What is doxing and how to protect yourself?

Did you know how to protect yourself against doxing?

  • Yes

    Votes: 9 29.0%
  • Not really

    Votes: 19 61.3%
  • I knew some ways

    Votes: 3 9.7%

  • Total voters
    31

RoboMan

Level 34
Thread author
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
Let’s admit it: these days our level of self-disclosure is at sky high. Websites, discussion forums, social media profiles filled up with personal details, photos, geotags – all telling the world about who and where you are. We leave our footprints all over the Internet. And if there happens to be someone who is eager enough to collect all that info and share it publicly, you are likely to become a victim of doxing.

What is doxing?
Searching, collecting and sharing personally identifiable information publicly against the target’s will is called doxing. The word ‘doxing’ comes from ‘dropping docs’ – a technique old-school hackers used as a revenge tactic back in the IRC times. What it meant was stripping away one’s anonymity to intimidate, harass, or even to draw the attention of law enforcement agencies. Of course, hackers, who strive to stay anonymous by any means, considered doxing a cruel attack.

Fast-forward to these days, doxing is a privacy-invading tactic that cyberbullies employ. You don’t even have to be a public figure – absolutely anyone can become a victim if they get on the radar of a bad character.

Just imagine: you leave a comment on an Instagram post. The owner of the page doesn’t like your opinion and decides to teach you a lesson by doxing you – publicly revealing your real identity, email address, telephone number, the company you work for and other details he or she can find on the Internet.

How harmful can doxing be?
Motives for doxing always come from a negative place – to humiliate, cause public embarrassment or harm reputation, either personal or professional. Attackers may seek to bring their target to justice in the public eye, causing a potential nightmare of social backlash.

Again, doxing involves only the info that already exists somewhere on the Internet and can be dug out one way or another. The essence is putting it all together, piece by piece, and making it easily accessible to anyone. Doxing material can be a mix of personal details, financial documents, network data, embarrassing photos and other private files, signed petitions, as well as publicly shared opinions on social networks and discussion forums. Regardless of its extent, doxing is a serious privacy violation.

How do doxers collect info?
Methods for collecting information range from easy-as-pie info harvesting to advanced hacking.

Sometimes all it takes is compiling publicly available data. Combine a high level of self-disclosure with a low level of security – and voilà! An attacker can learn a surprising amount about a target by just grasping info that is publicly available online.

Here are other common techniques:

  • Wi-Fi (packet) sniffing
Public Wi-Fi networks are extremely vulnerable to hacking. A doxer can intercept your Internet connection without great effort and see real-time data going through the network. This means that your sensitive data, such as passwords and credit card data, is at high risk to be compromised.

  • Analyzing file metadata
By simply looking at your file metadata, an attacker can learn a great deal about you. For example, if you go to the ‘Details’ section of an MS Office file, you will see who created and who edited the file, as well as when and from what company any edits were made. Similarly, photos have the so-called EXIF data. It shows the model of a smartphone or camera, its resolution and the time when the photo was taken. Moreover, it can also reveal the location if GPS was enabled at the time of taking the photo.

  • IP logging
Hackers can slip an IP logger – an invisible piece of code – into your device through an email or a message so they can sniff out yours IP address.

Of course, the most persistent doxers can go far beyond than the mentioned, so it’s important to know what prevention steps you can take to avoid unpleasant consequences of doxing.

How can you prevent getting doxed?
The good thing is, there are steps you can take to avoid doxing or at least to minimise its harm.
Follow these tips without delay to get peace of mind:

#1: CHECK WHAT INFO ABOUT YOU CAN BE FOUND ONLINE
Search engines are likely the first place trolls go to collect info about a target. You can do the same to see what the Internet has to tell about you – simply run a search with your name on DuckDuckGo in the incognito mode.Why not Google? The great thing about the DuckDuckGo search tool is that it doesn’t do profiling and deliberately shows the same results to all users. This way, you can get the same view as a potential doxer.

Once you know what info about you is out there, try to take as much content off as possible. However, it can be challenging.

#2: USE TWO-FACTOR AUTHENTICATION
For trolls, breaking into your online accounts is like opening Pandora’s box. This is why you should protect all your accounts by enabling two-factor authentication if there’s an option to do so. Even if an attacker happens to know your password, they will bump into a wall at the next authentication step.

Although any kind of 2FA is better than nothing, it is recommended to avoid choosing SMS as a method of verification, as messages still can be intercepted. It is better to use trusted authentication apps, such as Google Authenticator.

#3: SECURE YOUR PASSWORDS
If you haven’t changed your passwords for a while or, even worse, you’re using the same one for several accounts, wait no longer and create strong, unique passwords for each online service you’re signed up to.

What makes a password strong? Using at least 10 unique characters and making use of passphrases. Nevertheless, lengthy passwords are difficult to remember, so it is recommended to use a password manager, such as LastPass. Not only will it generate unique, lengthy passwords, but also keep them secure without you having to remember them all – just a single master password.

#4: CONTROL YOUR PRIVACY SETTINGS ON SOCIAL NETWORKS
People tend to share a lot of personal details on social networks, both intentionally and accidentally. However, to avoid potential harm of doxing, the less info you reveal to strangers the better.

Your Facebook profile can be a goldmine for doxers if you don’t pay attention with whom you share your info. Make your profile, photos and status updates visible to friends only. Also, go through your ‘friends list’ regularly to eliminate those who you don’t know or don’t have to be in contact anymore.

Facebook lets you customize your privacy settings so you can stay in control of what you share and with whom. Dedicate some time to review your profile settings and adjust them for the sake of privacy.

#5: USE A VIRTUAL PRIVATE NETWORK (VPN)
A virtual private network is like a secure tunnel for your Internet traffic. Connecting to VPN encrypts your online data and hides your real IP address, so no snoopers could sniff your private information. With VPN, you can feel secure even on public Wi-Fi networks.

When choosing a VPN service, pick the one that follows a strict no-logs policy. Extra security features, such as protection against malware and an ad blocker also comes in handy when cutting the ways doxers might try to access your private data.

Original article:
What is doxing and how can you protect yourself? | NordVPN
 
F

ForgottenSeer 58943

It's impossible to dox me. I'm hardened against it, as is my family.

Largely because my attorney created a cease and desist letter for me I send around to get our names scrubbed. Also I do a twice a year audit on what search engines find them opt-out of everything. That, along with the following practices;

1) When possible I use My10MinuteMail.com for disposable emails for temporary site registrations/product downloads/surveys.
2) I utilize fakenamegenerator.com to generate unlimited false identities used throughout the internet.
3) My entire street is blurred out on the main search engines and Google Earth. (That took some work!)
4) A bi-yearly audit of any identifiable information is done with all of the search engines, then the information is scrubbed.
5) I use a wide array of privacy tools, identity scrubbers and zero knowledge products/services.
6) I'm unpredictable, have no major patterns and change my systems up regularly.
7) My VOIP service allows me to create unlimited 'disposable' numbers to which the primary one all forwards.

In effect, it's quite improbable if not nearly impossible to dox me. I've recently extended this out to my family members as well since your weakest link is likely your largest attack vector. The only place I know of where my real name is used is Facebook. But I am careful what is posted, scrub my account every 30 days, and have high privacy settings being careful to friend only people I know personally and want to be friends with.
 

Weebarra

Level 17
Verified
Top Poster
Well-known
Apr 5, 2017
836
It's impossible to dox me. I'm hardened against it, as is my family.

Largely because my attorney created a cease and desist letter for me I send around to get our names scrubbed. Also I do a twice a year audit on what search engines find them opt-out of everything. That, along with the following practices;

1) When possible I use My10MinuteMail.com for disposable emails for temporary site registrations/product downloads/surveys.
2) I utilize fakenamegenerator.com to generate unlimited false identities used throughout the internet.
3) My entire street is blurred out on the main search engines and Google Earth. (That took some work!)
4) A bi-yearly audit of any identifiable information is done with all of the search engines, then the information is scrubbed.
5) I use a wide array of privacy tools, identity scrubbers and zero knowledge products/services.
6) I'm unpredictable, have no major patterns and change my systems up regularly.
7) My VOIP service allows me to create unlimited 'disposable' numbers to which the primary one all forwards.

In effect, it's quite improbable if not nearly impossible to dox me. I've recently extended this out to my family members as well since your weakest link is likely your largest attack vector. The only place I know of where my real name is used is Facebook. But I am careful what is posted, scrub my account every 30 days, and have high privacy settings being careful to friend only people I know personally and want to be friends with.

Wow @ForgottenSeer 58943, i wish i could do all that but it seems a heck of a lot of work for someone like me who is only a a bit of a novice when it comes to security but it has been interesting to read what steps you have taken :)
 

Daljeet

Level 6
Verified
Well-known
Jun 14, 2017
264
For me I try to be hidden by hiding my face from CCTV camera's and posting my original pictures in social networking because technology is changes now your face is key. Through camera and photo's easily detect your face and easily identify you.I have fear from facebook they have right now huge database of information including fotos of peoples.
 
D

Deleted member 65228

Everyone can be socially engineered, it's simply a matter of patience and experience. Someone out there will be capable of socially engineering you, but you have a trained eye and thus certainly won't be an easy target. It could start off with simple things which appear meaningless to you, but eventually each part joins together like a puzzle and further reveals your true identity.

Someone you know could also somehow discover your online identities and expose pieces of the puzzle, or someone you appear to get on well with may know more and thus they could be socially engineered.

Using cyber-security techniques for security such as a VPN/Proxy, switching online identities regularly, using fake e-mail addresses and what-not... It's only just the tip of the ice-berg. Social engineering when successful will make all of it meaningless for that specific scenario.

There's nothing that can be done to eliminate it entirely, it's just how our brains work. We can only make ourselves a stronger target but the vulnerability will always exist because we cannot simply change the way our brains work, we all have a weakness one way or another beneath the surface in which we may not even know it.
 
D

Deleted member 65228

For me I try to be hidden by hiding my face from CCTV camera's and posting my original pictures in social networking because technology is changes now your face is key. Through camera and photo's easily detect your face and easily identify you.I have fear from facebook they have right now huge database of information including fotos of peoples.
What about your friends though, do they have Facebook profiles and pictures while on a night out with you and lack privacy settings? Would they accept a random friend request and eliminate the point of the privacy settings? If not, what if somewhere online you found out of a friend of that friend of yours and stole their identity temporarily and made out that it was a new Facebook account, would they blatantly accept it then and thus give access to an attacker who may now be able to see potential photo's which include yourself?

What about your current profile, what if you used the same avatar elsewhere and some cross-reference searching led someone to another forum where the same avatar and writing style is used under a different name, and thus a background search on that name solves more pieces to the puzzle of who you are?

Hobbies, taste of music and films, games you play, various online handles, potentially even genuine location data from social networks or friends/friends of friends information, shared photos which include yourself (potentially from family referenced on yours or friends/friends of friends online network profiles), malware infection using a VPN kill-switch to expose your true IP, etc, etc.

You could leak so much about yourself with a single meaningless (to you) post online that it's not even funny, and each post can build up into a huge database profile of the individual and their personality/character.

What if someone managed to obtain a real e-mail from a hack dump leaked online which is matched to an online handle of yours? Now it's potential spear phishing with spoof email sender. Another attack vector. This alone could lead to numerous online profiles, social networking, maybe even expose your real first and/or last name or an entirely new online handle. Not to mention that it might be an old account and you may not be aware of the breach... So now what if the credentials are still valid from the old dump online and the attacker now signs in as you... More information becomes unveiled.

This is actually what government agencies/police do sometimes, they surveillance and build a huge profile of information regarding the target, and use this to narrow down potential candidates/learn more about what they are dealing with. Sometimes they could potentially literally spend years on one case if it's extremely high-target/value.

There's endless possibilities here.
 

Weebarra

Level 17
Verified
Top Poster
Well-known
Apr 5, 2017
836
Everyone can be socially engineered, it's simply a matter of patience and experience. Someone out there will be capable of socially engineering you, but you have a trained eye and thus certainly won't be an easy target. It could start off with simple things which appear meaningless to you, but eventually each part joins together like a puzzle and further reveals your true identity.

Someone you know could also somehow discover your online identities and expose pieces of the puzzle, or someone you appear to get on well with may know more and thus they could be socially engineered.

Using cyber-security techniques for security such as a VPN/Proxy, switching online identities regularly, using fake e-mail addresses and what-not... It's only just the tip of the ice-berg. Social engineering when successful will make all of it meaningless for that specific scenario.

There's nothing that can be done to eliminate it entirely, it's just how our brains work. We can only make ourselves a stronger target but the vulnerability will always exist because we cannot simply change the way our brains work, we all have a weakness one way or another beneath the surface in which we may not even know it.

Oh no, you have got me as
paranoid.gif
as hell now. I ain't talking to anyone anymore ............... i'm too scared :eek:
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
Just imagine: you leave a comment on an Instagram post. The owner of the page doesn’t like your opinion and decides to teach you a lesson by doxing you – publicly revealing your real identity, email address, telephone number, the company you work for and other details he or she can find on the Internet.
They do not have to do it, I do it myself. I use the same username linked to my real name everywhere. The point of social network is to meet new people and hiding behind a fake profile is hardly a way to do it. As for my comments, whatever I say online I say anyone face to face. I laugh at people trying to intimidate me, I use it against them. Like when they say, that I am moron and that love ponies. I reply: Sure I know, that I dumb and I by the way, I actually sleep with plush ponies. :)
 

DavidLMO

Level 4
Verified
Dec 25, 2017
158
@ForgottenSeer 58943 and @Opcode in particular - Your posts brought back many memories. Back in the olde days (pre WWW and in the early days of the WWW) I was heavily involved in Abuse matters - both as an Abuse Manager and involvement with the NANA heirarchy in Usenet. And later when the "Net" really took off and spam became a major problem, I was also heavily involved in Spam fighting.

Here is a tidbit of info you can use to Social Engineer me. I was one of the founders of the Lumber Cartel. From that you should be able to identify my "Abuse personna". Hint - When trying to use these tools don't forget the Internet Wayback machine. Quite useful.
 
F

ForgottenSeer 58943

For me I try to be hidden by hiding my face from CCTV camera's and posting my original pictures in social networking because technology is changes now your face is key. Through camera and photo's easily detect your face and easily identify you.I have fear from facebook they have right now huge database of information including fotos of peoples.

Any facial photos I put on Facebook are pixelated via tools, such this:
Censor photo (blur, pixelate) online

Also the EXIF is scrubbed on shares/updates. On mobile devices scrubbed by ScrambledExif from F-Droid, if on PC done with EXIF Purge.
 

show-Zi

Level 36
Verified
Top Poster
Well-known
Jan 28, 2018
2,463
What if someone managed to obtain a real e-mail from a hack dump leaked online which is matched to an online handle of yours? Now it's potential spear phishing with spoof email sender. Another attack vector. This alone could lead to numerous online profiles, social networking, maybe even expose your real first and/or last name or an entirely new online handle. Not to mention that it might be an old account and you may not be aware of the breach... So now what if the credentials are still valid from the old dump online and the attacker now signs in as you... More information becomes unveiled.

This is actually what government agencies/police do sometimes, they surveillance and build a huge profile of information regarding the target, and use this to narrow down potential candidates/learn more about what they are dealing with. Sometimes they could potentially literally spend years on one case if it's extremely high-target/value.

There's endless possibilities here.

Messages you want to deliver to people enjoying the web like neighboring groups

Oh no, you have got me as
paranoid.gif
as hell now. I ain't talking to anyone anymore ............... i'm too scared :eek:
"There are as many bad people as good people, so please be a little careful going out."
If you are silent with extreme fear, you will not experience joy. There is no problem as long as you pay attention.:)
 
F

ForgottenSeer 58943

Hobbies, taste of music and films, games you play, various online handles, potentially even genuine location data from social networks or friends/friends of friends information, shared photos which include yourself (potentially from family referenced on yours or friends/friends of friends online network profiles), malware infection using a VPN kill-switch to expose your true IP, etc, etc. What if someone managed to obtain a real e-mail from a hack dump leaked online which is matched to an online handle of yours?

Agreed, there are MANY leaks of data unless one is diligent. This is why I do not answer surveys, subscribe to lists, coupon clubs and shopper club nonsense. If you are going to assert your privacy then you need to do it everywhere not just in some places.

Some additional techniques I use; Unique email usernames w/privacy based email services. Changing email addresses every 24-36 months and closing previous accounts. EXIF purging. Pixelatation of photos. Etc.

Once you 'get in the habit' of all of it, it's easy and fast and becomes second nature. I've trained my children to do the same thing and they've learned it as a life skill and have a near zero profile on the internet as a result of starting these habits early on in their life - it's a habit for them now. My daughter needed another Gmail account for something and I actually caught her using a Keygen to make the username because she couldn't think up a fake one.:unsure:

Given all of that, there are still methods of discovery out there but they quickly exceed the finances and capabilities of 'normal' actors attempting to dox you. That's the point here.. Not necessarily to avoid state actors, but to avoid the basic loser doxers up to the persistent, annoying doxers that have higher capabilities. State Actors it's a whole different game, they can even use Stylography to pin your identity if they want. Now there ARE countermeasures for that should anyone be so inclined including stylography masking programs and such, but that's a whole different topic.
 
D

Deleted member 65228

Messages you want to deliver to people enjoying the web like neighboring groups
Or the verification for your PayPal wallet password reset which holds 20 grand...?

The world isn't so nice and kind, there are some real b****r*s out there who want to do harm, so you must protect yourself.
 
Last edited by a moderator:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top