұрын

isnt it strange just how much happens in the background that we are not even aware of? I wonder if its your anti-virus triggering this as it is testing the links?

@ldmuttley101

Жыл бұрын

@@LironSegev Thanks for all the tips and tricks you've offered over the years. My AV.; That was my first thought, I only mentioned it because I'm getting hits from around the world; Ireland, Germany, USA, India, Russia. I'm thinking of trying it in a new local account to see what happens. Once again thanks for all the tips and tricks you've offered over the years.

Thanks for posting. I have question, why after creating the honeypot, I checked on the history, it shows all 14 clicks where various IP addresses show up, some from local and some from out of state. Does someone constantly watching it ? I have no idea.

@LironSegev

Жыл бұрын

see the pinned comment where Canary Token explains why this is happening.

did as instructed but whenever I access this folder, there are no triggers at all

Thanks Liron. I followed your instructions and immediatly got 8 hits from my ISP?????

@LironSegev

Жыл бұрын

yip - see my pinned comment

Don't close the token download page, First go to that "manage this token", When you get to the log page for that token (it shows the token ID number), Copy the URL for that log page and save it to your computer, else if you close that download page, you will lose access to that token history log.

@EFudd-lu6ji

8 ай бұрын

Great comment!

I get it. Could they open a file/folder that uses encryption? Meaning not using bait, but they come across a real file.

Hi thanks

anyway I tried the the fast redirect and slow redirect and could not get my browsers to go through when ever I would go to test them

Nice idea, but it doesn't seem to be working for me, nor can I see the "Manage Token" screen. Help me!

how did they get in?

I tried the token site you mention and get this site can’t be reached?

MERCI

I, similarly, have an e-mail contact named "Me". Every once in a while I get an e-mail from Me. That way I know if something has gone through my contact list and tried baiting me. It's at least an alert.

@LironSegev

Жыл бұрын

nice!

youve never replied to me but maybe this is my lucky shot. I followed all the directions, but I am not getting any emails and it says my token has not been triggered yet, despite me trying every which way to make it work. Theres quite a few people commenting this but I havent seen it answered. THANK YOU!

The Thunderbird email client for PCs/Laptops refuses to download images by default. They can be enabled each time or permanently for senders the user selects. Some companies don't give you much information, what they want you to see is loaded in the images which are also links. I get lenient, "This was sent from, say, a streaming service I subscribe to, so I'm more willing to allow the images to load. Others, no.

This explains it so much better than what my professor did.

@LironSegev

Жыл бұрын

haha thank you for the compliment and for hanging out here!

@davidgeorge4784

Жыл бұрын

@@LironSegev you’re welcome. Love your content.

How do you remove it if you decide there are too many alerts (false positives)? If I put the file into my Trash folder surely it still exists and there and may continue to trigger.

@EFudd-lu6ji

8 ай бұрын

Delete the file or folder the code is associated with and empty the recycle bin.

Liron I got the folder on my desktop and it gets triggered like 12 to 15 times a day. What should I do?? Reinstall windows?? Please help.

@LironSegev

Жыл бұрын

see the pinned comment where Canary Token explains why this is happening.

Why does this process use so much CPU processing power? It seems to bog down down the PC!

Getting a lot of hits from _Cloudfare WARP_

Curious, this upload started at 2:57 into video

I FOLLOWED THE STEPS BUT when i checked history ,it says It dosent show me a list of events !!

@jessederinger

3 ай бұрын

did you ever resolve this? i am having same experience

@cyrpusangelos

3 ай бұрын

@@jessederinger no , never

Hey, do you script yo videos??

@LironSegev

Жыл бұрын

depends on the video

I u go to recent pages opened?

Nice

Instantly after doing this i got over 50 triggers, all from my ISP....................... Update: I get a trigger alert approx every 30 minutes from my ISP. Update 2: I removed it due constant triggers from ISP.

what if hackers are using VPN ?

I don’t understand how the Windows folder part works. How did CantoryTokens knows the Windows folder was accessed? Windows folder isn’t executable like .exe, it’s just a folder? When you downloaded the folder I didn’t see you run anything else that that would trigger CantoryTokens that the folder was accessed?

@LironSegev

Жыл бұрын

Here's a wild and crazy idea.... Try it for yourself

Love your videos with it's plethora of info. I've used IOLO System Mechanic for many, many years now but I've been disappointed with them lately. Not the product but the way they do business. The big one is they have gone to an automatic auto-renewal system and you can no longer login and make changes to your account. Their site will tell you how to login but where they tell you to look, it's not there. You need to call them to do that. IOLO has made changes as of September 2022.

can't find the mange this Token , after the other steps , Documentation , link that's it , thanks for all your Great info and vids by the way

@LironSegev

Жыл бұрын

trigger it yourself - you will get an email and it will have a link in the email to manage the token.

@dannystiasny3891

Жыл бұрын

@@LironSegev Thanks , I checked my email after writing this and found the link to click in the Alert in my Email , lol

@dannystiasny3891

Жыл бұрын

OMG , in 20 minutes have had 18 , yea a few where me , I think , , The IP address are all different and the Maps show basically 2 locations , none since then 2 hours ago ... WOW Thanks Liron , ot sure what to do now , BUT WOW ,lol

Will you get notified if this file is copied or scanned by a program like Discord? Let’s say copied to remote location.

Why the heck do you have a minidisc player on the shelf? 🤔

@LironSegev

Жыл бұрын

haha good old tech - still works and I have the discs too. That saved me on the daily London underground travels....