Mark Lanterman | July 21, 2017
With the rise of personalized social engineering attacks that exploit human rather than technical vulnerabilities, such as spear phishing and CEO spoofing, it is important to understand the methods by which cyber criminals gather personal information in order to craft harder-to-spot attacks.
The fact is, I think many people would be surprised by exactly how much information is readily available about them online. If you are active online, your personal information is collected, stored, and distributed. This is probably done without your full knowledge, let alone consent.
We tend to be cautious when it comes to giving out personal information in real life. Most of us wouldn't give our phone number, address, or kids' names to a stranger on the street. However, personal information like this is widely available online, even though we often think of ourselves as being anonymous behind our computer screens.
The buying and selling of personal information online is referred to as doxxing, and it helps cyber criminals carry out spear phishing, CEO spoofing, and ransomware attacks. Information such as health and legal data is now more valuable on the Dark Web than credit card numbers, but it should be said that doxxing is not an activity confined to the Dark Web. In fact, many popular websites that are open to the general public can provide a cyber criminal with useful information for constructing personalized spear phishing emails. Some of these websites are presented as ancestry websites, while others gather information from other resellers and compile it in one location.
Many people want to remove this personal information once it is found to be online. Several major personal information reseller websites provide opt-out information, which allows individuals to remove their information from these sources. However, some websites are better than others at providing clear turnaround times and procedures. I have listed the names of several major personal information reseller websites and corresponding information for those who are interested in limiting the amount of personal data about themselves online.
| Links to Opt-Out Form for Major Personal Info Resellers | Verification Needed | Turnaround Time |
| --- | --- | --- |
| https://pipl.com/help/remove | Pipl is a search engine that does not host personal information, but it is a good starting point for identifying personal information from other sources. | Depends on the other sources from which Pipl populates its search results |
| http://www.beenverified.com/optout | Email address | 24 hours in most cases |
| http://www.checkpeople.com/contact | None | 7–14 days |
| https://www.intelius.com/optout.php | Government-issued ID | 7–14 days |
| https://www.peoplesmart.com/optout-go | Email address | Up to 72 hours |
| http://www.publicrecords360.com/optout.html | State-issued ID | This site does not disclose turnaround time. |
| http://www.spokeo.com/opt_out/new | Email address | 30 minutes |
| https://support.premium.whitepages.com/hc/en-us/requests/new?ticket_form_id=549628 | Email address and phone number | Immediate |
| www.zabasearch.com/block_records/ | Redacted state-issued ID card or driver's license | 4–6 weeks |
| http://www.zoominfo.com/lookupEmail | Email address | "Within a few days" |
| http://www.familytreenow.com/optout | Email address | Unknown |
Those who choose to visit these websites may be surprised to see the kinds of personal information available about them. Some may be especially shocked to see that their personal information links them to others. For example, your current place of residence may link you to the previous tenant. Searches for ex-spouses, roommates, or employers may bring up an individual's name by association.
It should also be noted that these websites repopulate. That is to say, even if you successfully remove your private information once, it may return. Opting out may be an ongoing process rather than a permanent solution, which may be frustrating for those trying to control their digital presence and manage the risks associated with cyber-security threats.
For the purposes of risk management, understanding the scope of your digital presence is critical. Minimizing the amount of personal information readily available about you is possibly a first step to reducing vulnerability to certain cyber attacks. If you wouldn't want the stranger on the street to know your address, odds are, you don't want the stranger online to know it either.
Recent trends indicate that cyber criminals are opting to take advantage of human vulnerabilities over digital ones and use personal information to trick victims. Unfortunately, cyber criminals tend to be fairly good at working smarter, not harder. In many instances, no "hacking" in the traditional sense is necessary to reach confidential information. Doxxing is an easy way for cyber criminals to retrieve information that helps get their foot in the door, no digital vulnerabilities required.
Cyber criminals seem to have improved their tactics. As technology and potential victims get more difficult to trick, these individuals have to up their game. With few exceptions, I think that the majority of people are able to spot, for example, the Nigerian prince email scam. Scams like this are outlandish, and most people have heard of them. They are so absurd that this scam seems more like a joke than a threat. The problem is, some people seem to think that this is what an email scam still looks like. Now, a majority of cyber criminals do their homework when it comes to laying the groundwork for a successful attack.
For a person constructing a fake email, for example, the more information they have about the potential victim, the better. In addition to the victim's name, knowledge of the person's location, workplace, and bank can be instrumental in shaping the attack. A CEO spoofing-type scam also requires a high degree of information about the apparent "sender." For example, a cyber criminal pretending to be a company's CEO sends an email to someone in the accounting department requesting a $50,000 wire transfer while the CEO is out of the office on a business trip. In addition to trawling personal information reseller websites, a cyber criminal may also review social media accounts to gather relevant information about the involved parties. This adds yet another layer of believability to a fraudulent email. The higher the degree of personalization and "realness," the more likely it is that a victim complies with a request.
These kinds of threats pose a great risk to an organization's assets and reputation. A Minnesota-based pharmaceutical company lost around 50 million dollars as a result of a CEO spoofing campaign that occurred over the course of a few months. The degree of attack personalization made the employee believe the wire transfer requests were legitimate in spite of several red flags, including a rush to execute the transfers with a focus on confidentiality, obvious departure from typical protocols, the sheer frequency and amount of the transfers, and the suspicious names of the banks to which the transfers were supposedly being made. The lesson here is that, even if there are several red flags, a victim may still believe an email to be legitimate if it looks real enough. And if this happens, the damages can be great and irreversible.
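The red flags listed above (a rush to execute, an emphasis on confidentiality, departure from normal payment protocol, an unusual amount, and an unfamiliar payee bank) are also what an accounts-payable mailbox filter or an analyst triage script can look for. The following is an added illustration, not code from the original article or from IRMI: a small heuristic scorer that parses an inbound email and counts those warning signs, adding a sender check (an executive's display name paired with an address that is not theirs, or a Reply-To that diverts replies elsewhere). The keyword lists, the executive directory, the approved-bank list, the amount threshold, and both sample messages are constructed assumptions for the example.

```python
"""Heuristic red-flag scorer for inbound wire-transfer requests.

Added example, not from the article. Every list and threshold below is a
constructed assumption; a real deployment would load them from the
organisation's own directory and payment procedures.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed keyword lists modelled on the article's red flags.
URGENCY_TERMS = ("urgent", "asap", "immediately", "right away", "today")
SECRECY_TERMS = ("confidential", "keep this between us", "do not discuss")
WIRE_TERMS = ("wire", "transfer", "payment")

# Constructed directory: lower-cased display name -> the only address it may use.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Constructed list of payee banks that the normal procedure allows.
APPROVED_BANKS = {"first example bank"}
# Constructed threshold above which an amount is treated as unusual.
LARGE_AMOUNT = 10_000.0

_AMOUNT_RE = re.compile(r"\$\s?(\d[\d,]*(?:\.\d{2})?)")


def _has_any(text, terms):
    """Return the terms from `terms` that occur in `text`."""
    return [t for t in terms if t in text]


def score_message(raw):
    """Parse an RFC 822 message and return {'score': int, 'flags': [...]}.

    Messages that do not ask for a wire, transfer or payment score 0; the
    other checks only matter in that context.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = (str(msg["Subject"] or "") + "\n" + body).lower()

    flags = []
    if not _has_any(text, WIRE_TERMS):
        return {"score": 0, "flags": flags}

    # Sender identity: known executive's display name on a foreign address,
    # or a Reply-To that would send the reply somewhere else.
    name, addr = parseaddr(str(msg["From"] or ""))
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append(f"display name '{name}' but address {addr}")
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        flags.append(f"reply-to diverts to {reply_addr}")

    # Rush to execute, and focus on confidentiality.
    if _has_any(text, URGENCY_TERMS):
        flags.append("urgency")
    if _has_any(text, SECRECY_TERMS):
        flags.append("secrecy")

    # Unusual amount.
    amounts = [float(a.replace(",", "")) for a in _AMOUNT_RE.findall(text)]
    if any(a >= LARGE_AMOUNT for a in amounts):
        flags.append(f"large amount {max(amounts):,.2f}")

    # Departure from protocol: none of the approved payee banks is named.
    if not any(bank in text for bank in APPROVED_BANKS):
        flags.append("payee bank not on approved list")

    return {"score": len(flags), "flags": flags}


# Constructed sample messages (no real people, domains or banks).
SPOOF = """From: Jane Doe <jane.doe@lookalike.invalid>
Reply-To: jdoe.private@webmail.invalid
To: accounts@example.com
Subject: Urgent wire transfer - confidential

I'm travelling and can't take calls. Please wire $50,000 today to
Northstar Global Bank; details to follow. Keep this between us until I'm back.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 vendor payment

Please schedule the usual $2,400.00 payment to Acme Supplies via
First Example Bank per the approved invoice.
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SPOOF), ("legit", LEGIT)):
        print(label, score_message(sample))
```

The score is only a triage aid: a message that scores high should be routed to an out-of-band confirmation step (a phone call to the executive on a known number), and a low score never certifies a request as genuine, since an attacker who has done the homework the article describes can avoid several of these keywords.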
In addition to employee education and training in recognizing and addressing potential social engineering threats, understanding the doxxing process illuminates exactly what kind of information might be available and helpful in executing a cyber attack. Taking the time to opt out of personal information reseller websites may be a valuable component of cyber-security procedures. Being aware of your online presence is important, as the difference between "real-life" and online activity is ultimately less distinct than it may seem.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.