EI-ISAC Cybersecurity Spotlight – Doxing
What it is
Doxing is the malicious identification and online publication of information about an individual. It can include Personally Identified Information (PII) or other sensitive, private, or damaging content about the individual or the individual’s family members. Malicious actors dox victims in an attempt to harm them via the public exposure of their information.
Doxing is commonly retaliatory in nature (e.g., in reaction to controversial political opinions or actions). It may also be threatened as a means to extort victims, strategically compromise a person to influence their actions, or to affect public confidence in processes or systems. In some cases, doxing attacks contain concocted or factually inaccurate information designed to slander the victim, which sometimes mistakenly affects other victims with similar names, titles, or backgrounds.
Content posted on social media platforms and other publicly available information, such as home and work street addresses, email addresses, and telephone numbers, often act as the foundation for doxing attacks. Though this information is publicly available, it can be used in aggregate with information from paid services or illicitly gathered information. Depending on the skill and resources of the actor, doxes can contain information from compromises and data leaks, including financial or medical records, passwords, compromised account information, and email content.
The aggregation of information enables malicious actors to turn otherwise harmless content into a damaging collective. For example, separately, a person’s last name, place of work, or home address is generally innocuous. However, when this information is combined it could constitute PII and be weaponized against a target, especially if coupled with account information, passwords, and financial records.
Why does it matter
It is possible that malicious actors could dox election officials or their families to publicly shame, embarrass, or discredit them or the electoral process. Although this has not yet been reported within the elections sector, malicious actors may threaten a doxing attack in an attempt to extort their target for financial purposes, access to additional sensitive information, or in response to alleged political injustices, controversial political opinions, or actions.
Doxed victims report receiving harassing phone calls, faxes, and emails, having compromised credit cards used to harass them, having strangers sit outside their house, and having phone calls made on their behalf. It can result in innocuous activities, such as having a pizza ordered, but it can also result in life-threatening activities, such as a call to 9-1-1 claiming an intruder, who looks like the victim, is committing a crime at the victim’s current location. Additionally, a successful doxing attack increases the likelihood that the victim will experience future identity theft or financial fraud as doxed information is intentionally posted online to allow other malicious actors to use the information, too.
In 2015, the Federal Bureau of Investigation (FBI) released an alert on the doxing of public officials after malicious actors successfully doxed the then Director of the Central Intelligence Agency (CIA), John Brennan. In this incident, actors used social engineering tactics to gather enough information from the telecommunications company, Verizon, to be able to reset the password on Brennan’s email account. The account was then compromised and used in a doxing attack as it included troves of Brennan’s personal, family, and work related information.
What you can do
Election officials should consider reducing the amount of personal information about them and their family that is posted online. The standard rule of thumb is to avoid posting any content online that you would not want to be broadcast on the evening news and to understand that everything posted online becomes a permanent part of the internet. Such information includes anything identifying nonpublic jobs, hobbies, family, friends, or frequent locations as this content provides malicious actors with additional research avenues to further exploit and target a victim or their loved ones.
Likewise, this information (i.e. a car’s make, model, or color; a first job, address, or telephone number; or mother’s maiden name) can be used as answers to security questions to reset account passwords, resulting in further account compromises and doxing attacks.
In addition, election officials should understand what is posted online about them. To this end, conduct routine searches on names, telephone numbers, email addresses, and other identifying information and consider enabling privacy setting on social media accounts. Most websites have a way to request that information be removed and election officials should consider removing sensitive or inaccurate information about themselves and their families.
The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact firstname.lastname@example.org.