Canary Trap: The Biggest Risk for Online Identities
The most effective way to expose online identities and aliases is a technique called the Canary Trap or the Barium Meal Test. This technique is unique and somewhat consternating. None of the standard managed attribution practices are effective in thwarting it because it attacks the human operator, rendering most tools ineffective.
The name “canary trap” most likely came from the way birds will repeat what they have heard. The Barium Meal Test is an older and more descriptive name for this technique. In the medical community, a barium meal allows a doctor to track food through the digestive system. In the intelligence world, the test allows tracking of information.
In the past, this tactic was used to find the source of leaks in an organization. A business or government organization distributes, to a select group of people, a document that is likely to be leaked. Each person receives a slightly different version. If the document is leaked, it is easy to identify the source by examining which version was discovered.
This technique applies just as well online, where it can be used to expose cover identities, discover operational infrastructure, and identify alias accounts. For online efforts, I think about three different variants of the test: the dangle, the bait, and the block.
With the dangle, an attacker allows some information to be discovered about a previously unknown person. For example, this can be done by putting it on a thumb drive that will be seized in customs or in a raid. The “person” was most likely created by the attacker who is looking for anyone that reaches out to make contact. That contact will almost certainly be from an alias identity using covert infrastructure, both of which have now been exposed.
The bait allows the attacker to identify a rat in an online group or forum. After the attacker provides the rat with information about some serious criminal activity, they look for overt law enforcement investigation of that activity. Sometimes this is as simple as a uniformed agent showing up at a mentioned location, or it could be law enforcement visits to a given website. Either way, it reveals the rat's identity to the attacker.
The third variant is the block. The Canary Trap attacker creates a website purporting to have some incendiary content, like beheading videos or a criminal chat room, and broadcasts its existence in public spaces. The website is configured to automatically block all known government-related IP addresses. Many government investigators or analysts will then turn to a misattributed IP address to access the site. When the attacker sees a blocked access attempt quickly followed by a successful one, they can safely assume that the new address is associated with the previously blocked government activity.
Once the attack succeeds, the attacker can take action immediately. They could simply block or ban the detected identity, or feed it misinformation. The attack works no matter how good the tradecraft and backstopping of that alias might be. The only sure defense is to never allow streams of information to become crossed. The operator needs to decide whether acting on some piece of information is worth burning their alias.
The Canary Trap / Barium Meal Test is an advanced kind of attack. Not every group will be aware of it or have the sophistication to pull it off. It often requires significant forethought, preparation, and effort to be effective. These attacks are only used to protect the most important kinds of information, and they have the ability to rip away online covers, expose identities, and reveal covert infrastructure.