What Is Doxing?
The word “doxing” (also spelled "doxxing") is derived from the term “dropping dox,” or “documents.” Doxing is a form of cyberbullying that uses sensitive or secret information, statements, or records for the harassment, exposure, financial harm, or other exploitation of targeted individuals.
This doxing meaning involves taking specific information about someone and then spreading it around the internet or via some other means of getting it out to the public. This practice has been fervent for many years, simply because documents contain permanent records of facts about people and things they have done and said, which can be powerful weapons against them. However, the term “doxing” first gained popularity in the 1990s when hackers began dropping docs on people who had been hiding behind fake names. In this way, hackers could expose other attackers with whom they had been in competition. Removing their anonymity left them exposed to authorities and others trying to track them down.
Doxing has taken a prominent role in modern culture wars, which involve people targeting those who support a cause or hold a belief that is in opposition to one they are trying to push forward.
How Does Doxing Work?
Doxing is based on the fact that nearly everyone has data about them floating around on the internet, protected by varying levels of security—and in some cases, barely any at all. Once this data has been found, it is weaponized and used against the target.
People often use the same or similar usernames on different accounts for a variety of websites and web applications. It is relatively easy therefore for cyber criminals, activists, or others to use the usernames you have to pinpoint accounts that belong to you. Data from each of these accounts can be taken to compile a more thorough portfolio of documents that reveal information about you.
Running a WHOIS Search on a Domain Name
If you own a domain name, you have information regarding you stored within a registry. This registry is oftentimes available to view with a simple WHOIS search. You usually have the option of hiding your information while signing up for a domain. If you opt not to, it is easy for anyone to access your name, phone number, address, business address, and email—all without any special technology.
If you either fall for a phishing scam or someone is able to infiltrate your email, they can either grab sensitive details about you or go through your account and use your emails for a doxing attack. With a phishing scam, you are prompted to click on a link to a fake website and enter sensitive information.
Stalking Social Media
If you make your social media accounts available to the public, any information you post about yourself or have in your profile can be seen by others. This may include where you work, your friends, photos, family members, things you like to do, places you have been, pets, and more.
A doxer may even be able to use this kind of information to deduce your answers to common security questions, such as “What is the name of my best man?” or “What is the name of your favorite pet?”
Sifting Through Government Records
Government websites like the Department of Motor Vehicles (DMV) and those that hold county records, business licenses, marriage licenses, and voter registration information all have data that could be used in a doxing attack.
Tracking IP Addresses
Doxers can figure out your Internet Protocol (IP) address and then use the fact that it is linked to where you are physically to execute an attack. For example, they could reach out to your internet service provider (ISP) and pretend to be you, asking them questions that provide them with more information about you.
Reverse Mobile Phone Lookup
As soon as a hacker knows your mobile phone number, they can dig to find more information about you. For example, they could use a reverse phone lookup service, such as Whitepages, to figure out who you are. They may have to pay to get anything other than your state and city, but often, they get enough information that can be useful in a doxing attack.
When doxing someone, attackers can use packet sniffing to their advantage. Data is organized in packets as it travels across the internet. When a packet is sniffed, the attacker is able to tell what kind of information is within it. In this way, they can grab passwords, bank account information, credit card numbers, and more.
To do this, doxers will connect to a network, get past its security, and then capture the data being transmitted through the network.
As the name suggests, data brokers collect information and then sell it to others for a profit. A data broker will gather information about potential targets by going to several websites that house public records. This may include loyalty card websites, which keep track of your online habits or your search history, to obtain the data they need about you.
In some cases, a data broker will purchase data from another data broker and then sell it to a buyer on the dark web.
What Information Are Doxers Looking For?
Examples of information doxers typically search for include:
- Phone numbers: These can be used to contact the victim directly while pretending to be someone else and then asking questions to get more information. They can also be used to gain access to secure user accounts.
- Social security numbers: A social security number is required to validate the identity of a person on a variety of websites and with a wide array of companies that hold private data.
- Home address: Not only can a home address be used to verify someone’s identity while trying to gain access to a private account, but it can also be used by an attacker to apply for new accounts while pretending to be the victim.
- Credit card details: Credit card information can be weaponized for profit or to harm a victim’s credit rating, as well as gain access to other sensitive information.
- Bank account details: Because bank account details are typically only available after someone has satisfied security measures, they can be used to “verify” your identity for someone pretending to be you. They can also be levied to transfer money from your account to someone else’s or published in a doxing attack to make the target more vulnerable.
Is Doxing Illegal?
In many cases, doxing is not illegal, particularly because the information that is being exposed is already publicly available online. This means that, at some point, the target granted an entity the legal right to publish it. However, the way the information is used may make the overall act illegal, particularly if it involves stalking, threatening, or harassing the target.
Doxing may also be illegal if certain information is revealed. It is illegal to dox a government employee in the United States, for example. This is a federal offense. And while it is not “illegal,” doxing is considered unethical because information is revealed without the permission of the victim.
How To Protect Yourself from Doxing
It is nearly impossible to avoid being a doxing victim because most people have a vast amount of personal information posted online. However, there are steps you can take to make sure that the most sensitive information—that which could do the most damage—does not get abused by a doxer.
Use a VPN
A virtual private network (VPN) takes your internet transmissions, encrypts them, and sends them securely through the internet. On the other end, the data is decrypted so it can be read or used by the other party or entity. While the data is in transit, however, a doxer cannot be able to use it unless they have the decryption algorithm.
Use Strong Passwords
A weak password—such as one that is a derivation of your name, a predictable series of numbers, or a word—is easy to guess by a doxer. However, there are steps you can take to make it far more difficult for a doxer to attack you. These include using different passwords for each of your accounts, using obscure combinations of letters, numbers, and symbols, or using a password manager that generates and stores passwords that are very hard to guess.
Change Your Privacy Settings from Time to Time
If you use social media and post potentially sensitive or private information, you should, from time to time, review your privacy settings and change them. When you use social media for professional purposes, it can sometimes be useful to keep some of your account information public.
Changing privacy settings every now and then can help keep information you do not want abused from being accessed by anyone who can see your profile information, pictures, posts, or likes and dislikes.
Stay Away from Phishing Emails
Anytime you get an email that appears to come from a bank or credit card company, be aware, especially if they are asking for private information. In addition, be careful when clicking on a link to any website sent through an email. If, after you get to the website, you are asked to enter information, you may be exposing yourself to doxing risk if you comply.
Create Separate Email Accounts for Separate Purposes
You may want to consider using different email addresses for social interactions, work, and spam. Your work email, particularly if you are self-employed, would be used for professional interchanges. However, whenever you sign up for an offer or subscribe to something, you can use your spam email address. Personal, casual interactions can be handled on your social email address. Using different logins and passwords for each one makes it harder for a doxer to crack your email address, and if they do, they may not be able to gain access to everything they need.
Keep in mind that a spam email can often be used to go straight to a user account with details in the account profile. It is important, therefore, to make your spam email particularly difficult to hack into.
Keep Your Social Media Privacy in Check
When you post something on social media, it is put out there for the public to see, and in some cases, it could be grabbed before you have the chance to take it down.
Even if you use a pseudonym, it is easy for doxers to figure out your real identity by cross-checking one social media account with another, particularly using your friends and how they mention you. They may refer to you by your real name instead of your pseudonym, thereby exposing your identity. Also, when one social media account has your real name but others have fake ones, a doxer can easily deduce who you are.
Hide Domain Registration Information from WHOIS Lookup
Because WHOIS contains contact information, including information about your physical address, it is best to hide your information when you sign up for a Uniform Resource Locator (URL) or domain name. Making your information private is straightforward, and if you are unsure how to do it, ask your domain registrar.
Be Mindful of Providing App Permissions
When you take an online quiz, it may be administered using an app. To sign up for the app, you may be offered the option to give it permission to access your social media information. If you provide app permissions to a doxer, they can use what they find to attack you. Also, if the app does not have adequate security, a doxing hacker may penetrate their system and get all your information. It is often better to sign up by providing a unique username and password instead of giving the app access to one of your social media accounts.
Protect Your Financial Accounts
A doxer may publish your financial information, so take steps to make sure it is secure. However, if they succeed, immediately reach out to your bank or credit card provider and make sure your accounts are closed or otherwise protected.
Check How Easy It Is to Dox Yourself
If it is easy for you to dox yourself, it is just as easy—or easier—for an experienced doxer. You can try doing a Google search, reverse image searching using your picture, going through your social media profiles, or checking to make sure your email account information has not been compromised in a published data breach.
You can also check your professional profile information, including resumes and curriculum vitae (CV), to see if you're comfortable with that information being available to the public.
Set-up Google Alerts
You can arrange for Google to alert you in the event your name, number, address, work address, or additional personal information appears online. This way, you can stop a doxing attack right away.
What To Do in Case You Are Doxed
If you discover you have been doxed, you should take the following steps:
- Report it: Inform any pertinent parties, such as financial institutions, about what has happened right away.
- Involve law enforcement: If the attack involves threats or if the information was gleaned in a potentially illegal manner, you should contact the police and let them know.
- Document what happened: Use screenshots, download web pages, and take the time to write out what happened. This information can help you keep track of what information was shared as well as help the authorities and others address the attack.
- Protect financial accounts: Immediately contact your credit card company or bank to prevent financial information from being used to steal from you.
- Secure your accounts: Bolster your privacy settings and change passwords for all your accounts, especially those containing information that could be used by a doxer.
- Get support from family or friends: You can reach out to someone you trust for assistance and emotional support so you do not have to deal with it on your own.
How Fortinet Can Help
The Fortinet FortiEDR gives you machine-learning capabilities to prevent the use of malware and the exfiltration of data in a doxing attack. FortiEDR is able to detect threats automatically and in real time. It prevents your data from being stolen from an endpoint by monitoring all data that leaves your network or system and blocking attempts at stealing your information by preventing it from moving outside the protected zone.
What does doxing someone mean?
What does it mean to dox someone? Doxing is a form of cyberbullying that uses sensitive or secret information, statements, or records for the harassment, exposure, financial harm, or other exploitation of the intended victim. This involves taking specific information about someone and then spreading it around the internet or via some other means of getting it out to the public.
Is doxing illegal?
In many cases, doxing is not illegal, particularly because the information that is being exposed is already publicly available online. This means that, at some point, the target granted an entity the right to publish it. However, the way the information is used may make the overall act illegal, particularly if it involves stalking, threatening, or harassing the target.
Can you go to jail for doxing?
If someone uses illegal means to capture the information or if they use it to threaten the victim, yes, they can go to jail for doxxing. In some cases, the victim may be able to make an argument that the doxed information was untrue, and this could involve a libel suit, which may result in jail time.
Why is doxing so scary?
Doxing is scary because it involves exposure of potentially sensitive information to the public in a way that could damage the victim’s reputation or expose them to theft or identity fraud. A doxing attack can also be used to blackmail the target or to embarrass someone’s family or friends. Further, doxing can be a weapon for getting someone fired from a job due to things they have done that their employer disagrees with.