Nov 28, 2017

Have you ever heard of the word “doxing”? Doxing sounds complex, but it’s actually very simple. It basically means to gather important data about a person and publish it on the public Internet.

People often get doxed for revenge, but doxing is now being used for profit. In this report, we will mainly focus on the latter one, and discuss the consequence of being doxed, how cyber-criminals make profit in doxing business and what countermeasures could be taken.

1. What is doxing?

Originating from the word “documents”, doxing (or doxxing) basically means to gather lots of important data about a person and publish it on the Internet with a malicious intent.

The word “dox” could be the information such as a person’s name, social security number, phone number, physical and email address, passwords, MAC and IP addresses, etc. In fact, dox could be anything and everything that people leave in the real and online worlds.

Doxing is less about the availability of the information, but instead more about the way it is used to intimidate or harass a victim. People often get doxed for revenge. Sometimes it’s hacktivists shaming someone for a cause. Creating the sense of panic is the typical goal of this kind of doxing.

2. What could happen after being doxed?

In August 2015, hackers who claimed to have stolen data from Ashley Madison, the dating site for married people, posted nearly 10GB of said stolen data. That includes member email addresses, credit card transactions, and even profiles. The hackers published those information on the Dark Web(1)*1, and those who’ve already downloaded it said they found all kinds of juicy gossip*2. In this way, doxers often use the dox to create the illusion that they have totally invaded your personal space to create the sense of panic by implying “I don’t know what will happen next”. A New Orleans pastor committed suicide after his name was discovered among the stolen data in the Ashley Madison hack. He reportedly feared losing his job if he was discovered as a user of the spousal cheating site*3.

What more disturbing is that nowadays doxing is not just used for shaming a victim, instead it is being used for profit. Big profit.

With the liveliness of the Dark Web markets, the dox is valued by cyber-criminals. With the dox, cyber-criminals could target companies directly and indirectly through their executives and employees, then further cyber exploit a business.

For example, a doxer may target a company’s CEO and sell it to another cyber-criminal. The cyber-criminal can then use the dox to effectively impersonate the CEO in a sophisticated phishing campaign aimed at, for example, transfer fraud, which is called BEC or whale phishing*4. The more real and believable the dox is, the more likely a cyber-criminal is to succeed in impersonating.

In this way, doxing can be used to perpetrate financial fraud, and it might also result in a wide variety of other harms.

  • (1)The Dark Web is a collection of thousands of websites that use anonymity tools like Tor and I2P to hide their IP addresses.

3. A new branch of the hacking economy

Since a single dox can yield a wide variety of valuable cybercrime threats, doxing is now growing into a branch of the hacking economy.

In December 2015, inside Chimera ransomware, the first ‘doxingware’ was observed in the wild*5.

At the first sight, it appears just like other ransomwares that encrypt user’s files and demand ransom for decrypting them. What makes it different is that it added another feature to stress its victims. It threatens that in case if the ransom will not be paid, all the stolen files are going to be published, along with the stolen credentials allowing to identify these files’ owner. Fortunately in case of Chimera authors didn’t decide to really upload the files to the server, so it turned out to be a bogus threat. However, real ‘doxingwares’ might appear in the near future.

In fact, the market is so robust, some cyber-criminals are even offering the “doxing-as-a-service”.


Fig1. The homepage of Ran$umBin

There is a website on the Dark Web called Ran$umBin (Fig1). What Ran$umBin has done is turning dox collection and publication into a business. It offers the platform for cyber-criminals to upload doxes and accepts ransom payments from victims who want their information to be removed. The cyber-criminal who uploaded the dox will get 50% of the ransom that victim paid.


Fig2. Ransom cost by category

The ransom to pay depends on the category assigned to the dox by the person who uploaded it (Fig2). The categories are rather basic: pedophiles, revenge, miscellaneous, law enforcement and famous people.


Fig3. Three packages of the dox collecting service

In addition, it also provides a dox collecting service, which includes three packages with different level of doxed information (Fig3). It promises to collect a complete profile on a person for $150, and if they fail to collect the dox, the ‘client’ will be refunded.

4. Countermeasures

If you have already been doxed, you should take actions to mitigate the circumstances. Once published, sites like Pastebin, which are often used to share doxes, have procedures in place*6 for removing private information. Twitter has also recently made doxing a violation of their terms of service, and accounts used to harass in this manner can often be reported and the offending posts removed*7.

What’s more, since doxing is a precursor to other threats, it is important to establish what information may be translated into credible threats.

As described before, accounts and passwords are often used to impersonate victims. If one of your accounts has been compromised, immediately attempt to recover it, and change the passwords of all service with the same password. In the case of credit card numbers, banking information, social security numbers, and anything of this sort should be reported immediately to the relevant institutions. The bank, credit union and law enforcement will recommend further actions to take to prevent further fraud and identity theft.

However, it is vital to take proactive and diligent steps to continuously monitor risk profiles. Sadly, Kaspersky also predicted that doxing will continue to rise exponentially in their security bulletin of 2016 predictions*8.

Cyber-intelligence companies, which provide credential monitoring services, keep gathering information from underground forums, IRC channels, the Dark Web, Pastebin and other sources and will raise an alert the moment their clients’ credentials are found compromised. They are able to recognize and respond to doxing-driven cybercrime and help their clients respond in a much quicker way.

How to technically prevent the doxing on the user side has not yet been established. In case you are doxed, panic can set in quickly, but please try to keep calm and take actions to mitigate the circumstances as soon as possible.


Authors Profile

Fei Feng
Security Engineering Department
Technology and Innovation General Headquarters

Fei Feng joined NTT DATA in 2015. She was engaged in a wide range of information security R&D, including the evaluation of cyber intelligence services, malware analysis and digital forensics. Currently, she is responsible for the evaluation of security products.