Guide to doxing: Tracking identities across the web

Have you ever considered how easy it can be to track you down on the web based on just a nickname and a little additional information? Let me tell you: in many cases it is very easy. The technique used to de-anonymize users is often referred to as doxing, a term derived from an abbreviation of the word “documents”. It relies on the aggregation and linkage of personal information from various internet sources. Reasons for doxing include intimidation, extortion, denunciation and aiding law enforcement agencies.

You are given the username

Let us begin with the most common scenario. You are given the username of some apparently anonymous user, be it a Skype name, an in-game name or some other nickname. As we are talking about a real person behind a nickname, you can assume that the person associated with this nickname has common idiosyncrasies, including simple convenience – and convenience is a security and privacy killer. Why do people use the same password to secure a whole bunch of accounts? Because of convenience. Why do people use the same nickname for a set of web services? For exactly the same reason: convenience.
First, if you know a nickname, hope that the person chose it for convenience, which means that they use the nickname for other services as well. Look it up using Facebook on http://facebook.com/username, try the integrated Skype contact search or just use Google to find other services like forums or Instagram.

You know the Skype name

Knowing the Skype name of a person is a real advantage. A user with a non-standard avatar might allow you to find additional web accounts through a profile picture search.
Another method is based on the linkage between Facebook and Skype accounts. There are at least two ways this kind of connection can be created: either the user has once used the Facebook friend finder function, in which case the Skype user name is automatically linked to the user’s Facebook account, or the user has linked their Facebook account to their Skype account directly in Skype in order to use the Facebook chat within Skype. This can result in an immense privacy leak. If you are friends with the user on Skype, you can use the Facebook friend finder function, which is basically a reverse search by Skype name. You are just required to enter your Skype credentials into the form on Facebook and you will automatically be offered the option to add all your Skype friends who have their accounts linked to Facebook.

You have the email address

Email addresses also expose your privacy to immense risk. If an email address is known to a hacker, the password reset function of Facebook can in many cases be used as an ideal email validator. The hacker just pretends to be some user and submits the email address to the password reset form on Facebook. If Facebook cannot associate the address with an existing account, it is not registered at Facebook. If the address can be associated with a profile, you might already see the name and the profile picture of that account. In some cases you will just see the standard profile picture. Actually, whether you see the profile picture seems to depend on a mixture of privacy settings and IP address range matching. Although my profile picture is available to friends only, Facebook does display it for my account when I use the password reset function.

Finding by profile picture

If you are given a unique profile picture that is not some common internet meme, you have a chance to find associated accounts using the Google reverse image search. However, as many people do not have their Facebook timelines indexed, this chance is rather small. If the profile picture you want to search for was a Skype image and the Skype name was “test”, you might consider downloading the profile picture directly from http://api.skype.com/users/test/profile/avatar instead of risking that an inaccurately cropped screenshot reduces the chance of finding it with Google.

Profiling by friends

Profiling by friends is a method which requires some more work. It is especially useful if you could not retrieve information that would have been obtainable more easily. In this case you are given some web account which exposes some names of a user’s friends. Services like Ask.fm or Instagram might allow you to find out whom a person interacts with very frequently, which might be an indicator of a closer relationship like real-life friendship. The approach consists of googling these names together using quotation marks. For example, if you know the URL of the Instagram account of a person named John Doe and you find out that John Doe frequently interacts with Max Mustermann and Erika Steinbach, I would suggest googling for “John Doe” “Max Mustermann” “Erika Steinbach” (with quotation marks) or “Doe, John” “Mustermann, Max” “Steinbach, Erika”. Results you might find include school, sporting events or work relationships.

Fetching Facebook accounts by known properties

Another privacy killer is the Facebook graph search, which allows you to query identities based on preferences or other properties. Useful phrases include “People named John”, “People who live in Berlin”, “People who live near Berlin”, “People who have friends named Max Mustermann named John Doe”, “People who work at Google”, “People who like Google”, where Google in the last two cases refers to a Facebook page. In general, the fewer people match a criterion, the faster the search. It is also possible to combine two statements with the conjunction “and”, e.g. “People who like Google Chrome and Mozilla Firefox”. However, you should note that this option relies on the search criteria being available to a public audience, which the user chose beforehand with the Facebook privacy selector.

Finding additional details using Facebook

In the password reset function, Facebook provides a useful feature: it validates the email address while partially exposing it, showing the first character of the local part, the last character of the local part, the first character of each domain label and the full top-level domain (like .com or .net). For example, “john.doe@hotmail.com” becomes “j******e@h******.com” and “max.muster@subdomain.example.net” becomes “m********r@s********.e******.net”. Now it’s time to guess the most common email providers. You are well-advised to test Google Mail (gmail.com, googlemail.com), Hotmail (hotmail.com, live.com) and Yahoo (yahoo.com) in that order together with the most common combinations of the first and the last name. If people use serious email addresses, you might try firstname.lastname@emailprovider.tld. Remember that emails are validated by entering them again into the password reset form.
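Seen from the operator's side, the hint format above leaks the exact length of every masked part in addition to the visible characters. The following added example (not code from this post or from Facebook) implements the masking rule as described and compares it with a hypothetical constant-width mask, measuring how many addresses of a constructed sample share the same hint; all function names and the sample list are assumptions made for illustration.

```python
# Constructed sample population (example domains, plus one address from the text).
SAMPLE = [
    "john.doe@example.com",
    "jane.doe@example.com",
    "johndoe@example.com",
    "j.doe@example.com",
    "john.doe@example.org",
    "max.muster@subdomain.example.net",
]


def mask_length_preserving(address: str) -> str:
    """Mask as the text describes: every hidden character becomes one '*'."""
    local, _, domain = address.rpartition("@")
    *labels, tld = domain.split(".")
    # Local part: first and last character stay visible. Assumption: parts of
    # one or two characters are shown unchanged (the text gives no rule).
    if len(local) > 2:
        local = local[0] + "*" * (len(local) - 2) + local[-1]
    # Domain labels: first character visible, top-level domain shown in full.
    masked = [label[:1] + "*" * (len(label) - 1) for label in labels]
    return local + "@" + ".".join(masked + [tld])


def mask_fixed_width(address: str) -> str:
    """Hypothetical hardened variant: constant width, no domain hint at all."""
    local = address.rpartition("@")[0]
    return local[:1] + "***@***"


def anonymity_set(address, population, mask):
    """Addresses in `population` that render to the same hint as `address`."""
    target = mask(address)
    return sorted(a for a in population if mask(a) == target)


if __name__ == "__main__":
    for mask in (mask_length_preserving, mask_fixed_width):
        group = anonymity_set("john.doe@example.com", SAMPLE, mask)
        print(mask.__name__, mask("john.doe@example.com"), len(group))
```

The larger the group sharing one hint, the less the hint tells an observer; showing no hint and answering identically for registered and unregistered addresses removes the validation signal entirely.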
If you want to circumvent Facebook privacy restrictions while staying anonymous, you might create a fake account and send friend requests to friends of the target person. Only one friend accepting a request means that you will now be able to see all information of the target person made available to their friends’ friends. One hint is to add a fake profile picture to your account since this apparently increases the chance of the requests being confirmed exponentially – at least as soon as you already have some friends in the people’s social environment – because many people look at common friends when they decide whether to accept or decline a friend request. It might also be worth a try to request the target person’s friendship directly.

Finding by telephone number

This is an easy task. Use the Facebook password reset form and enter the number into the text field. You might get the name of a Facebook account associated with the number. Secondly, try adding the person to your phone contact book and use common applications like WhatsApp or Snapchat to find a picture or another nickname of the person. Skype also supports a reverse search that queries Skype accounts by telephone number.

Finding by domain name

Use WHOIS servers to find people’s addresses and full names very fast. On the Internic website you can find out where to query full WHOIS information for .com and .net domains. A faster way might simply be to look for legal information on the webpage.

Finding location by IP

If you are given an IP address, you might use tools like Utrace or Ip-Adress [sic] in order to find the approximate location of a user. Services like MostwantedHF or other so-called Skype resolvers allow an IP address to be found based on a Skype name under certain conditions, although this mostly just works when the user is currently online.

Finding details using git

Sometimes, git logs from platforms like GitHub may provide additional information about the real identity of a person. Cloning a repository and then executing “git log” may suffice in order to find out real name and email address.
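For someone publishing a repository, the same history can be checked before it goes public. The following added example (not part of the original post) lists every author and committer identity whose email is not a GitHub noreply address; the function names, the choice of the noreply domain as the only accepted address and the sample log lines are assumptions, and the sample is constructed.

```python
import subprocess

# One line per commit: author name, author email, committer name,
# committer email, separated by tabs (%x09).
LOG_FORMAT = "%an%x09%ae%x09%cn%x09%ce"
NOREPLY_SUFFIX = "@users.noreply.github.com"  # GitHub's private commit email domain

# Constructed sample of what the log of a small repository could look like.
SAMPLE_LOG = "\n".join([
    "jdoe\t12345+jdoe@users.noreply.github.com\tjdoe\t12345+jdoe@users.noreply.github.com",
    "John Doe\tjohn.doe@example.com\tjdoe\t12345+jdoe@users.noreply.github.com",
    "jdoe\t12345+jdoe@users.noreply.github.com\tJohn Doe\tjdoe@workstation.example.org",
])


def read_log(repo_path: str = ".") -> str:
    """Return the identity log of all branches of a local repository."""
    result = subprocess.run(
        ["git", "-C", repo_path, "log", "--all", f"--format={LOG_FORMAT}"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def exposed_identities(log_text: str, allowed_suffix: str = NOREPLY_SUFFIX):
    """Return sorted (name, email) pairs whose email is not a noreply address.

    Both the author and the committer field are checked, because the
    committer identity is rewritten on rebase or cherry-pick and is easy to
    overlook. Names are reported as recorded and still need a manual review.
    """
    exposed = set()
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip lines that do not match LOG_FORMAT
        for name, email in (fields[0:2], fields[2:4]):
            if not email.lower().endswith(allowed_suffix):
                exposed.add((name, email))
    return sorted(exposed)


if __name__ == "__main__":
    for name, email in exposed_identities(SAMPLE_LOG):
        print(f"{name} <{email}>")
```

Calling `exposed_identities(read_log("path/to/repo"))` runs the same check on a local clone.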

Clickjacking vulnerabilities

Clickjacking is a serious threat to online anonymity. It refers to a technique that tricks users into clicking an invisible element on a third-party site (e.g. a social follow button plugin) without noticing the click on the plugin. As pointed out in another blog post, Facebook followjacking allows the automatic retrieval of public information from the Facebook profile of any logged-in user who clicks on a malicious element within any website.

To conclude: all methods rely more or less on the uniqueness of a person’s real name and on whether a person uses just one single nickname or a whole set of nicknames. In general, one approach is to throw everything into Google, Facebook search or Skype and other online monopolies.

If you are interested in how to prevent being tracked, keep an eye on this blog as I soon want to post some ideas of countermeasures.

You are not anonymous on the web. Never. In many cases not even for private persons.
