Doxing (short for "dropping documents,"
"docs," or "dox" is when a hacker or other Internet user
captures information from someone or a group and posts it online without your
consent. While we've seen celebrities, politicians and social media influencers
doxed in recent years, anyone (and their personal information) can become the
target of someone's malicious scheme.
Depending on what the controller's goals are, there is a wide
range of personal data, a physical address, contact information or bank account
information, that they might seek to dig up and display all over the internet.
But what is doxing, exactly? In this article, we'll take a look
at what doxing is and how it works, how to protect ourselves, and why there's a
blurry line as to whether or not this practice is illegal.
How does doxing work?
Doxing (sometimes spelled "doxxing") is a malicious
act in which hackers or other online threats are interested in exposing the
identity of someone who is trying to remain anonymous, or want to humiliate or
harass someone who wants to remain anonymous private.
With all of our personal information floating around the
internet, doxers can access a lot of this private information in completely
legal ways.
If you've ever uploaded your CV to a public website while
looking for a job, for example, your email address, physical address, and
mobile number could be publicly available to anyone who's interested.
Likewise, if you've ever owned or registered a domain name and
website, you may have provided a piece of personal information that can be
easily accessed with a simple, free, and quick search.
Methods used for doxing
There are all sorts of ways hackers and malicious users can get
your personal information and identity online. For determined and technically
savvy hackers and doxers, hunting for data on the Internet can be very easy.
Here are some of the most common and effective ways doxers can
get the information they want:
Cyber bullying on social media
Once public sharing is established, social media accounts are
completely open to anyone interested in looking through them. A snoopy could
access any personal or private data that someone thinks they are sharing with
their family and friends online.
Various account security questions are often created from
relationships with people, family members, names of pets, and schools you went
to. If any of those things are made public on the Internet, a stalker can
quickly find them.
Perform a WHOIS lookup on domain names
When business owners register a domain for their website, they
can decide whether or not to provide sensitive information such as phone
numbers, physical home or business addresses, and email addresses. A quick
search can bring up this information without the need for technical knowledge.
Username Tracking
Doxers can track usernames across apps and websites, and generate
a profile based on the individual's behavior. This is especially effective on
social networks like Reddit and Twitter, where target users believe they are
anonymous, but are actually quite easy to locate. All the data is collected
together and used against the target.
Government records to steal personal information
Marriage agencies, business license dealers, county record
providers, traffic, and many other government websites have public records
available for searching. While employees can use them to check criminal records
or driver's licenses, among other things, anyone can access this personal
information that is made available to the public.
Phishing scams to steal personal information
Phishing has long been a way hackers and cybercriminals steal
sensitive data from their victims. If the doxers are looking for a specific
piece of information, they might try to fish for it. They could pose as a major
financial institution and ask for specific identifying information via email.
Or they could try to trick victims into clicking a malicious link that would
allow attackers to access their devices and leak their websites and apps.
Track your IP address
Once a hacker has located your IP address, they also find your
physical location. This could open your Wi-Fi and Internet Service Provider
(ISP) to hacking and cyberattacks.
Once they have your physical address, they might as well
cross-reference it through other outlets to dig up all sorts of information.
And that's without considering that credit card companies often use addresses
and zip codes to confirm card use.
Reverse phone lookup services
If your mobile number is available online, it will be very easy
to target it through SMS scams or vishing (phishing through calls). Also once
cybercriminals have the number, they can use reverse mobile phone lookup
services to find out more about the person behind this number.
This number could also cause a domino effect revealing more
valuable information in a doxing attack.
Packet sniffer
Packet sniffers are pieces of hardware or software that analyze
and monitor network traffic.
Doxers could use them to filter information coming from a
particular source. Once they have breached network security protocols, they can
collect information such as passwords, bank account logins, and credit card
numbers.
Use websites of information brokers
An entire industry is dedicated to serving targeted advertising
agencies by aggregating user data, search habits, and trends.
While most buyers are within the world of advertising, anyone
can access this vast collection of data. If a doxer is looking for a specific
user, it can easily track a device via GPS coordinates and IP addresses.
What information do the doxers want?
There are many things that doxers might be interested in while
leaking a target's personal information, using the methods mentioned above. It
may be easier than you think to find and dox:
●
Phone numbers, email addresses, and other
contact information
●
social security numbers
●
Physical addresses of home or business
●
Members of the family
●
Online search histories
●
Credit card provider, numbers and details
●
Bank account information
●
social media accounts
●
Personal photos
●
Tweets, posts and statuses
●
Other personal details
Is doxing legal?
Briefly? Depends on the situation. Doxing is not illegal if the
collection of personal information was done legally. For doxing to enter
illegal territory, doxers must publish private information that was never
supposed to be available. This could be a credit card number, bank account
details or an unlisted phone number.
If doxing results in cyberbullying or personal threats to the
victim, it could also be considered a crime and could involve law enforcement.
Doxing is managed differently depending on its severity, too. If
a hacker revealed someone's name or a public phone number for a business, it
might not be taken as seriously in the eyes of the law as sharing someone's
physical address or financial accounts.
Regardless of how governments and law enforcement see it, many
websites have doxxing rules in their terms of service. So if a hacker used a
particular social network to dox someone, their account could be suspended or
deleted, although the legal repercussions could be minimal.
How to protect yourself from doxing
With all the ways available to expert hackers, and would-be
doxers, it seems that anyone can become a victim. If you've ever posted on
social media, left comments on social media, gotten caught up in a forum chat,
or been active in comment sections of media articles, you could become a
target.
While the aftermath of doxing can be devastating, there are some
online tools available to users that might help you protect yourself from
doxing:
1. Mask your IP address with a VPN
Once the hacker has figured out your local IP address, they will
also figure out a physical address and the corresponding Internet Service
Provider (ISP) account. This not only reveals your home address and other
information, it can even make your Wi-Fi connection a target for hacks. You can
also use proxy sites to hide your IP, although they are not always effective.
A Virtual Private Network (VPN) hides your real IP address and
assigns you a new anonymous one from one of its thousands of servers located around
the world. VPNs also encrypt all of your data end-to-end on a network, so
hackers won't be able to intercept your data on unsecured Wi-Fi networks.
As
the first line of defense against doxing attacks, we can recommend NordVPN. It
is consistently at the top of our rankings, reviews, and lists for security and
privacy.
2. Take advantage of premium cybersecurity
With the recent surge in ransomware and other malware attacks,
users are taking their cybersecurity very seriously. Make sure you have a good
antivirus that protects you from doxing attacks that come from malware and
malicious downloads.
Good software can find and quarantine new threats before they
enter your system. That way, it can ensure your threat protection is active and
constantly up-to-date, in case you accidentally download malicious files or
click the wrong link.
3. Strong passwords
Be sure to choose passwords with combinations of upper and lower
case letters, numbers, and symbols. Remember that they are different on all
websites and other accounts. One of the worst mistakes users can make is to
have a password stolen in a breach and have hackers successfully use that
password on other accounts.
It's also a good idea to set up separate email accounts for
different platforms.
If you're having trouble creating and remembering complex
passwords, it might be time to think about using a password manager. Take a
look at 1Password, our recommendation this year.
4. Private social media accounts and usernames
When creating new usernames, make sure it's not your first and
last name followed by a number. If a hacker or doxer gets your name, a quick
data cross on LinkedIn or Instagram will bring up that username.
For most accounts that are connected to your professional life,
like LinkedIn, Facebook, and Twitter, you'll want to use your real name. In
those cases, be sure to check your privacy settings and set them to the highest
level.
You only want your address, phone number, employment history, or
other private information to be available to the people you agree to connect
with. This also goes for all your accounts. Never share anything you don't feel
safe with someone sharing in public.
5. Different usernames for different platforms
If you use the same username for Reddit, Snapchat, Twitter, and
Instagram, and are active on all platforms, a doxer could do a summary of your
history in a matter of minutes.
If you're active on online forums and comment sections, be sure
to use different usernames for different sites and subscriptions. For people
who actively post politically or express opinions on movie forums, something
you said in one group could be used against you in another.
Remembering all those usernames and passwords can be a chore, so
this is another opportunity where a password manager could help.
6. Do not participate in tests from sources that are not
trusted
Personality tests or other types of tests can be fun if you're
on a popular website like Buzzfeed, Mental Floss, or Zimbio that doesn't
require you to log in. But be wary when a random website asks you to log in via
Facebook, Google or other ways.
These online tests often ask things that can elicit answers to
various account security questions, such as the name of your first pet, the
school you went to, and the name of your oldest friend.
While you think you are just running a fun test, the personal data you are exposing could be a treasure trove for doxers and cybercriminals.