2021/06/08 An Introduction To Doxing Methodology

An Introduction To Doxing Methodology


Let us look at arguably the most well documented and most effective means of revenge and Social Engineering, Doxing.

What Is Doxing?

Doxing is a technique of tracing someone or gathering information about an individual using sources online and offline. The term is coined from several overlapping terms such as Docs, DocX, Info Dump, and Dropping Docs. Mashed together creates the term known today as Doxx or Doxing. Though more vocally common in the current decade with the rise of Hacktivist ideologies and the political unrest we see today, placed in the echo-champers of the Internet and Social Media, this is an old-school revenge tactic that emerged from hacker culture in 1990s. Used to pit the victims own habits and anonymity against themselves. Though other uses can be an engine for transparency for an injustice that can lead to legal repercussions. Consequently, doxing often comes with a negative connotation, because it can be used for revenge and is seen, for obvious reasons, as an invasion of privacy. Though this information is providing information to execute, it can be used also by readers to protect themselves from being victims. I highly recommend anyone to keep personal information secure and be aware of what data is available online and offline. I would also like to advise readers that peoples lives have been ruined by doxing. Both as victims and as attackers. The usage of doxing for revenge can lead to jail time or lead to a mass campaign of public shaming and embarrassment. Now since the disclaimer is all out of the way, let us move onward to find out more about doxing and potentially how to avoid it.

Techniques And Strategy

For this portion of the post I shall be using the terminology typical for a Red Team/Blue Team game. Where Red Team is the attacker and Blue Team is the defender to make this portion easier to follow.

Social Media

With the advent of social media and the greater movement of convenience over security, anyone can harvest information from the Internet about individuals. There is no particular structure or proper procedure in place for doxing, meaning someone may seek out any kind of information related to the target and relay that information haphazardly. I also hope to alleviate that in this post. To start with the basics, a basic Web search can grant results. Social media platforms like Facebook, Twitter, Instagram, and Linkedin offer a wealth of private information, because many users have perceive these as a platform of self disclosure making social media as a One-Stop-Shop for their photos, place of employment, phone number, and email address. As Red Team you want to utilize this information generously. As Blue Team, You would want to ensure your privacy by locking accounts to private or using a web-sites maximum security settings to make positive your data is not public. Be sure both Teams keep a well detailed audit of these types of sites to keep a list of current and future changes to personal details.

Branching Off

Often Red Team does not collect information in one single place but from many sources. As a Red or Blue you need to ask the following as either Red Team or as Blue Team. I will be using (X) as an insert for either personal or target nouns.

This creates a profile. With the profile you start to see a more well rounded individual and this becomes a more well developed weapon.

Now we must ask ourselves...

Take a moment to think about the ways all of these overlap in our profile. Feel free to also take a note of individual nuances of each site as of they were their own unique person. How does Blue Team act in each particular instance. This further fleshes out the profile and allows for easier following for later Red Team activities and also allow Blue Team to see how unique each profile is and what information can be highly compromising if their activities were to bleed into other sites.

The Little Details

Either Team can also take note in section of the following...

These will overlap in ways making them redundant which is their purpose. There also are some these categories you do not have to take into account. However, given that many people are present online in different ventures, it can be useful to think about how you are represented in each.

People Tracking Sites

Numerous sites exists for tracking information of people and publish personal details without their consent via a purchase from public file or other means. Ironically Vices Motherboard has an Opt Out list which can be a nice list for Red Team or Blue Team found here

Using these can have a cost but for the information of a valued target can be worth it. From the Blue Team perspective, a little work will get you removed. But also can be a huge pain; Finding all of these sites and working their policies can be the biggest tedious. Hopefully too if done correctly Red Team will not have a starting point.

Hacks And More

Though this post has mainly focused on the legal means Red/Blue Teams with time and energy can use to find information, but there are other ways of obtaining data. Any account could be hacked with those whom have the skills. Though its not likely someone will crack an email password, data breaches are fairly common on large platforms. Even if someone is not a hacker, they can buy or find hacked data.

Proper Formatting

When doxing or self doxing I would highly recommend using the following formats to make a profile.

These are my two recommended formats to make the whole process concise and easy to read.

Doxing is the method of searching for and publishing private or identifying information about an individual on the Internet. This guide section of the guide will start with how to find a basic piece of information, how to use it to find more information and what to do from there. I will be publishing a Blue Team Defense Guide shortly after this goes public to allow a diverse range of information.

Anonymity

You first have to ensure that you are not using any personal information. If you are social engineering (Which I will cover later) you will want to take measure to keep your information safe such as, fake email accounts and fake social media accounts. You must always take into consideration what information you are leaving behind.

Resources

A Blue Team Defense Guide

So let us jump right in to defending yourself from doxing. The most effective defense is a good sense of self. Though you may not think that you are ever likely ever be doxed; start by controlling the amount of your personal information that ends up online. Keeping a personal audit of available information on you via the methods I go over in the Red Team Guide. This means that you should always be aware of the private information you are sharing.

Anti-Trust

To also be put simply, stop trusting online services with your data. Google, Facebook, and other such services have your data and out of convenience you give it. Though many of us know that we should not trust these platforms, we do. This is an easy way for you to get more data and in turn they can also get more data. But this opens up exploits into your personal being because others can also retrieve such data by also using those same services. Data cannot be forgotten.

Patterns

Due to human nature patterns are used by us to create stability and control in our lives. Perhaps a schedule or set of foods you like. This is also common online via user-names and passwords. We often use similar if not the exact same series of user-names. This allows an attacker to run those user-names through a search engine such as Google and compile all the results. This creates a fairly discernible pattern of websites that are shared from a target. From there it is just connecting dots and going further down the rabbit hole. Change up all user-names, this makes it difficult to correlate. Same can also be said about passwords. But I assume most are aware of their own password patterns. Change your passwords often using the methods previously listed in the Passwords section. Usually I recommend an encrypted hard-drive to store sensitive information but writing the password down and storing it in a safe is best.

And now to the more technical...

Your Network

Prevent using public hot-spots or open WiFi without proper security precautions. You can be a victim of Network Sniffing. Though Public hot-spots this type of attack is more common, do not feel safe using your own network as this attack flow can also be used at home as well.A network based attack flow is as follows...

Your System

I have made mention of using a GNU/Linux system before and I will make it a point now. Get away from Windows and MacOS. These system take a large portion of active users and thus are valuable targets for hackers, why use a sniper in a crowd when you can use a shotgun. Using GNU/Linux can create a smaller attack vector and make it far more difficult to become victim to malware and spyware attacks. Due to the GNU/Linux user-base, everyone can see and edit code. This creates a highly dense web of watchdogs keeping vulnerabilities out of yours and everyone's system https://www.gnu.org/distros/free-distros.html

Your Browsing Habits

We talked about exploitation of your network and your system so let us now move onto your personal browsing ethic. Not to jump to conclusions but I can assure you, you are browsing incorrectly. Now this is not a personal attack on your character as there are many, many people that do the same.

Use the Tor Browser

Tor is the currently the leading anti-surveillance browser at the moment because it is built on an entire infrastructure of relay servers. It bounces your connection through a number of nodes, and should obscure the public IP address you are connecting to the internet with. This can be installed on a Windows, Mac, though once again I would use it on your GNU/Linux system. For added security and leaving your system clean, it can be used via USB stick. To add though I would recommend reading the manual for tor. The Tor Project offers a list of do and don't for using it securely, including being very careful about downloading and opening documents which require applications https://www.torproject.org/

We Will Do It Live

To take the last 2 mentioned points and being them together in beautiful harmony, use a incognito Live USB System such as Tails or more preferable, Heads. I did a full breakdown of Heads in an earlier post. This is a Live system that pipes all network through Tor and keep all sensitive data on the USB Drive it is running on. Thus after your system shuts down, it takes all data along with it, without a trace.

Not So Smart-Phone

A Stalin dream, a device in your pocket that is not only connected at all times but also comes with a camera. Your smart device is a huge security leak waiting to be tapped. Having your name connected to something like a phone number and having a device that screams at all connections HERE I AM can obviously create issues. Though I offer a simple solution. Use a Basic Prepaid phone or none at all. Smart devices have become many main source of communication and connectivity though these devices run into the same issues as the network attacks listed above as well as an introduction to a few others. Blue-Tooth attacks and Social-Engineering exploits using your personal cell number to name a couple. So best option to remain anonymous and secure is to dumb down or ditch it all together.

Additional OSINT Tools

This is a quick reference list of common OSINT tools.

Master Opt-Out List 2.0

The MOO (Master Opt-Out) is a curated list of people search engines and databases that you can opt-out of through using the offered solutions that the websites provided. Due to the massive amount of websites, we urge people to start slow and use only those in the internet opt-out chapter. After a month or so, dig through the other chapters to see if your information exists on those, too. The reason for this is due to how many websites are inter-connected and will purge your information once other sites have had it removed.

Afterword

The online opt-outs, once completed, take anywhere from a month to a year to be fully removed from Google and other search engines. Besides opting out of the database for each site, you will notice other sites will have you removed from their databases, too. Please be aware, though, this does not hinder the government in any significant way or hurts your chances of getting a job. This only prevents civilians from doxing you or attacking you offline. Another thing to note is that legitimate businesses go through government sponsored and/or maintained databases to do background checks.

What to do if Doxed

Preface

Many of us fear having the light of curiosity shown on us, be it through being doxed or someone becoming a bit too interested in us and what we are about. Sadly, many people do not take the needed precautions of lessening their digital footprint and removing their information from the internet. A lot of people just let it sit and fester until someone comes along and picks at the infected blister that was a forgotten account or teenage edginess, however not all is lost. You have already started your adventure in privacy.

Stay Calm And Do Not React

The majority of people who have been doxed had had their information found through simple search engine queries or because they, themselves, provided this information without knowing that they have done so. This is because we have been conditioned by social media and sites like Reddit to crave the instant gratification of arbitrary numbers that come with exposing ourselves online; baring everything we can to the perverse, voyeuristic masses that give us a +1 click on our profiles. Because of this, you have most likely have fell for the meme that the current state of doxing is something akin to CSI's take on hacking. Do not fret, though, most people who threaten to dox someone have not found the information or are not willing to use it, ergo relax and do not panic of a threat. Yes, take it seriously, however not all states will grant you the legal power to sue or track someone down in a digital witch-hunt. What you can do, though, is quite simple: Remove your information. Before you remove your information, you must first monitor yourself and the threat at hand. Do not react, for if you do then they get a bigger rise out of you and a reason to actually dox you, or if they already have done so... provoke you more and continue this assault. Simply remember: Stay calm, breathe and do not react. You do not need to defend yourself or get into a digital slap fight on the internet. Just ignore it and learn that by not reacting to any threats or accusations, you deny them one of the things they want the most: You acting out. Now move onto the next chapter.

Realize It Is Not Always You

One thing most people need to realize is that it is not always them but what they are perceived as representing. Due to the political climate being so explosive, people on both sides of the spectrum are targeting each other simply because they can. This means that a Republican, Democrat, Socialist, Communist, Capitalist or Fascist or whatever will be picked out from a series of people on social media and made into an example of what happens to someone’s political or ideology’s opponent. This means you, at any given moment, could be targeted simply because you fit a preconceived image or notion of what someone believes their enemies to look like. It is a small consolation to realize you were not chosen, possibly, because of what you said or did, however it still means someone was upset enough to target you. Take precautions and start lessening what you say or do online when it comes to specific topics. Choose your battles carefully and wisely. Not every comment or person needs a response.

Identify The Source

One of the things you need to do before looking toward cleaning your digital footprint is to identify the source of your dox or the leak of your information. If you have been doxed or received a threat of being doxed, then you need to ensure your information has not been posted by someone within your community or on another website. If someone has posted your information, then you must identify what information they have found.

If it is public information, there is not much you can do about it. This information includes your home address, phone number, place of work, place of education, birth date, full name and even your car's license plate, however while public it is personal information and some websites might actually remove it upon simple request. You must first ensure the website is not encouraging this or a part of the act taking place. If they are not, and it is a site like Reddit, then go ahead and ask the administrators and/or website owner to remove your information. If it is an image board or a forum, then do not ask anyone and ignore it further. However do identify what information they have found, as you can work on lessening the damage by removing information that they have yet to found.

If the information is private, like passwords, credit card numbers, social security numbers or anything similar, then yes, you might actually have a case for a potential lawsuit. But Remember: It must not be information that was made public by your own actions or a data breach or leak. If this information can be found VIA Google or Bing, then a lawsuit can not take place against the people posting your information but one could be placed against the owners of the database that got breached and/or leaked. Personal information, while both public and private, does not matter much because either way it matches one of the above descriptions. So do not fret so much over whether or not it is personal information but whether if it is private or public. Once you have gotten that mindset in place, you will see how doxing, while quite alarming, is not really up for any legal actions most of the time due to the information being found readily on your own accounts or a search engine.

Act Accordingly

Once you have identified the source, and learned of what information has been posted, you can act accordingly to the level of threat that is being presented to you. While everything that is classed as a potential threat may seem dangerous, not everything must be met with a call to arms or requests of a personal army or attorney at law. If it is just an account or e-mail address, then continue ignoring it and working toward removing your data and lessening the information that is out there on you. If they are obsessed with an old account that you can not or have forgotten to remove, then they are distracted and have not worked toward finding more information. This means you can work toward lessening the potential harm and continue toward a safer experience online.

If they have found your home address, regardless of how they did it, then you must look toward what you can do to lessen the potential harm that can stem from this, like, for instance, replacing your mailbox with one that can lock to prevent theft of mail. You can ensure your windows are locked and covered by blackout curtains to prevent spying, and you can even remove your phone’s custom voicemail message to the default robotic one. Remember, just because they have your address or phone number does not mean they will do anything. Most people are satisfied with going “I doxed you! You live at 123 Road Avenue, New York, New York!” and hoping someone else will say or do something. You have to fear at most, usually, getting the sophomoric junkmail spam that consists of boxes, pizzas and possibly even prostitutes. While nothing more than a prank, it does cause panic for your younger targets/victims, like the teenagers that Tumblr has inexplicably targeted.

If you are under the age of 18 or live with someone else, you must let them know what’s happening if it has progressed as far as your phone number and/or address being posted online. The reason for this is so the other residents within the home know what is coming off and for you, the target/victim to tell the home owner and/or adults living with you what is happening. If it advances enough to a possible lawsuit and court date, then they will know about it anyways. It is better to come clean now and deal with the brunt of the lecturing now than later as, like it or not, parents and guardians do know how to handle things better than most minors.

Ultimately, the worst they can do is tattle to your parents or contact your place of work, or go as far as to contact your landlord. This has a 50/50 chance of working against you or not, ergo another reason for you to lessen your digital footprint online. Less you do online, the less they have that they can use against you. This means less accounts, little to no social media use and learning to not tell the internet everything you've seen, said or done on any given day.

Steps To Take

Afterward

This is the end result of social networks and the forced "inter-connectivity" meme of smart gadgets. The more we move forward to web 3.0, the smaller our pool of privacy shall become. While we can scream and whine about lawsuits and calling our uncle in the FBI, none of it matters because you have put yourself in harm's way in the first place by not remembering the simple golden rule: Do not post your real world information on the internet. Do not post your name or address online. Do not talk to strangers and do not post images of yourself, where you live, or go to school on the internet.