Doxing Can Ruin Your Life OR Get You Arrested

Post a Fraud Alert:

Doxing, or doxxing (from “dox”, abbreviation of documents), is the Internet-based practice of researching and broadcasting private or identifying information (especially personally identifying information) about an individual or organization. The methods employed to acquire this information include searching publicly available databases and social media websites (like Facebook), hacking, and social engineering. It is closely related to Internet vigilantism and hacktivism.

Doxing may be carried out for various reasons, including inflicting harm, harassment, online shaming, extortion, coercion, business analysis, risk analytics, aiding law enforcement or vigilante versions of justice.

Initial efforts around doxing were largely related to internet discussion forums on [Usenet]. One of the first documented doxing events was the publication of a “Blacklist of Net.Nazis and Sandlot Bullies” which listed names, email addresses, phone numbers, and mailing addresses of individuals the author objected to.

Doxware is a cryptovirology attack invented by Adam Young and further developed with Moti Yung that carries out doxing extortion via malware. It was first presented at West Point in 2003. The attack is rooted in game theory and was originally dubbed “non-zero sum games and survivable malware”.

The attack is summarized in the book Malicious Cryptography as follows:

The attack differs from the extortion attack in the following way. In the extortion attack, the victim is denied access to its own valuable information and has to pay to get it back, where in the attack that is presented here the victim retains access to the information but its disclosure is at the discretion of the computer virus.

Doxware is the converse of ransomware. In a ransomware attack (originally called cryptoviral extortion), the malware encrypts the victim’s data and demands payment to provide the needed decryption key. In the doxware cryptovirology attack, the attacker or malware steals the victim’s data and threatens to publish it unless a fee is paid.

Common techniques

Once people have been exposed through doxing, they may be targeted for harassment through methods such as harassment in person, fake signups for mail and pizza deliveries, or through swatting (dispatching armed police to their house through spoofed tips).

A hacker may obtain an individual’s dox without making the information public. A hacker may look for this information in order to extort or coerce a known or unknown target. Also, a hacker may harvest a victim’s information in order to break into their Internet accounts, or to take over their social media accounts.

The victim may also be shown their details as proof that they have been doxed in order to intimidate. The perpetrator may use this fear and intimidation to gain power over the victim in order to extort or coerce. Doxing is therefore a standard tactic of online harassment and has been used by people associated with 4chan and in the Gamergate and vaccine controversies.

The ethics of doxing by journalists, on matters that they assert are issues of public interest, is an area of much controversy. Many authors have argued that doxing in journalism blurs the line between revealing information in the interest of the public and releasing information about an individual’s private life against their wishes.

If you are a Doxing Victim:

Doxing is against the Terms of Service of just about every web platform. If you report the doxing to the platform, they’ll usually suspend the person’s account, or force them to take the post down or delete the post in question. But if you’re facing really coordinated harassment, sometimes by that time it’s too late, because they can amass a troll army at that point. They can keep changing platforms.

That’s why it’s good to have a plan, and a backup person who will be your right hand in an emergency. If you’re being doxed, it can sometimes be in conjunction with something else terrible that’s happening to you. So you want to be able to get some distance from the whole situation.

In a recent survey:

More than 90 percent of the doxed files included the victim’s address, 61 percent included a phone number, and 53 percent included an email address. Forty percent of victims’ online user names were made public, and the same percentage revealed a victim’s IP address. While less common, sensitive information such as credit card numbers (4.3 percent), Social Security numbers (2.6 percent), or other financial information (8.8 percent) was also revealed.

How you can get doxxed and how to avoid getting doxxed

Cybercriminals and trolls can be very resourceful in how they doxx you. They can use a single clue, and then follow it up until they slowly unravel your online persona and reveal your identity.

Here’s what you should look out for if you want to stay anonymous on the web:

Revealing your identity through the information you post – The more you write on forums and message boards, the higher your chances become of accidentally revealing personal information about you. If you use social media, it’s even more dangerous.

Packet sniffing – Packet sniffing is a hacking method where the doxxer intercepts your Internet data, looking for valuable information about you, such as emails, passwords, credit card data and so on.

Matching information between an online persona and social media profile – Ross Ulbricht was the founder of the infamous darknet website Silk Road, which traded drugs, guns and so on. To hide his identity, he used the nickname “Dread Pirate Roberts”. The police were able to connect Ross Ulbricht and Dread Pirate Roberts partly because both of these “personas” said they were a) libertarians b) followers of the Mises Institute c) both of them wanted to create “an economic simulation of what it would be like to live in a world without systemic use of force”.

Doxxers analyze file metadata – Microsoft Office files such as Word or Excel documents have something called “metadata”. This is information about the document, which you can find by right-clicking a Microsoft Office file -> Properties -> Details

Doxxing through IP logging – IP loggers are tools used on the Internet to sniff out a person’s IP address. In a nutshell, these loggers attach an invisible code to a message or email, and once the receiver opens the message, the code tracks his IP address and secretly sends it back to the IP logger.

Doxxing prevention

Protect your IP address with a VPN/Proxy – VPN is short for Virtual Private Network, and acts as a filter for Internet traffic. Basically, the traffic from your PC or other device goes into the VPN and acquires its identifying properties, meaning its IP address, location, and any other similar data. It even encrypts your data and makes it so that even your ISP isn’t able to figure out your IP address.

Don’t use the Login with Facebook/Google buttons – Most apps and websites that require you to register now use the “Login with Facebook” or “Login with Google” buttons. These login methods register you on the website by using the email you used to create your Facebook or Google account. But on top of that, you will automatically give the website information attached your Facebook/Google account, such as current city, job, phone number, your native language, family info and more.

Don’t use your personal email to register on forums or other similar websites – Chances are your main email goes something like this: [firstname][lastname]@gmail.com/yahoo.com/outlook.com. It’s a simple, professional-looking combination. However, it immediately gives away your identity if someone learns it.

Hide your personal data from a website’s WHOIS – Owning a blog or website requires that you register the Internet domain with some personal information. This information is then stored in a database called WHOIS. The problem is that this database is public, meaning everyone can see the information used to register a website, including addresses, phone numbers and so on. Below you can find the WHOIS information for facebook.com:

Remove yourself from data broker websites – Some websites function as a sort of Yellow Pages. They mine the Internet for data and gather it all in one place. This can include an address, social media profile, photos, phone number, email.

Make sure Google doesn’t have any personal information about you – This can be a pretty tough undertaking since you would have to go up against one of the world’s biggest corporations. Simply google your name, and see if you’ve revealed who you are on internet forums, Reddit, niche social networks, messaging boards or any other similar websites. Just how much info does Google have on you? Check out your Google History by typing https://myactivity.google.com/myactivity in your browser when logged in to a Google account. Google knows your location as well – you can find your personal Google map with all the places you visited at the https://www.google.com/maps/timeline URL.

Know your rights, and use the law whenever possible – If you live within the EU or Argentina, then you benefit from a so-called “right to be forgotten”. This allows you to petition a search engine to remove search results concerning you. The legal options available in the United States are more limited, but Google for one does offer an option for you to remove content about you.