Graham Kates, an investigative reporter, shares the types of data cybercriminals can look up about anyone on the Dark Web.
CNET and CBS News Senior Producer Dan Patterson sat down with CBS News Investigative Reporter Graham Kates to discuss the types of data cybercriminals can look up about anyone on the Dark Web . The following is an edited transcript of the interview.
SEE: Dark Web activities: 10 signs that you've been breached (free PDF) (TechRepublic)
Dan Patterson: The Dark Web is full of guns and drugs and other terrible things, so we had a company look for us on the Dark Web. What did they find about you?
Graham Kates: They found data.
Graham Kates: So they found spreadsheets of information. Not just me, but lots of people, and it was a variety of information that you can then put together to learn more about individual people. But I should note, it wasn't actually me that they found information about. My address popped, and there was information about neighbors who had lived in my apartment building, and it wasn't just little bits of information. These were from what are called Fullz and Dumps. So these are like full portfolios of information about people. Their names, where they're from, that kind of information. Then you can use that to do all sorts of stuff.
More about cybersecurity
- Cybersecurity no. 1 challenge for CXOs, but only 39% have a defense strategy
- Why deepfakes are a real threat to elections and society
- 10 signs you may not be cut out for a cybersecurity job
- Dark Web: A cheat sheet for business professionals
Dan Patterson: In this portfolio of information about you and your neighbors, give me some examples of what's in those little rows and columns inside the spreadsheet of information that we call data.
Graham Kates: So one particular thing that came out, it was actually information that had been called from a campaign donation database, and so when you donate to a campaign you say who you are, sometimes you put where you're from, and of course how much money you're willing to give, which is an indication of how much money you have, if it's a lot of money. And then they were able to, of course, match this to the actual address where the people came from. You have this information and then maybe for instance you have an email address—you can really start to put together a profile of a person to replicate them. I bring up email because that's where you were vulnerable.
SEE: We found our personal data on the dark web. Is yours there, too? (CBS News)
Dan Patterson: Yeah, so it turns out that I was included in a number of different dumps. My email address, as well as my phone number and my UD ID. Now my UD ID is my phone, my iPhone's unique device identifier. With that information I was able to plug this into a Google map and see exactly where my phone had been at almost any given moment in time.
Graham Kates:You were truly much more vulnerable on the Dark Web than I was, and I'm really happy about that. My random address pops up but that's it, I mean, your UD ID is everything about you in some ways.
Dan Patterson:The most terrifying thing about this was that it was in a database of about 12 million records.
Graham Kates: Okay, so our information was on the Dark Web, which is not the kind of stuff you can google for, but on these marketplaces that have really cliché lines of names, Omerta and Black Stuff, but some of this information you can get just by Googling or searching people on the surface internet, right?
Dan Patterson:Yeah, I in fact found my stuff, in addition to having our friends look for us... I found myself on a dark web search engine called Torch, and then it linked back to a Clearnet search that I found using DuckDuckGo. DuckDuckGo is a lot like Google except it indexes almost everything, including Dark Web .onion URLs. So I was able to not only find my information but verify it on the Clearnet.
Graham Kates: That means I don't even have to have any special software to find out where you've been.
Cybersecurity Insider Newsletter
Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays
Sign up today
- Cheat sheet: How to become a cybersecurity pro (TechRepublic)
- How to safely access and navigate the Dark Web (TechRepublic)
- IT leader's guide to the Dark Web (Tech Pro Research)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- The best password managers of 2019 (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)
Doxing happens when someone publishes private information about a particular person, such as their email address, full name, place of employment, phone number, or physical address with malicious intent. Even if you yourself aren’t the target, most doxes also include personal information about friends and family, including postal addresses and social media accounts.