The malicious attack known as doxing has gone far beyond hacker tools, with the threat now extending to most social media platforms and making nearly anyone a target.
Today, doxing continues to be an intimidating prospect for digital users and is a mainstream data security problem. Online users can have a great deal of anonymity, but the growth of digital platforms makes obtaining information more accessible than ever. With any public-facing or dormant digital presence, threat actors can weaponize personal information to humiliate the victim, extort them, or conduct further malware attacks.
This article looks at doxing, how it works, types, best defensive practices, and what to know about the mainstream digital attack.
What is Doxing?
Doxing – abbreviated from “dropping documents” – is a form of Open Source Intelligence (OSINT) where an actor publicly shares online information or data about a specific individual or group of individuals. Doxing often reveals identifying information about an adversary and is almost always a malicious attack to hurt the victim.
A Brief History Of Doxing
Doxing is a term that first originated alongside the boom of the internet and black hat culture. Within the hacking community, doxing is an intimidation tactic to unmask the otherwise anonymous details of another user. With user interactions expanding to entire communities and remote connections, doxing is easier than ever and present across today’s social media platforms.
What Documents Are Getting Dropped?
- Personal Details: home address, phone number, workplace, criminal history
- Financial Information: social security number, banking, credit report, digital wallet
- Other Personal: private communications, personal data, embarrassing details
How Does Doxing Work?
The list of tactics, techniques, and procedures (TTP) used by threat actors to gain another user’s data is extensive. Common searches include scanning public records, phone records, social media, and WHOIS domain information. Meanwhile, more advanced threat actors will utilize IP addresses, packet sniffing, and dark web data brokers to obtain personal details. Another widely used tactic for information gathering is phishing or the engagement and manipulation of another user’s trust.
Upon obtaining the documents in question, threat actors can dispose of the information as they please. Hackers can publish their findings under an anonymous account on a popular social media platform or another public-facing channel. In either circumstance, the hacker makes the personal details more accessible to other users by collecting and sharing the information.
Types of Doxing Attacks
|Deanonymizing||Revealing personal identifiable information of an anonymous individual|
|Targeting||Private or obfuscated personal information revealing circumstances|
|Delegitimizing||The disclosure of intimate details to damage an individual’s credibility|
More niche examples of doxing include:
- Breach Doxing: the unintentional dropping of documents via a data breach or leak.
- Revenge Doxing: targeting individuals as a form of revenge.
- Swatting: targeting individuals via emergency tip to public authorities.
- Criminal Doxing: targeting individuals with harmful intent.
- Faulty Doxing: targeting of an unintended individual.
- Corporate Doxing: targeting a specific business and personnel.
- Celebrity Doxing: targeting a celebrity’s personal information.
- Intellectual Property Doxing: targeting a company’s proprietary data.
Defending Against Doxing
Keeping a low profile online can be difficult in an era where a brand is everything. Personal details about users – whether inadvertently available on social media or through a data breach on a long inactive account – are everywhere, giving persistent threat actors plenty to utilize.
- Practice cybersecurity hygiene, including strong passwords and MFA
- Scrub data from data broker sites or obsolete profiles and accounts
- Differentiate usernames and passwords between accounts
- Separate email accounts for distinct purposes
- Evaluate privacy settings and public info for social accounts
- Hide domain registration and protect IP with VPN
- Tread lightly with app permissions and minimize disclosure of personal information
- Avoid malicious interactions and stay vigilant with trust online
Proposal for Action: Dox Yourself
Don’t believe you have anything to hide? Industry analysts offer a simple challenge: check how easy it is to dox yourself. Data owners can evaluate their current risk posture regarding a doxing attack and take steps for remediation.
Evaluate Doxing Risks
From Google to Twitter and LinkedIn, searching for a first and last name can reveal a lot about an individual or company.
The pedestrian user may not know or care about their privacy settings. Still, threat actors are well aware of publicly visible information on social media, personal websites, and other digital platforms. Individuals and organizations with a longstanding digital presence have even more content for threat actors to parse through in search of a humiliating tweet or picture.
In addition to popular websites, users must also consider data breaches and existing digital accounts. Disasters and attacks for web service providers can result in emails, passwords, and more being published and exposing account user information.
Users can check if their email or phone was compromised in a data breach on Have I Been Pwned? Hopefully, no pwnage is found!
Remediate And Continually Audit
Though personal details like a mobile phone number, email accounts, or home address on an online CV may seem harmless, this information is vulnerable to misuse. Creating phone and email accounts specific to public-facing purposes is a popular preventative measure.
Across digital platforms and accounts, users should ensure all settings meet their privacy and cybersecurity expectations. In evaluating doxing risks, users with compromised credentials must act with haste to change any other accounts carrying the same username and password. In the same vein, users should consider deleting dormant accounts to avoid additional exposure.
If the user isn’t going off the grid entirely, preventing doxing or other attacks against one’s privacy means proactive monitoring. Users should conduct regular audits of publicly available data about themselves. Keeping up with current events is also an invaluable part of securing data as a user can act quickly to remediate the potential exposure.
The Unintended Victims of Doxing
Never mind the real threat doxing can bring to the intended individuals – a disturbing number of instances show the original documents published to be inaccurate and the recipient of post-doxing reactions misidentified. These examples often lead to digital or in-person harassment and reputational damage of individuals unbeknownst to any identifiable reason for the attack.
Notable Doxing Attacks
|August 2017||After the “Unite the Right” rally in Charlottesville, Virginia, online users misidentified an attending protester as University of Arkansas assistant professor Kyle Quinn. Quinn was met with a barrage of harassment before online users learned it was not the same individual.|
|August 2014||Known as “Gamergate,” several notable women in the video game industry were targeted in an online harassment campaign and doxing. Noted as a backlash to increasing feminism in gaming, victims received extensive attacks at the time and for years after.|
|August 2014||Known as “The Fappening,” a threat actor published 500 private pictures of celebrities to 4chan before their broader circulation. Apple stated the threat actor executed spear-phishing attacks to access the vendor’s cloud services suite, iCloud. In 2018, George Garofano pleaded guilty to the attack.|
|March 2013||Multiple celebrities and political figures, including Kim Kardashian, Ashton Kutcher, Jay-Z, Joe Biden, and Hillary Clinton, were the victims of doxing their financial details. In 2015, Mir Islam pleaded guilty to the attack. The US DOJ detailed the string of attacks in 2013 against dozens of victims.|
Is Doxing Illegal?
Doxing can ruin lives, as it can expose targeted individuals and their families to both online and real-world harassment. But is it illegal?
The answer is usually no: doxing tends not to be illegal, if the information exposed lies within the public domain, and it was obtained using legal methods. That said, depending on your jurisdiction, doxing may fall foul of laws designed to fight stalking, harassment, and threats.
It also depends on the specific information revealed. For example, disclosing someone’s real name is not as serious as revealing their home address or telephone number. However, in the US, doxing a government employee falls under federal conspiracy laws and is seen as a federal offense. Because doxing is a relatively recent phenomenon, the laws around it are constantly evolving and are not always clear cut.
Regardless of the law, doxing violates many websites’ terms of service and, therefore, may result in a ban. This is because doxing is usually seen as unethical and is mostly carried out with malicious intent to intimidate, blackmail, and control others. Exposing them to potential harassment, identity theft, humiliation, loss of jobs, and rejection from family and friends.
Doxing Protection and What to do if I’ve been doxed?
Read more on protection here
What to do if i’ve been doxed, including How to Respond
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
- UK bans Chinese CCTV cameras at ‘sensitive’ government locations - 26 November 2022
- Chrome Update: Exploited Zero-Day Vulnerability fixed by Google, the 8th this year - 25 November 2022
- RESEARCH: analytics information related to iPhones include a Directory Services Identifier (DSID) that may be used to identify users - 24 November 2022