
Hello everyone, and we hope our presentation will be interesting to you. For variety, as they said, we will speak in Bulgarian, and we will talk specifically about our online and digital footprint, the one we leave behind with all the communication and social networks we use: how it can actually be exploited, what the risks of this are, and what can happen. My name is Kaloyan Ivanov, and together with my colleague Nikola Georgieva we work at Group Sense. We deal with intelligence, and our job is basically to dig into the deep and dark web, to communicate with the criminals, and to manage to collect information about accesses even at the moment when they are still with the initial access brokers, so that we can notify our clients before any kind of attack has been carried out. I have been at Group Sense since 2020, and I am responsible for the advanced research team, which is the one that digs into the deep and dark web, creates the personas, and handles communication with the threat actors.

And I am Nikola Georgieva. As I was introduced, I have been at the company since 2021, my first year, with a humanities background that has nothing to do with this, but thank God they took me, because I found my passion. So yes, that's it.

So, what are we going to talk about today? First, what doxing is and why it is dangerous, what it can lead to. Then we will look at a case study, in which we will show you step by step how it is done, which information is used and can be extracted, and we have divided it according to the relevant tools. At the end we will do a summary of what information we were able to extract through doxing and how it can be used, and we will give you some advice on how you can protect yourself from this and what you can do.

So what is doxing? It is a method of analysis, of research, with which public information as well as confidential information about a person is collected, and as a result of which this information is published by the threat actors for a variety of reasons. Basically the information collected is: name, date of birth, SSN, or EGN in our case, driver's license number, personal correspondence, personal photos, workplace, properties the person owns, taxes, whether they have been paid or not, and so on. In general the set of information that can be collected is very varied, so it varies from case to case. Most often the perpetrators of the so-called doxing are threat actors or hackers, and in most cases they use it to acquire information about the target they have started working on, which can subsequently be used for phishing or spear phishing, and so on. But this is observed not only among threat actors; it is also observed in ordinary people who do this: students who are angry at their teachers, or exes who decide to publish all the information online with the idea of taking revenge or harming someone. For this reason doxing is actually offered as a service on the dark web; there are quite a few tutorials and quite a few paid services, right, to dox someone, and there are quite a few sites whose purpose is exactly this, where people who have done doxing can share the information.

On this slide you can see an example from the largest doxing site, Doxbin. In this case this is one person's dox, or at least part of it. The information is not complete, because the dox itself is quite large, quite voluminous. You can see some of the information that was extracted about him: name, address, phone number, social networks, and further on there are also personal documents.

Why is doxing actually dangerous? Besides revealing our identity and our private life, it shows it to the public and brings out personal information. It can be used, as I already said, as the first step for spear phishing or any other social engineering, namely collecting information about the target so that the attack can subsequently be carried out better. Also not to be neglected is physical security, because after information is published about the person, where he lives, what he does, where he has been, especially if he is a public figure, this can lead to a physical confrontation. Also not to be underestimated is the information collected from our personal documents, which, no matter how much we try to hide it, leaks through various database breaches; this can lead to identity theft, namely someone taking out a loan in our name, starting a company in our name, and then, God forbid, it comes to something worse. As you can see, we have put several news articles related to doxing on this slide, namely one case that you may all remember, which happened recently: a person transferred 26 million after a fairly targeted attack using deepfakes.

Why do we dox? A small disclaimer: we are not doxers, because we perform only the first steps of doxing, the collection, the analysis, the processing of the information, but we do not publish this information. Instead we give advice to our clients on how they can protect themselves from it; we identify vulnerabilities in their digital footprint, and we do it mostly with the aim of giving this advice so they can protect themselves from possible subsequent attacks. Another thing doxing can be used for: threat actors are people too, and they communicate on social networks and they make mistakes. The bigger a threat actor is, the more self-confident he is, the less he follows the rules he set when he started, and the greater the likelihood that we will find him. So in the same way that threat actors dox people to carry out attacks, we dox threat actors to reveal their identity, so that in the end it eventually leads to an arrest.

And so we get to the interesting part. For the purpose of the investigation we have used a real person, but in order to protect his identity and not dox him for real, we have hidden his name: we have named him John Doe, and any personal information that could identify him is blurred. Also, in the process of the investigation we in principle compare every piece of information that we see against at least several sources, because it is not always true, and we have to be sure that what we find is really so. And with that I give the floor to my colleague.

So, the first step we take to do such research is social media, very often, and in general in 90% of cases people do not realize how much sensitive information they provide absolutely free to everyone, and really, without money; this is valuable information, this is your information. In the relevant case we found the LinkedIn account; this is the CEO of a large company. LinkedIn is a gold mine for information, because there you have years of work experience, years of education. In this case, as you see, 1979: doing the simple calculation, it can be assumed that this person was born around 1961, most likely 1961. From LinkedIn you also have the locations of the companies he works at; in a large international company it is not necessary for him to be located there, but it is still some kind of prerequisite and a step forward. Under the name itself, it is not visible in the screenshots, we all know the location in which he is located.

On Facebook we also have a hometown, the city, which is actually his current residence, and there is someone you are tied to, family. Whether your profile is public or not does not matter, because at some point in time when you created it this profile was most likely public, which means that this profile was certainly once public on the internet, and once this data is on the internet, it will remain there forever, because there are many scrapers, and the web archive is one of those. In this case we found, with the link to it, that it has been edited, that is to say it is no longer public to that extent, but the link itself is there, and on the profile we managed, through scraping, to get a family photo which is no longer accessible on the current profile but is accessible because it was public at some point and was scraped. You can see that he is not officially linked to anyone on Facebook, but judging by the posts, by all the information we have been digging around and found, we catch a post in which we find Jane, next to which it says, hmm, maybe it is worth seeing her profile. From her profile, when you enter, there are already family photos; it turns out that she has two children, and in general the whole relationship between the two of them is already much more established. With all this we already have universities, work background, state, in this case a presumed year of birth, and a wife too, which is important for the next stage of the research, and we have a pretty good base.

Next slide, with which I will now actually show you, and I guess most of you know these dorks. They are super basic dorks, but I personally encourage each of you to try to find information about yourself before someone else finds it. These are really the simplest dorks: using quotes with your full name is the easiest thing ever, and if you want something more specific, along with your name, whether to see an email, a phone number, a physical address, easy. If you are looking specifically on some site, you put the site in front. What I recommend most is maybe to try this one with Pastebin, because on Pastebin there are a lot of doxes, so you never know, maybe try it; and likewise Doxbin, these are the biggest platforms on which there are a lot of doxes. Accordingly, with dorks you can search by file type to see if a CV or some other document related to you can be found. With such commands we have found confidential documents of very large companies, and since things leak from big companies, we can assume that we may have something. In fact Google dorking is used by many of the hackers because, besides what are very basic commands, right, dorks, there are also much more targeted dorks with which you can see potentially vulnerable sites. In this case we have shown them on the slide; we do not want to encourage such things, but there is a dork with which you can see weak sites, sites vulnerable to SQL injection. Of course this is only the first step, and subsequently you have to go through many other things to get to the point where this attack can really take place, but it is really a good first step.

So with Google dorks and several platforms that we used we managed to find and connect the following information: in this case we have the current address of the person, and we remember on Facebook it said Illinois, it said the city, so it is quite possible. The name matches the name of the second user, who is his wife, which we proved earlier, and it also matches the other addresses through, again, all kinds of Google dorks, and they are checked. There are also an outrageous number of platforms that offer this, especially for Americans, which also check whether at some point they were connected with this person.

So, the next step. We already know, with Google dorks we have identified the name, the supposed year of birth or around it, correspondence; we proceed to the next step, the deep and dark web. We have found his email, respectively from LinkedIn or from Facebook or through Google dorks. The first thing we do, of course, is enter a market for stealer logs and check if there are any of his that have actually leaked. Of course in this case we have put some placeholder numbers, but as you can see on the top screenshot, this is from one of the markets, and in fact some stealers, besides usernames and passwords, steal documents, steal screenshots, steal battle passes, and so at one point, having this information, we can take over this person's life, so to speak.

The other thing that is found on the deep and dark web is precisely databases and combo lists, in general some leaked databases that are sold, given away, and so on. In this case one of the markets has a Bulgarian combo list from a Bulgarian threat actor, and this is a real threat actor, we did not create it for the presentation. As you can see they are sold, and in this case these are given for free: a combo list of username and password, email and password, which can then tell us or find the password of this person. There are other such platforms that collect databases, the most famous of which is Have I Been Pwned. Our company has its own tool that deals with this; we have a fairly large set of databases, so subsequently, searching with the indicators that we have, we collect additional information.

Another thing that can be done on the deep and dark web: in this case, since the person is American and there are SSN markets, the SSN being the equivalent of our EGN, we in fact find his social security number on the SSN market, according to the address we have already established and the supposed year of birth. Keep in mind that you can find the SSN of anyone from a normal person to a politician for $7; in the sense that it doesn't matter who he is, it costs $7, which is literally free of charge. Don't worry, there really is no such market for EGNs, but there is such a huge amount of databases of Bulgarian insurance companies, not to mention the NAP leak, which simply anyone who knows how to use Google can find and check; it doesn't even need to be checked. So yeah.

So here we continue to build up the research itself on the person, the threat model we are striving for. At the bottom left you can see one tool that is quite useful; with it you check mainly Gmail, absolutely not an anonymous email that you can use, and it comes out absolutely elementary: you get to the following information, the name of the person, the ID, then Google Maps, from where you can see the reviews and photos he left on the reviews, and you can again prove where he is at the moment, in which city, where he has been, where he has traveled. Keep in mind that quite a large number of people leave reviews constantly, most are negative, fewer are positive, but even the negative ones work. And from Google Calendar you will also be amazed how many people leave their private events not hidden, and accordingly with this link there is access to them, which also provides a huge amount of information. And the last one is actually the web archive, which I told you about earlier, where we found that post which has not been public since 2019, with which we actually proved the family connection from his wife's profile.

For phone numbers there are an outrageous number of reverse phone number services, free or paid, it doesn't matter at all. In this case we also used our tool, Tracelight, which also helps with this, and in this particular one we found that this phone is connected to John Doe, and the address is reversed but it is still Illinois, and it is an address that we previously found on the platform we showed you on the earlier slides. Another interesting thing that we were able to find for this person, again through dorking, is a VIN number. The VIN turned out to be on a car from 2011, some Chevrolet, which is connected to John Doe, right; for a CEO it is a little suspicious why he has such an old car, I don't know, but the number below actually proved the connection, because it is John Doe Junior's; it proved the connection between the two and confirmed it even more, because the number was connected to his son and confirmed all the information from Facebook and all the other social platforms we were able to find.

Other tools we use for collecting information are command-line tools; most of them come by default in Kali Linux, so everyone can use them. The first one we will talk about is Sherlock. Sherlock checks for the presence of a certain username in various social networks. We have found the username in the previous databases, whether from the infostealer log that we found or from some of the databases, and with Sherlock it extracts a huge number of social networks for us. In principle this can also be done with Google dorks, as Nikola said earlier, with a site respectively, searching for the specific username, but the advantage of this is that it is automated and much faster, and it checks about 300 social networks, including some that are no longer used, like MySpace; that is to say, the person may have some old account that we can find this way. The problem with Sherlock in principle is that by design it puts the username in the URL, and in this way it is possible to get some false positives, so we have to be very careful with the information we have collected. In this case we see that there are 241 results for this username; it just opens up more work to check and compare information, but it is really quite a lot.

The next ones are some of the most popular tools that we presented; the more you dig, the more tools there are, an outrageous number, but GitHub just has a great amount and they are all quite useful. And although I say that Gmail is extremely mass-market, extremely non-anonymous, and alternatives like Proton Mail are preferable, I found two tools that give the digital footprint of Proton Mail, and they really did the job; by the way, I managed to locate quite valuable information about this person. The next one, h8mail, does the job of our product and not many other products at all, but it has 12 APIs that you can set up to check whether the respective email has been compromised. In fact most hackers use it with their local databases that they have collected, which in some cases are literally terabytes; they set it up and check through them with it. Mosint should also be built into the normal package; if not, you can always install it through GitHub. It checks, with an email, different social media, whether there are accounts, DNS, IP, and any other information that can be extracted. Again, I recommend and encourage you, if you haven't tried it, to try it; it is interesting at least.

And we get to the point that with 90% public information we find those 10% that should not be public, namely the SSN, and this actually proves how, really, just with a dose of more interest, creativity, and logical thinking a person can get to sensitive information. Below there is an example from our tool, which my colleague will talk about.

Yes, as we said, this is one of ours, like other products: ours collects and checks multiple databases. This is a result from the application, and as you see, again we reconfirm the date of birth; the IP address this time we find is not necessarily his but can be used to supplement the research further, to establish whether or not it is him. The email password is visible, as well as the password hash, and sometimes multiple clear-text passwords, which is not very okay, and we see the address again, and other usernames associated with this email can be found, and the date when it was found. There are quite a few similar tools; Have I Been Pwned checks, but it does not give us the result, for example, but there are also some additional ones on the deep and dark web that directly spit out information similar to this.

In fact, as you saw, we managed to collect everything about this person: where he lives, what the names of his family are, with their photos, what car he drives, what house he has, his phone number, email address, passwords, username, other social networks, including the SSN. This whole thing can lead to several specific steps; it is a kind of threat modeling with which every cyberattack, in its larger proportion, starts. Because in order to send at least a phishing email that is not the best phishing email in the world... I have seen extremely professionally and well-made phishing emails targeting the person in question, which, if they reached an employee who is not in our industry, I would not judge them for clicking on them. So these may be basic, but we often ignore them precisely because of this. These are a few steps that each of us needs to take, and always be on the alert.

The first is: please do not connect all your accounts to Gmail, or to any email in general, but definitely not Gmail, because with Gmail there are so many platforms that do an investigation of the email itself that it is simply insane how much information comes out of it. If you are a public person and you need to have a public profile, restrict the posts in which you share photos with family or something more sensitive; do not accept just any people as friends, you never know who will be what. And of course we all know it: use strong passwords, at least 12 characters, lowercase, uppercase, special characters, numbers, and change them often. And yes, no matter how banal these things are, they really protect. The other thing we can use is a VPN; a VPN anyway hides us to some extent, and the IP address, so even if some information is collected about us, if we change our password often and hide our IP address, the information that is collected and subsequently leaked is not necessarily the real one. The other thing is, if possible, do not put your full name and ID in your username; I hope that is clear to everyone, but in the end it turns out that is not the case: many people use personal information in their username, so that it can be exploited for the full further investigation. Try as much as possible not to put your personal names on your profiles. Right now we all know that LinkedIn is a great place to find new opportunities, but it is not mandatory to put all your names; your full name can be an abbreviation, as close as possible, so that it protects us.

In addition to the standard things we said about the attack, another thing that can be used is SIM swapping. When a threat actor already has all the information available that we showed is possible to collect, he can call your telecommunications operator and say: hello, I'm John Doe, I lost my SIM card, this is my date of birth, this is my EGN or SSN, in this case, please send me a new SIM card. Something else: security questions, forgotten password, or the password is not secure, we all know, right: which city you are from, the name of your pet, your mother's maiden name; all these things are already collected and available to the threat actors, so they can skip even such a thing.

And well, that's all from us. Actually, as a final word, I would like to tell you about a case that was presented as a news headline a little earlier. There was a case in Hong Kong in February where an employee transferred 25 million, 25 million. In fact, he was contacted by a so-called CFO, I think, or some kind of boss, who said, so and so, I need to transfer this money; this was by email. The employee is skeptical, it's not that, he wants a personal meeting, but the next moment he tells him, I can't, let's make a call with me and with others. The worker gets into a call, there are maybe 10 people, I have no idea how many, it doesn't matter; the point is that everyone on the call turns out to be fake, he transfers the money, about 25 million goes away. This is pure proof of how, with good enough OSINT, because they knew who was authorized in this company to transfer such amounts, they knew his employees, they knew, right, which employees he was closest to, all of this is OSINT and a big prerequisite for a future attack, which in this case was, right, carried out. Just be really careful what you share on social media, because a very large percentage of attacks start with the easiest entry point to the system, namely a person. And that's it, thank you. If you have any questions...