Member_2_1334455 (Canada) asked:
Odd Traffic hits on CanaryToken using HTTP CanaryDrop

Hey everyone.  

I'm quite puzzled with the recent events that have happened with my Google Apps for work account and strange CanaryToken notifications.

I use a service called CanaryTokens from canarytokens.org which allows you to generate a random string URL on a variety of channels, i.e. HTTP, DNS, SQL queries, etc.  E.g., you can generate a random URL (and insert this URL as an image inside of a string of HTML code for use in an email signature) and if the signature is loaded, the token is triggered and sends an email notification.

Here's the scoop.

I've set up a CanaryDrop on my Google Apps for Work email signature so every time I compose an email, or send an email with my Google Apps for Work Gmail web interface (including whichever service uses the web interface for composing emails, on any platform, i.e. a PC, iOS device via browser, etc.), I'll get an email notification that looks similar to this:

One of your canarydrops was triggered.

Channel: HTTP
Time   : 2015-09-30 18:36:57.987925
Memo   : this is an email signature test for Google Apps for Work Webmail interface.
Source IP : 99.239.104.75
User-agent: Mozilla/5.0 (iPad; CPU OS 9_0 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13A344

Now, here's the strange thing.  So far I've had 2 very strange token alerts coming from an IP address in the Philippines with a user agent stating they were using a Windows 7 system (which I do not use), and also a more recent one (exactly like the one posted above) from an IP located in Barrie, Ontario (originating from the Rogers ISP).

I currently use TekSavvy, which is a Canadian ISP that uses Rogers networks; however, I do not see how it would be even possible to receive a token alert from an IP that's originating from a Rogers network considering I never sent/received an email from the web interface to/from that IP address (or any for that matter), even during the time of the event.

My question is, what would this IP address be doing?  I thought Google Apps for Work is sending email using a secure SMTP protocol.  Is it possible that the mail is being intercepted or looked at?  Once again, I did not send any email during the triggered time.  Could this be a Rogers DNS server triggering it?  How can one explain the Philippines IP address being of a client that has triggered my email signature through Google Apps for Work?  I do know that user agents can be spoofed, but that's beside the point; the IP is the important piece of information here.  I can't seem to wrap my head around it.

I contacted Google Apps for Work technical support, and they insist that there is no suspicious activity on my account.  I'm starting to believe that nothing is secure anymore, and that regardless of which ISP you're using, and what security implementations you're using, the NSA and government agencies are spying on us all.

Any ideas as to what it could be?  Would love to hear your input.

Regards,

Chris
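To make the mechanism in the question concrete (a random image URL embedded in a signature; whoever loads it reveals a source IP and user agent), here is an added Python example of a minimal HTTP canary endpoint. It is not code from the thread or from canarytokens.org; the base URL, port and memo text are placeholders, and the alert text is laid out like the notification quoted above.

```python
import secrets
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# 1x1 transparent GIF, so the token URL works as an <img> inside an HTML signature.
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01"
         b"\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

TOKENS = {}   # token string -> memo, filled by make_token()
ALERTS = []   # formatted alert texts, appended by record_hit()

def make_token(memo, base="https://canary.example"):  # base URL is a placeholder
    """Generate an unguessable token path and return the URL to embed as an image."""
    token = secrets.token_hex(16)          # 128 bits of randomness: not enumerable
    TOKENS[token] = memo
    return f"{base}/{token}.gif"

def format_alert(channel, when, memo, src_ip, user_agent):
    """Render an alert in the same layout as the notification quoted in the question."""
    return (f"One of your canarydrops was triggered.\n\n"
            f"Channel: {channel}\nTime   : {when}\nMemo   : {memo}\n"
            f"Source IP : {src_ip}\nUser-agent: {user_agent}")

def record_hit(path, src_ip, user_agent, when=None):
    """Look up the token in the requested path; on a match, store and return an alert."""
    token = path.strip("/").removesuffix(".gif")
    if token not in TOKENS:
        return None                        # not one of our tokens: nothing to alert on
    when = when or datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S.%f")
    alert = format_alert("HTTP", when, TOKENS[token], src_ip, user_agent)
    ALERTS.append(alert)
    return alert

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # client_address is the TCP peer. Behind a reverse proxy that is the proxy,
        # not the viewer; this minimal server does not parse forwarding headers.
        alert = record_hit(self.path, self.client_address[0],
                           self.headers.get("User-Agent", "-"))
        if alert:
            print(alert)
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Cache-Control", "no-store")  # a cached pixel would never re-fire
        self.end_headers()
        self.wfile.write(PIXEL)

if __name__ == "__main__":
    print("embed this URL as an <img>:", make_token("email signature test"))
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()  # port is a placeholder
```

Every fetch of the pixel (a recipient's mail client, a proxy that prefetches images, or a scanner that follows links) produces an alert, which is why a hit records who loaded the signature rather than who sent the mail.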
David Johnson, CD (Canada) replied:
This has nothing to do with Google Apps. It only has to do with your signature, so if a recipient opens the email you will get a canary notification.
Member_2_1334455 (asker) replied:
Hi David, thanks for the response.

I fully understand the concept and when the trigger is supposed to happen after sending or receiving an email with the token inside the signature.  However, I mentioned that I did not access my webmail or send an email during the time I got the notification, and definitely did not send an email across the pond.

At one point (for testing purposes) I intentionally did not use the webmail interface (with my tokenized signature) and it was still triggered to a weird IP address.

The info that is scary is the USER AGENT info.  Although it can be spoofed, why would someone with a Win7 PC from the Philippines receive my email signature if I never sent an email there?  I mean, the only possible option would be that the user was using a VPN service and connected their mail client using that IP address.  It just doesn't make sense.