learn cybersecurity
The malicious attack known as doxing has gone far beyond hacker tools, with the threat now extending to most social media platforms and making nearly anyone a target.
Today, doxing continues to be an intimidating prospect for digital users and is a mainstream data security problem. Online users can have a great deal of anonymity, but the growth of digital platforms makes obtaining information more accessible than ever. With any public-facing or dormant digital presence, threat actors can weaponize personal information to humiliate the victim, extort them, or conduct further malware attacks.
This article looks at doxing, how it works, types, best defensive practices, and what to know about the mainstream digital attack.
Doxing – abbreviated from “dropping documents” – is a form of Open Source Intelligence (OSINT) where an actor publicly shares online information or data about a specific individual or group of individuals. Doxing often reveals identifying information about an adversary and is almost always a malicious attack to hurt the victim.
Doxing is a term that first originated alongside the boom of the internet and black hat culture. Within the hacking community, doxing is an intimidation tactic to unmask the otherwise anonymous details of another user. With user interactions expanding to entire communities and remote connections, doxing is easier than ever and present across today’s social media platforms.
The list of tactics, techniques, and procedures (TTP) used by threat actors to gain another user’s data is extensive. Common searches include scanning public records, phone records, social media, and WHOIS domain information. Meanwhile, more advanced threat actors will utilize IP addresses, packet sniffing, and dark web data brokers to obtain personal details. Another widely used tactic for information gathering is phishing or the engagement and manipulation of another user’s trust.
Upon obtaining the documents in question, threat actors can dispose of the information as they please. Hackers can publish their findings under an anonymous account on a popular social media platform or another public-facing channel. In either circumstance, the hacker makes the personal details more accessible to other users by collecting and sharing the information.
| Deanonymizing | Revealing personal identifiable information of an anonymous individual |
| Targeting | Private or obfuscated personal information revealing circumstances |
| Delegitimizing | The disclosure of intimate details to damage an individual’s credibility |
More niche examples of doxing include:
Keeping a low profile online can be difficult in an era where a brand is everything. Personal details about users – whether inadvertently available on social media or through a data breach on a long inactive account – are everywhere, giving persistent threat actors plenty to utilize.
Don’t believe you have anything to hide? Industry analysts offer a simple challenge: check how easy it is to dox yourself. Data owners can evaluate their current risk posture regarding a doxing attack and take steps for remediation.
From Google to Twitter and LinkedIn, searching for a first and last name can reveal a lot about an individual or company.
The pedestrian user may not know or care about their privacy settings. Still, threat actors are well aware of publicly visible information on social media, personal websites, and other digital platforms. Individuals and organizations with a longstanding digital presence have even more content for threat actors to parse through in search of a humiliating tweet or picture.
In addition to popular websites, users must also consider data breaches and existing digital accounts. Disasters and attacks for web service providers can result in emails, passwords, and more being published and exposing account user information.
Users can check if their email or phone was compromised in a data breach on Have I Been Pwned? Hopefully, no pwnage is found!
Though personal details like a mobile phone number, email accounts, or home address on an online CV may seem harmless, this information is vulnerable to misuse. Creating phone and email accounts specific to public-facing purposes is a popular preventative measure.
Across digital platforms and accounts, users should ensure all settings meet their privacy and cybersecurity expectations. In evaluating doxing risks, users with compromised credentials must act with haste to change any other accounts carrying the same username and password. In the same vein, users should consider deleting dormant accounts to avoid additional exposure.
If the user isn’t going off the grid entirely, preventing doxing or other attacks against one’s privacy means proactive monitoring. Users should conduct regular audits of publicly available data about themselves. Keeping up with current events is also an invaluable part of securing data as a user can act quickly to remediate the potential exposure.
Never mind the real threat doxing can bring to the intended individuals – a disturbing number of instances show the original documents published to be inaccurate and the recipient of post-doxing reactions misidentified. These examples often lead to digital or in-person harassment and reputational damage of individuals unbeknownst to any identifiable reason for the attack.
| When | Attack Details |
| August 2017 | After the “Unite the Right” rally in Charlottesville, Virginia, online users misidentified an attending protester as University of Arkansas assistant professor Kyle Quinn. Quinn was met with a barrage of harassment before online users learned it was not the same individual. |
| August 2014 | Known as “Gamergate,” several notable women in the video game industry were targeted in an online harassment campaign and doxing. Noted as a backlash to increasing feminism in gaming, victims received extensive attacks at the time and for years after. |
| August 2014 | Known as “The Fappening,” a threat actor published 500 private pictures of celebrities to 4chan before their broader circulation. Apple stated the threat actor executed spear-phishing attacks to access the vendor’s cloud services suite, iCloud. In 2018, George Garofano pleaded guilty to the attack. |
| March 2013 | Multiple celebrities and political figures, including Kim Kardashian, Ashton Kutcher, Jay-Z, Joe Biden, and Hillary Clinton, were the victims of doxing their financial details. In 2015, Mir Islam pleaded guilty to the attack. The US DOJ detailed the string of attacks in 2013 against dozens of victims. |
Doxing can ruin lives, as it can expose targeted individuals and their families to both online and real-world harassment. But is it illegal?
The answer is usually no: doxing tends not to be illegal, if the information exposed lies within the public domain, and it was obtained using legal methods. That said, depending on your jurisdiction, doxing may fall foul of laws designed to fight stalking, harassment, and threats.
It also depends on the specific information revealed. For example, disclosing someone’s real name is not as serious as revealing their home address or telephone number. However, in the US, doxing a government employee falls under federal conspiracy laws and is seen as a federal offense. Because doxing is a relatively recent phenomenon, the laws around it are constantly evolving and are not always clear cut.
Regardless of the law, doxing violates many websites’ terms of service and, therefore, may result in a ban. This is because doxing is usually seen as unethical and is mostly carried out with malicious intent to intimidate, blackmail, and control others. Exposing them to potential harassment, identity theft, humiliation, loss of jobs, and rejection from family and friends.
Read more on protection here
What to do if i’ve been doxed, including How to Respond
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today
Remember, CyberSecurity Starts With You!
This post was last modified on 30 November 2022 6:56 PM
British high street chain WH Smith has recently revealed that it was hit by a…
As banks worldwide roll out Voice ID as a means of user authentication over the…
In the era of digital transformation, cybersecurity has become a major concern for businesses. When…
In today's digital age, cybersecurity threats have become a significant concern for businesses of all…
The RIG Exploit Kit is currently in the midst of its most productive phase, attempting…
One of the most transformational technologies of our time, artificial intelligence (AI), has quickly come…
Leave a Comment