Doxing: A comprehensive threat analysis
As IT professionals, we tend to focus on improving the security of devices, networks and other infrastructure. However, in a world where online abuse increasingly spills over into real-world harassment, a new perspective may be required. Perhaps it’s time we began approaching personal security the same way we would for a business: identifying risk factors, minimizing the chance of a breach and developing a response plan in case the worst should happen.
Doxing is one of the most common methods used to silence people online. This is when an individual’s personal information (full name, home address and so on) is deliberately leaked with the intention of making their lives as difficult as possible. There is strong potential for physical harm to the victim (including from follow-up threats like SWATTING), and as a result, it is imperative that we work to address the threat that doxing poses.
Step 1: Identifying individuals most at risk of doxing
Despite how damaging doxing can be, there’s a notable lack of research on the phenomenon. Perhaps the most thorough empirical study to date is Fifteen Minutes of Unwanted Fame: Detecting and Characterizing Doxing (PDF), in which researchers constructed a profile of the typical doxing victim after monitoring the most popular leak-sharing platforms (Pastebin, 4chan and 8chan) for several weeks.
After examining over 4,500 sets of leaked documents, researchers found that the victims were predominantly male (82.2%) and located in the USA (64.5%), with an average age of 21. However, victims ranged from 10–74 years old, so age alone clearly isn’t a reliable indicator of risk. Neither, it seems, is the victim’s occupation, with high-profile hackers, gamers and celebrities accounting for just 16.2% of the collected leaks.
It’s also worth noting that in the majority of doxing incidents (around 97%), no justification was provided. Of those that did include a reason, the two most common were bringing someone to justice and getting revenge. However, even combined, these account for a very small subset of the available data.
Step 2: Discovering what information is available to attackers
The victim’s home address is by far the most commonly-included information, appearing in 90.1% of leaks. Aliases and usernames are often included, as are the victim’s phone number, email address, date of birth, IP address, ISP and details about their family.
What’s especially troubling is that the information above is often all that’s required to correctly answer many people’s security questions. This opens up numerous new avenues for attack: the user’s social media accounts could be hijacked, their online bank account could be drained or their internet access disconnected, leaving them even more vulnerable and isolated than before.
We often forget just how much of our personal information is available online. But make no mistake: a determined attacker can find out far more about you than you’d expect. In fact, it’s trivially simple to find your boss on LinkedIn or make an educated guess at your home address based on your Facebook photos. If they’re willing to spend a few dollars, the situation gets even worse, thanks to publicly-available criminal record databases and people-finding services.
Step 3: Reducing the likelihood of a personal data leak
The best way to protect yourself from doxing is to limit the personal information you reveal online. You can do this by using several different email addresses and usernames, as well as by refraining from posting details like the city you live in, which company you work for or what school you went to.
The problem with this approach is that attackers can glean information from other sources. For instance, modern cameras often embed GPS coordinates in your images’ metadata. Unless this is manually stripped using a tool like ExifPurge, anyone can see exactly where the photo was taken. Likewise, unless you’re using a Virtual Private Network, anyone with your IP address can use geolocation tools to get a rough estimate of where you live.
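As an added illustration of the GPS-metadata leak described above (example code written for this page, not from the original article or any tool it names), the following pure-Python snippet checks whether a JPEG’s Exif IFD0 carries the GPS sub-IFD pointer and strips the Exif segment before the photo is shared. The JPEG it operates on is a constructed test fixture built inline, so it runs offline.

```python
import struct

GPS_IFD_POINTER = 0x8825  # Exif IFD0 tag pointing at the GPS sub-IFD

def _exif_payloads(jpeg):
    """Yield (start, end, tiff_bytes) for each APP1 Exif segment before image data."""
    assert jpeg[:2] == b"\xff\xd8", "not a JPEG (missing SOI marker)"
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # SOS: scan data follows, metadata segments are behind us
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        end = pos + 2 + length
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            yield pos, end, jpeg[pos + 10:end]
        pos = end

def has_gps_metadata(jpeg):
    """True if any Exif segment's IFD0 carries the GPS sub-IFD pointer (tag 0x8825)."""
    for _, _, tiff in _exif_payloads(jpeg):
        endian = "<" if tiff[:2] == b"II" else ">"  # TIFF header gives byte order
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):  # each IFD entry is 12 bytes: tag, type, count, value/offset
            tag = struct.unpack(endian + "H", tiff[ifd0 + 2 + 12 * i:][:2])[0]
            if tag == GPS_IFD_POINTER:
                return True
    return False

def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1 Exif segment removed; other segments stay."""
    out, last = [], 0
    for start, end, _ in _exif_payloads(jpeg):
        out.append(jpeg[last:start])
        last = end
    out.append(jpeg[last:])
    return b"".join(out)

def sample_jpeg_with_gps():
    """Constructed fixture: SOI, JFIF APP0, Exif APP1 (IFD0 -> GPS IFD), truncated SOS."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    gps_ifd = struct.pack("<H", 1) + struct.pack("<HHII", 0x0001, 2, 2, 0x4E) + b"\x00" * 4  # GPSLatitudeRef "N"
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, 8 + 18) + b"\x00" * 4
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps_ifd  # little-endian TIFF, IFD0 at offset 8
    app1_body = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    return b"\xff\xd8" + app0 + app1 + b"\xff\xda\x00\x02"
```

Real photos may also carry location data in XMP or IPTC blocks, which this check does not inspect, so treat it as a spot check rather than a substitute for a full metadata scrubber.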
It would be wise to assume that people will attempt to access your accounts. To prevent this, use a different, mixed-case password for each service and ensure that your security questions are sufficiently difficult to answer. It’s also difficult to overstate the importance of enabling two-factor authentication on any service that supports it.
Step 4: Responding to a personal data leak
It’s important to move fast in the event of a data breach. If your home address has been leaked, your number one priority should be relocation: ideally to a hotel, but in a pinch, a friend or relative’s home will do, as long as they know about your situation (and haven’t had their information disclosed as well).
The next step is to inform your local police department, credit bureau and bank. This not only allows you to protect your savings and block unauthorized credit applications, but it also reduces the chance that the police will send an armed response to your home without first checking in. It’s also worth asking whether your local department has an anti-SWATTING watchlist, although these are still relatively uncommon outside of flagship programs in Seattle and Wichita.
Finally, you can try to have the leaked information taken down. For platforms like Facebook and Twitter, this is usually as simple as reporting the post or account, but there’s little you can do to prevent your data from being shared on less-scrupulous bulletin boards or the dark web.
While it’s difficult to predict how long an organized doxing campaign will continue to harass the victim, the 24/7 news cycle ensures that there will be a new target soon afterward.
It’s unfortunate, but in cases where the harassment continues for an extended period of time, all a victim can really do is pursue legal action (which can be prohibitively expensive) or lock down their accounts, change their phone numbers and email addresses and move home.
Doxing is relatively simple to do, yet has significant, long-lasting consequences for victims. As it’s currently difficult to halt the rapid dissemination of leaked data online, the best defense is to be mindful of the personal information you reveal and to actively prepare for a major breach ahead of time.