Let us look at arguably the most well-documented and most effective means of revenge and social engineering: doxing.
Doxing is a technique of tracing someone or gathering information about an individual using sources online and offline. The term is coined from several overlapping terms such as Docs, DocX, Info Dump, and Dropping Docs; mashed together, they create the term known today as Doxx or Doxing. Though more vocally common in the current decade with the rise of Hacktivist ideologies and the political unrest we see today, placed in the echo chambers of the Internet and social media, this is an old-school revenge tactic that emerged from hacker culture in the 1990s. It is used to pit the victim's own habits and anonymity against them, though it can also serve as an engine for transparency about an injustice, which can lead to legal repercussions. Consequently, doxing often comes with a negative connotation, because it can be used for revenge and is seen, for obvious reasons, as an invasion of privacy. Though this post provides the information needed to carry it out, readers can also use it to protect themselves from becoming victims. I highly recommend that everyone keep personal information secure and be aware of what data is available online and offline. I would also like to advise readers that people's lives have been ruined by doxing, both as victims and as attackers. Using doxing for revenge can lead to jail time or to a mass campaign of public shaming and embarrassment. Now that the disclaimer is out of the way, let us move onward to find out more about doxing and, potentially, how to avoid it.
For this portion of the post I shall be using the terminology typical of a Red Team/Blue Team game, where Red Team is the attacker and Blue Team is the defender, to make this portion easier to follow.
With the advent of social media and the greater movement of convenience over security, anyone can harvest information from the Internet about individuals. There is no particular structure or proper procedure in place for doxing, meaning someone may seek out any kind of information related to the target and relay that information haphazardly. I also hope to alleviate that in this post. To start with the basics, a basic Web search can grant results. Social media platforms like Facebook, Twitter, Instagram, and LinkedIn offer a wealth of private information, because many users perceive these as platforms of self-disclosure, making social media a one-stop shop for their photos, place of employment, phone number, and email address. As Red Team you want to utilize this information generously. As Blue Team, you would want to ensure your privacy by locking accounts to private or using a website's maximum security settings to make sure your data is not public. Both Teams should keep a well-detailed audit of these types of sites to track current and future changes to personal details.
Often Red Team does not collect information in one single place but from many sources. As either Red Team or Blue Team, you need to ask the following. I will be using (X) as an insert for either personal or target nouns.
This creates a profile. With the profile you start to see a more well-rounded individual, and this becomes a more well-developed weapon.
Now we must ask ourselves...
Take a moment to think about the ways all of these overlap in our profile. Feel free to also take note of the individual nuances of each site as if they were their own unique person. How does Blue Team act in each particular instance? This further fleshes out the profile and allows for easier following in later Red Team activities, and also allows Blue Team to see how unique each profile is and what information can be highly compromising if their activities were to bleed into other sites.
Either Team can also take note, by section, of the following...
Relatives - How open is the relationship between (X) and blood/legal relatives? What could a stranger, having information on just one person in this network, discover about the others in the network, etc?
Politics - Does (X) discuss or post about political beliefs online? If so, on which platforms?
Friends and Community - If (X) has social media, make note of friends and followers. In what ways do (X)'s online communities reflect (X)'s offline communities?
Hobbies - What hobbies does (X) have? Does (X) have friends and community through them? Is (X) a part of any online communities dedicated to those hobbies?
Legal - Who is (X) on paper? What names, phone numbers, and addresses is (X) tied to? Do any of (X)'s accounts have this information? (I will make a list of several in reference.)
Career - Does (X)'s job require an online activity, a website, or a social media account for business or otherwise? Would there be a problem if those sites overlapped with (X)? Take note of the following as an attack vector.
These will overlap in ways that make them redundant, which is their purpose. There are also some of these categories that you do not have to take into account. However, given that many people are present online in different ventures, it can be useful to think about how you are represented in each.
Numerous sites exist for tracking information on people and publishing personal details without their consent, via a purchase from public files or other means. Ironically, Vice's Motherboard has an Opt Out list, which can be a nice list for Red Team or Blue Team, found here
And further reading can be done
Using these can have a cost, but for information on a valued target it can be worth it. From the Blue Team perspective, a little work will get you removed, but it can also be a huge pain; finding all of these sites and working through their policies can be the most tedious part. Hopefully, too, if this is done correctly, Red Team will not have a starting point.
This post has mainly focused on the legal means Red/Blue Teams with time and energy can use to find information, but there are other ways of obtaining data. Any account could be hacked by those who have the skills. Though it is not likely someone will crack an email password, data breaches are fairly common on large platforms. Even if someone is not a hacker, they can buy or find hacked data.
Have I Been Pwned? can be very helpful for Blue Team. Red Team, however, only needs to look at a pirate-bay mirror or Google doc during a big leak to easily gain personal information. I would also like to make reference to Drizzy and his Doxing Tool, which is a sniffer that compiles information on a Target in an organized fashion and is completely automated. Drizzy's contact link and download link are listed below.
When doxing or self doxing I would highly recommend using the following formats to make a profile.
These are my two recommended formats to make the whole process concise and easy to read.
Doxing is the method of searching for and publishing private or identifying information about an individual on the Internet. This section of the guide will start with how to find a basic piece of information, how to use it to find more information, and what to do from there. I will be publishing a Blue Team Defense Guide shortly after this goes public to allow a diverse range of information.
You first have to ensure that you are not using any personal information. If you are social engineering (which I will cover later) you will want to take measures to keep your information safe, such as fake email accounts and fake social media accounts. You must always take into consideration what information you are leaving behind.
10 Minute Mail - A free email address you get for 10 minutes. You can also extend the time if you need to.
Yo Mail - An alternative to 10minutemail.
Text EM - For texting; however, you cannot receive texts back. I would also recommend using a burner phone.
Fake Name Generator - Creates everything from a fake name, to a fake social security number, to a fake blood type. Also great for characters if you are a writer.
Discard Credit Card Generator - Allows you to see if a credit card number is legitimate.
Any form of social media. Read through all of their posts. Look at their personal information. Be sure to look at their friends; this will help because, if the person is cautious, their friends' walls/pages might be of more value.
Facebook: You can look up their email in Facebook search and find the person's Facebook page. It may contain information such as phone numbers, family members, and license plate numbers.
Twitter: You can find other sites they are linked to. You can find stuff they like and record it for future reference.
Google+: Every YouTube account is linked to Google+ and unless the user changes the setting every YouTube comment is posted on their Google+ page.
Instagram: If you have their pictures you can run their pictures through a reverse image search and might be able to find their other Social Media.
Having someone's IP address is one of the most useful pieces of information you can have. You are going to need information on them; an email address is the most helpful.
Metadata from images can be useful for location and camera/cellphone type.
If you managed to get their MAC, then this will just tell you the brand of NIC or laptop.
So let us jump right in to defending yourself from doxing. The most effective defense is a good sense of self. Though you may not think that you are ever likely to be doxed, start by controlling the amount of your personal information that ends up online. Keep a personal audit of the information available on you via the methods I go over in the Red Team Guide. This means that you should always be aware of the private information you are sharing.
To put it simply, stop trusting online services with your data. Google, Facebook, and other such services have your data, and out of convenience you give it. Though many of us know that we should not trust these platforms, we do. This is an easy way for you to get more data and in turn they can also get more data. But this opens up exploits into your personal being because others can also retrieve such data by using those same services. Data cannot be forgotten.
Due to human nature, we use patterns to create stability and control in our lives: perhaps a schedule or a set of foods you like. This is also common online via user-names and passwords. We often use similar, if not the exact same, user-names. This allows an attacker to run those user-names through a search engine such as Google and compile all the results. This creates a fairly discernible pattern of websites that are shared by a target. From there it is just connecting dots and going further down the rabbit hole. Change up all user-names; this makes it difficult to correlate. The same can be said about passwords, but I assume most are aware of their own password patterns. Change your passwords often using the methods previously listed in the Passwords section. Usually I recommend an encrypted hard-drive to store sensitive information, but writing the password down and storing it in a safe is best.
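As a Blue Team self-audit of the user-name pattern described above, the following added example (not part of the original post) groups your own accounts whose handles would still correlate after cosmetic changes such as case, separators, or trailing digits. The account list, function names, and the 0.8 similarity threshold are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: (site, handle) pairs for one person's own accounts.
SAMPLE_ACCOUNTS = [
    ("forum", "night_owl88"),
    ("photos", "NightOwl"),
    ("code", "nightowl-dev"),
    ("games", "xX_kestrel_Xx"),
    ("email", "j.doe.1990"),
    ("shop", "jdoe"),
]


def root(handle):
    """Reduce a handle to what survives cosmetic variation."""
    h = re.sub(r"[^a-z0-9]", "", handle.lower())   # drop case and separators
    return re.sub(r"\d+$", "", h) or h             # drop a trailing number


def linkable(a, b, threshold=0.8):
    """True when two handles share a root or are close enough to be matched."""
    ra, rb = root(a), root(b)
    return ra == rb or SequenceMatcher(None, ra, rb).ratio() >= threshold


def correlatable_clusters(accounts, threshold=0.8):
    """Group accounts whose handles link to each other, directly or in a chain."""
    clusters = []
    for site, handle in accounts:
        hits = [c for c in clusters
                if any(linkable(handle, h, threshold) for _, h in c)]
        merged = [(site, handle)]
        for c in hits:                 # a new handle can bridge older clusters
            merged.extend(c)
            clusters.remove(c)
        clusters.append(merged)
    # Only clusters of two or more accounts expose a pattern worth breaking.
    return [sorted(c) for c in clusters if len(c) > 1]


if __name__ == "__main__":
    for cluster in correlatable_clusters(SAMPLE_ACCOUNTS):
        sites = ", ".join(f"{site}:{handle}" for site, handle in cluster)
        print("rename at least one of ->", sites)
```

Any account that appears in a cluster is one where adding a number or an underscore did not actually break the pattern; it needs an unrelated handle.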
And now to the more technical...
Avoid using public hot-spots or open WiFi without proper security precautions. You can be a victim of Network Sniffing. Though this type of attack is more common on public hot-spots, do not feel safe using your own network, as this attack flow can also be used at home. A network-based attack flow is as follows...
War-Driving: This involves a hacker driving around various locations, looking for vulnerable WiFi networks to attack at a later time.
Password Attack: These can be used by hackers to bypass a public WiFi password either by mass testing a huge amount of passwords or by using software and tools.
WiFi Sniffing: This involves intercepting network traffic and data using tools or software. This attacks the data sent between a router and a device. It is very easy to set up a WiFi sniffer, since all you need is a laptop and some widely available software, leading you to fall victim to an attack.
To secure yourself from such an attack you can do as follows...
I have made mention of using a GNU/Linux system before and I will make it a point now. Get away from Windows and MacOS. These systems hold a large portion of active users and thus are valuable targets for hackers; why use a sniper in a crowd when you can use a shotgun? Using GNU/Linux can create a smaller attack surface and make it far more difficult to become a victim of malware and spyware attacks. Thanks to the GNU/Linux user-base, everyone can see and edit code. This creates a highly dense web of watchdogs keeping vulnerabilities out of your and everyone's system: https://www.gnu.org/distros/free-distros.html
We talked about exploitation of your network and your system so let us now move onto your personal browsing ethic. Not to jump to conclusions but I can assure you, you are browsing incorrectly. Now this is not a personal attack on your character as there are many, many people that do the same.
Tor is currently the leading anti-surveillance browser because it is built on an entire infrastructure of relay servers. It bounces your connection through a number of nodes, and should obscure the public IP address you are connecting to the internet with. It can be installed on Windows or Mac, though once again I would use it on your GNU/Linux system. For added security, and to leave your system clean, it can be used via USB stick. In addition, I would recommend reading the manual for Tor. The Tor Project offers a list of dos and don'ts for using it securely, including being very careful about downloading and opening documents which require applications: https://www.torproject.org/
To take the last 2 mentioned points and bring them together in beautiful harmony, use an incognito Live USB system such as Tails or, preferably, Heads. I did a full breakdown of Heads in an earlier post. This is a Live system that pipes all network traffic through Tor and keeps all sensitive data on the USB drive it is running on. Thus, after your system shuts down, it takes all data along with it, without a trace.
A Stalin dream: a device in your pocket that is not only connected at all times but also comes with a camera. Your smart device is a huge security leak waiting to be tapped. Having your name connected to something like a phone number and having a device that screams at all connections HERE I AM can obviously create issues. I offer a simple solution: use a basic prepaid phone or none at all. Smart devices have become the main source of communication and connectivity for many, though these devices run into the same issues as the network attacks listed above, as well as introducing a few others: Bluetooth attacks and social-engineering exploits using your personal cell number, to name a couple. So the best option to remain anonymous and secure is to dumb down or ditch it altogether.
This is a quick reference list of common OSINT tools.
Maltego is a fantastic mapping tool and easy to pick up. Maltego is a widely used tool for open source intelligence and graphical link analyses.
Shodan is a large and in-depth Internet of Things discovery tool. Discover which devices are connected to the Internet, where they are located, and who is using them.
Google Dorks - Learning how to use this collection of shortcuts and keywords can make you a master of Google-Fu.
theHarvester is a very simple yet effective tool designed to be used in the early stages of a penetration test; it gathers emails, names, subdomains, IPs, and URLs using multiple public data aggregates.
Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,docx,pptx,xlsx) belonging to a target.
Recon-ng is a full-featured Web Reconnaissance framework, complete with independent modules, database interaction, built-in convenience functions, interactive help, and command completion.
TinEye - Basic reverse image search, great for finding alternate profiles or accounts.
Search Code searches code from public projects using Github, Bitbucket, Google Code, Codeplex, Sourceforge, Fedora Project, GitLab and more.
OSINT Framework is focused on gathering information from free tools or resources.
FOCA is a tool used mainly to find meta-data and hidden information in the documents it scans. These documents may be on web pages, and can be downloaded and analyzed with FOCA.
EXIF Data is short for Exchangeable Image File, a format that is a standard for storing interchange information in digital photography image files using JPEG compression. Some images may even store GPS information so you can easily see where the images were taken!
Archive.org - A running archive of over 390 billion sites.
Sec.gov Edgar - All companies, foreign and domestic, are required to file registration statements, periodic reports, and other forms electronically through EDGAR. Anyone can access and download this information for free.
You Get Signal - A collection of network tools ranging from Geo-location to ID open ports on a network.
Have I Been Pwned? - Check if you have an account that has been compromised in a data breach; this can be used in conjunction with password attacks and social engineering attacks.
Geo Creepy - A Geo-location OSINT Tool. Offers Geo-location information gathering through social networking platforms.
OSINT Links - Provides a list of Keyword research tools, Search Engines, Meta Engines, FTP, Image Search, Video Search, IOT, Exploits, and other such directories or search tools.
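For Blue Team, the EXIF Data entry in the list above suggests a check before posting any photo: does the file still carry Exif, a GPS pointer, or comments, and can they be removed without touching the image data? The following added example (not from the original post or any listed tool) walks the JPEG segment structure with the standard library only; the function names and the constructed sample file are assumptions for illustration, and it targets ordinary well-formed JPEG headers.

```python
import struct

SOI, SOS = b"\xff\xd8", 0xDA
APP1, APP13, COM = 0xE1, 0xED, 0xFE   # Exif/XMP, Photoshop/IPTC, comment
EXIF_ID = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825              # IFD0 tag that points at the GPS sub-IFD


def iter_segments(jpeg):
    """Yield (marker, payload, raw) per header segment; SOS onward is one raw tail."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:                       # compressed image data follows
            yield marker, b"", jpeg[pos:]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, jpeg[pos + 4:end], jpeg[pos:end]
        pos = end
    if pos < len(jpeg):                         # short trailer such as a bare EOI
        yield -1, b"", jpeg[pos:]


def exif_has_gps(payload):
    """True when the Exif TIFF block's IFD0 contains a GPSInfo pointer."""
    tiff = payload[len(EXIF_ID):]
    if not payload.startswith(EXIF_ID) or len(tiff) < 8:
        return False
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # little or big endian
    if order is None:
        return False
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):                      # each IFD entry is 12 bytes
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        if len(entry) < 12:
            break
        if struct.unpack(order + "H", entry[:2])[0] == GPS_IFD_POINTER:
            return True
    return False


def audit(jpeg):
    """Report which metadata segments a JPEG still carries."""
    report = {"exif": False, "gps": False, "comment": False}
    for marker, payload, _ in iter_segments(jpeg):
        if marker == APP1 and payload.startswith(EXIF_ID):
            report["exif"] = True
            report["gps"] = report["gps"] or exif_has_gps(payload)
        elif marker == COM:
            report["comment"] = True
    return report


def strip_metadata(jpeg):
    """Copy the file without APP1, APP13 and COM segments; pixels are untouched."""
    out = bytearray(SOI)
    for marker, _, raw in iter_segments(jpeg):
        if marker not in (APP1, APP13, COM):
            out += raw
    return bytes(out)


def segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample():
    """Constructed JPEG skeleton (not a decodable picture) with Exif + GPS pointer."""
    tiff = b"II" + struct.pack("<HI", 42, 8)                 # header, IFD0 at 8
    tiff += struct.pack("<H", 1)                              # one IFD0 entry
    tiff += struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, 26)   # LONG -> offset 26
    tiff += struct.pack("<I", 0)                              # no next IFD
    tiff += struct.pack("<HI", 0, 0)                          # empty GPS IFD
    return (SOI
            + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + segment(APP1, EXIF_ID + tiff)
            + segment(COM, b"constructed comment")
            + b"\xff\xda\x00\x02" + b"\x00\x01\x02" + b"\xff\xd9")


if __name__ == "__main__":
    sample = build_sample()
    print("before:", audit(sample))
    print("after: ", audit(strip_metadata(sample)))
```

Run `audit` on the stripped copy before uploading; many platforms re-encode images, but that is not something to rely on.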
The MOO (Master Opt-Out) is a curated list of people search engines and databases that you can opt-out of through using the offered solutions that the websites provided. Due to the massive amount of websites, we urge people to start slow and use only those in the internet opt-out chapter. After a month or so, dig through the other chapters to see if your information exists on those, too. The reason for this is due to how many websites are inter-connected and will purge your information once other sites have had it removed.
These are opt-outs that can be done online through forms or simple links without a pay wall.
Opt-outs that require you to send an e-mail to a specific e-mail address or two, which usually requires you to wait 48 hours for any reply if any at all.
A series of opt-outs that require you to send a fax to a specific number or department before you can have your information removed.
Opt-outs that must be done through the use of traditional mail in order to opt-out of several databases due to several “legal” issues.
Opt-outs that must be done over the phone in order to be removed from several databases.
This list contains opt-outs that have no direct place but have proven useful.
Remove your property's street view on Bing Maps:
Remove your property's street view on Google Maps:
Remove your property's street view on https://www.Yahoo.com/maps
The online opt-outs, once completed, take anywhere from a month to a year to be fully removed from Google and other search engines. Besides opting out of the database for each site, you will notice other sites will have you removed from their databases, too. Please be aware, though, this does not hinder the government in any significant way or hurt your chances of getting a job. This only prevents civilians from doxing you or attacking you offline. Another thing to note is that legitimate businesses go through government sponsored and/or maintained databases to do background checks.
Many of us fear having the light of curiosity shown on us, be it through being doxed or someone becoming a bit too interested in us and what we are about. Sadly, many people do not take the needed precautions of lessening their digital footprint and removing their information from the internet. A lot of people just let it sit and fester until someone comes along and picks at the infected blister that was a forgotten account or teenage edginess, however not all is lost. You have already started your adventure in privacy.
The majority of people who have been doxed have had their information found through simple search engine queries or because they, themselves, provided this information without knowing that they had done so. This is because we have been conditioned by social media and sites like Reddit to crave the instant gratification of arbitrary numbers that come with exposing ourselves online; baring everything we can to the perverse, voyeuristic masses that give us a +1 click on our profiles. Because of this, you have most likely fallen for the meme that the current state of doxing is something akin to CSI's take on hacking. Do not fret, though: most people who threaten to dox someone have not found the information or are not willing to use it, ergo relax and do not panic over a threat. Yes, take it seriously; however, not all states will grant you the legal power to sue or track someone down in a digital witch-hunt. What you can do, though, is quite simple: Remove your information. Before you remove your information, you must first monitor yourself and the threat at hand. Do not react, for if you do then they get a bigger rise out of you and a reason to actually dox you, or if they already have done so... provoke you more and continue this assault. Simply remember: Stay calm, breathe and do not react. You do not need to defend yourself or get into a digital slap fight on the internet. Just ignore it and learn that by not reacting to any threats or accusations, you deny them one of the things they want the most: You acting out. Now move onto the next chapter.
One thing most people need to realize is that it is not always them but what they are perceived as representing. Due to the political climate being so explosive, people on both sides of the spectrum are targeting each other simply because they can. This means that a Republican, Democrat, Socialist, Communist, Capitalist or Fascist or whatever will be picked out from a series of people on social media and made into an example of what happens to someone's political or ideological opponent. This means you, at any given moment, could be targeted simply because you fit a preconceived image or notion of what someone believes their enemies to look like. It is a small consolation to realize you were not chosen, possibly, because of what you said or did; however, it still means someone was upset enough to target you. Take precautions and start lessening what you say or do online when it comes to specific topics. Choose your battles carefully and wisely. Not every comment or person needs a response.
One of the things you need to do before looking toward cleaning your digital footprint is to identify the source of your dox or the leak of your information. If you have been doxed or received a threat of being doxed, then you need to ensure your information has not been posted by someone within your community or on another website. If someone has posted your information, then you must identify what information they have found.
If it is public information, there is not much you can do about it. This information includes your home address, phone number, place of work, place of education, birth date, full name and even your car's license plate; however, while public, it is personal information, and some websites might actually remove it upon simple request. You must first ensure the website is not encouraging this or a part of the act taking place. If they are not, and it is a site like Reddit, then go ahead and ask the administrators and/or website owner to remove your information. If it is an image board or a forum, then do not ask anyone and ignore it further. However, do identify what information they have found, as you can work on lessening the damage by removing information that they have yet to find.
If the information is private, like passwords, credit card numbers, social security numbers or anything similar, then yes, you might actually have a case for a potential lawsuit. But remember: It must not be information that was made public by your own actions or a data breach or leak. If this information can be found via Google or Bing, then a lawsuit cannot take place against the people posting your information, but one could be placed against the owners of the database that got breached and/or leaked. Personal information, while both public and private, does not matter much because either way it matches one of the above descriptions. So do not fret so much over whether or not it is personal information but over whether it is private or public. Once you have gotten that mindset in place, you will see how doxing, while quite alarming, is not really up for any legal actions most of the time due to the information being found readily on your own accounts or a search engine.
Once you have identified the source, and learned of what information has been posted, you can act accordingly to the level of threat that is being presented to you. While everything that is classed as a potential threat may seem dangerous, not everything must be met with a call to arms or requests of a personal army or attorney at law. If it is just an account or e-mail address, then continue ignoring it and working toward removing your data and lessening the information that is out there on you. If they are obsessed with an old account that you can not or have forgotten to remove, then they are distracted and have not worked toward finding more information. This means you can work toward lessening the potential harm and continue toward a safer experience online.
If they have found your home address, regardless of how they did it, then you must look toward what you can do to lessen the potential harm that can stem from this, like, for instance, replacing your mailbox with one that can lock to prevent theft of mail. You can ensure your windows are locked and covered by blackout curtains to prevent spying, and you can even remove your phone’s custom voicemail message to the default robotic one. Remember, just because they have your address or phone number does not mean they will do anything. Most people are satisfied with going “I doxed you! You live at 123 Road Avenue, New York, New York!” and hoping someone else will say or do something. You have to fear at most, usually, getting the sophomoric junkmail spam that consists of boxes, pizzas and possibly even prostitutes. While nothing more than a prank, it does cause panic for your younger targets/victims, like the teenagers that Tumblr has inexplicably targeted.
If you are under the age of 18 or live with someone else, you must let them know what's happening if it has progressed as far as your phone number and/or address being posted online. The reason for this is so the other residents within the home know what is going on and for you, the target/victim, to tell the home owner and/or adults living with you what is happening. If it advances enough to a possible lawsuit and court date, then they will know about it anyway. It is better to come clean now and deal with the brunt of the lecturing now than later as, like it or not, parents and guardians do know how to handle things better than most minors.
Ultimately, the worst they can do is tattle to your parents or contact your place of work, or go as far as to contact your landlord. This has a 50/50 chance of working against you or not, ergo another reason for you to lessen your digital footprint online. The less you do online, the less they have that they can use against you. This means fewer accounts, little to no social media use and learning to not tell the internet everything you've seen, said or done on any given day.
1: Learn to not react to anything said or done to you or your accounts, and once this is over do not mention it, ever. If you let people know it is bothering you, they will continue their assault on you and your privacy. They will push forward, looking for even greater ways to provoke you into doing something potentially harmful to yourself and others. Even if the information is incorrect, do not react. Just ignore them and take things slowly.
2: To help lessen the trust in any of your information being posted, refer to the Master Opt-Out List section, and begin there.
3: If things turn violent, please follow the below...
Cut contact with anyone you suspect.
Do not delete any voice mail left on your phone; this can be used in potential legal actions.
Do not delete asks/PMs/fan mail/chat requests that contain threats or anything of a similar violent nature. These can be used in potential legal actions; also make copies of these by hitting CTRL+S to save a copy to your computer, and then save copies as screen captures.
Do not destroy any documents sent to your home or business; these can be used in potential legal actions.
Do notify the police of any incidents that happen, like property theft or damage...etc
Do not open letters or packages you do not recognize. If you did not order or request something in the mail, do not risk it. If you suspect something, open all packages and letters over a plastic container large enough to house the item you suspect. While wearing gloves, eye protection and a face mask, ensure the item is being opened as carefully as possible. Record and save everything in case of issue.
Look into purchasing cameras for your property.
This is the end result of social networks and the forced "inter-connectivity" meme of smart gadgets. The more we move forward to web 3.0, the smaller our pool of privacy shall become. While we can scream and whine about lawsuits and calling our uncle in the FBI, none of it matters because you have put yourself in harm's way in the first place by not remembering the simple golden rule: Do not post your real world information on the internet. Do not post your name or address online. Do not talk to strangers and do not post images of yourself, where you live, or go to school on the internet.