{"id":18281,"date":"2021-04-29T19:27:52","date_gmt":"2021-04-29T15:27:52","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/doxing-methods\/18281\/"},"modified":"2021-04-29T19:27:52","modified_gmt":"2021-04-29T15:27:52","slug":"doxing-methods","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/doxing-methods\/18281\/","title":{"rendered":"How to protect yourself from doxing"},"content":{"rendered":"

Every time you like something on a social network, join a community of neighborhood residents, publish your CV, or get caught on a street camera, the information accumulates in databases. You may have no idea how vulnerable leaving all those traces of information \u2014 every action on the Internet and almost every action in the real world \u2014 leaves you.<\/p>\n

The wrong biker, driver, father<\/h2>\n

Doxing can happen to anyone, as these three anecdotes illustrate.<\/p>\n

When Maryland cyclist Peter Weinberg began receiving<\/a> insulting messages and threats from strangers, he learned that his workout app was publishing his cycling routes and somebody had used them to deduce that Weinberg had recently passed not far from where somebody had attacked a child. The crowd quickly \u2014 and incorrectly \u2014 identified him as the suspect and found and published his address. In a very familiar pattern, the subsequent corrective tweets and other clarifications were shared far less widely than the original information was.<\/p>\n

On the other side of the world, an animal rights activist from Singapore published the name and address of a person whose car hit a dog<\/a>, with a call to \u201cgive her hell.\u201d According to the car\u2019s owner, the public accusations harmed her career<\/a>: After vigilantes figured out where she worked, hate posts hit the company\u2019s Facebook page. As it happens, another person was driving the car at the time of the accident.<\/p>\n

A more famous iteration of the story involves former baseball pro Curt Schilling, who saw tweets about his daughter he considered inappropriate and offensive. Schilling tracked down their authors (which he said took less than an hour), collected a sizable dossier on each, and posted<\/a> some of the information on his blog. The offenders who were connected with the baseball community were fired or removed from their athletic teams within a day.<\/p>\n

What happened?<\/h2>\n

All three stories provide simple examples of doxing<\/a>. The word describes the collection and online publication of identifying data without the owner\u2019s consent. Apart from being unpleasant, it can also be damaging in real life, to the victim\u2019s reputation, employment, and even physical safety.<\/p>\n

Doxers\u2019 motives vary. Some believe they\u2019re exposing criminals; some are trying to intimidate their online opponents; still others are in it to avenge personal slights. Doxing as a phenomenon emerged in the 1990s, but it has since become much more dangerous \u2014 and with the volume of private information now available to all, doxing really requires no special skills or privileges.<\/p>\n

We\u2019re not here to analyze the legality or ethics of doxing. As security experts, our task is to outline doxers\u2019 methods and suggest ways to protect yourself.<\/p>\n

Doxing: A look from the inside<\/h2>\n

Because it requires neither special knowledge, nor many resources, doxing has become very common. The tools doxers use tend to be legitimate and public, too.<\/p>\n

Search engines<\/h3>\n

Ordinary search engines can provide a lot of personal information, and using their advanced search functions (for example, searching among specific websites or file types) can help doxers find the right information faster.<\/p>\n

In addition to first and last name, a nickname can also betray a person\u2019s online habits. For example, the common practice of using the same nickname on several websites makes things easier for online detectives, who can use it to aggregate comments and posts from any number of public resources.<\/p>\n

Social networks<\/h3>\n

Social networks, including specialized ones such as LinkedIn, contain a wealth of personal data.<\/p>\n

A public profile with real data is basically a ready-made dossier. Even if a profile is private and open to friends alone, a dedicated investigator can collect bits of info by scanning a victim\u2019s comments, communities, friends\u2019 posts, and so forth. Add a friend request, perhaps from someone posing as a job recruiter, and you arrive at the next level, social engineering.<\/p>\n

Social engineering<\/h3>\n

A hallmark of many attacks, social engineering takes advantage of human nature to help doxers gain information. Using publicly available information about a mark as a starting point a doxer can contact the victim and persuade them to give up their own information. For example, a doxer might appear in the guise of a medical admin or bank rep to try to wheedle information out of a victim \u2014 a ploy that works a lot better with a few bits of truth sprinkled in.<\/p>\n

Official sources<\/h3>\n

People in the public sphere tend to have the hardest time maintaining network anonymity, but that doesn\u2019t mean rock stars and pro athletes are the only ones who need to safeguard their personal information.<\/p>\n

A doxer may even use an employer to betray a potential doxing victim\u2019s confidence, such as with a full name and photo on a corporate About Us page or full contact info on a departmental site. Sounds innocent, but general company info gets you close to the person geographically, and the photo may lead to their social network profile.<\/p>\n

Business activities, too, typically leave traces on the Internet; and, for example, quite a bit of information about company founders is publicly available in many countries.<\/p>\n

Black market<\/h3>\n

More sophisticated methods include use of nonpublic sources, such as compromised databases belonging to government entities and businesses.<\/p>\n

As our studies have shown, darknet outlets sell all sorts of personal data<\/a>, from passport scans ($6 and up) to banking app accounts ($50 or more).<\/p>\n

Professional data collectors<\/h3>\n

Doxers outsource some of their work to data brokers<\/em>, companies that sell personal data collected from various sources. Data brokerage is not a custom criminal enterprise; banks use data from brokers, as do advertising and recruitment agencies. Unfortunately, however, not all data brokers care who buys the data.<\/p>\n

What to do if your data has leaked<\/h2>\n

In an interview with Wired<\/em>, Eva Galperin, the Electronic Frontier Foundation\u2019s director of cybersecurity, suggests<\/a> that if you learn that your personal information has been misused, you should contact any social networks where doxers published your data. Start with customer service or tech support. Disclosure of private information without the owner\u2019s consent normally constitutes a breach of user agreement. Although doing this will not solve the problem completely, it should reduce potential damage.<\/p>\n

Galperin also recommends blocking your social network accounts or finding someone to manage your accounts for some time after an attack. Like other available post-breach measures, it can\u2019t undo the damage, but it might just save your nerves and perhaps help you avoid some difficult situations online.<\/p>\n

Protecting yourself from doxing<\/h2>\n

You are certainly better off reducing the probability of a data leak than dealing with its consequences. Immunity doesn\u2019t come easy, though. For example, you can hardly influence data dumps or leaks from governmental or social network databases. You can, however, make doxers\u2019 jobs harder.<\/p>\n

Do not reveal secrets on the Internet<\/h3>\n

Keep your personal data off the Internet \u2014 especially your address, phone number, and photos \u2014 to the extent possible. Make sure any photos you post contain no geotags<\/a>, and likewise that documents hold no private information<\/a>.<\/p>\n

Check your social network account settings<\/h3>\n

We recommend choosing strict privacy settings on the social networks and services you use, leaving profiles open to friends only, and monitoring your list of friends regularly. You can use the step-by-step instructions on our Privacy Checker<\/a> portal to set up social networks and other services.<\/p>\n

Protect your accounts against hackers<\/h3>\n

Using a different password for every account may be a hassle (although it doesn\u2019t have to be<\/a>), but it\u2019s an important safeguard. If you use the same password everywhere, and one of your services leaks it<\/a>, then even the strictest privacy settings won\u2019t help you.<\/p>\n

We recommend using a password manager. Our solution, Kaspersky Password Manager<\/a>, saves not just passwords, but also the websites and services they access, leaving only one master key for you to remember. We also recommend using two-factor authentication wherever you can, to further strengthen your defense.<\/p>\n\n

Play it smart with third-party accounts<\/h3>\n

If possible, avoid signing up for websites using social network or other accounts containing your real data. Associating one account with another makes your online activities easier to follow, for example, by linking your comments with your own name.<\/p>\n

To solve the problem, keep at least two e-mail accounts, reserving one for your real-name accounts and the other for websites where you prefer to stay anonymous. Use different nicknames for different resources as well, to make collecting info about your Internet presence harder.<\/p>\n

Try building a dossier on yourself<\/h3>\n

One way to learn about the state of your privacy is to play the role of a doxer and search the Internet for information about yourself. That way, you can learn about any issues your social network accounts have and find out which bits of your personal data are roaming the Internet. What you find can help you track down the source of such data and possibly even learn how to have it deleted. To keep an eye out passively, you can set up Google<\/a> to notify you about any new search results on queries containing your name.<\/p>\n

Delete info about yourself<\/h3>\n

You can report any content infringing on your privacy and ask search engines and social networks to delete your data (for example, here are instructions for Google<\/a>, Facebook<\/a>, and Twitter<\/a>).<\/p>\n

Social networks and other services typically disallow unauthorized publication of personal data through their use policy, but in reality, only law enforcement authorities can get a handle on certain dubious resources.<\/p>\n

Legal data brokers normally allow individuals to delete their personal info, but based on the sheer number of such companies, removing everything won\u2019t be easy. At the same time, however, there are agencies and services that can help erase digital tracks. You\u2019ll have to find the balance of ease, thoroughness, and cost that works for you.<\/p>\n

Quick tips<\/h2>\n

One can get targeted by doxing at any time, with or without apparent cause. These tips will help you preserve your online privacy:<\/p>\n