16

I have seen an email which, from its content, is obviously a phishing/spurious email. However, the personal content is quite revealing and specific to that individual. How could I go about investigating how and where this personal data was 'leaked' from?

A sample of the content/text is:

Dear XXX, Invoice - HWNG6945RYVIZ
NAME SURNAME
1st Line of address
2nd Line of address
County
Postcode
Pass - 1234
I look forward to hearing from you,
Sender's Name

Also worth noting that there is a zip attachment to the email, so that's a massive stand-out no-no that this is dodgy. However, as above, the information they do contain is scarily accurate. So where did they get this from?

galoget
Djuro
    It's obviously leaked from whichever site you used that password on. You don't use the same password on different websites, do you? If you do, it's about time you get a password manager. – Philipp May 16 '17 at 15:29
    Given the information you've displayed, I'd guess it was "leaked" from the phone book or some other public source of information. I'm not seeing anything in there that's secret. – Mark May 16 '17 at 22:45
    Do you own any domain names without privacy options? I get a lot of spam/scams with address information scraped from WHOIS records. – tangrs May 17 '17 at 04:01
    At some point over the last few months, someone managed to link my surname and an old postal address with my email address. :( Sux0rs. I wish I'd been more fastidious about using unique email addresses for each online service, because the horse has bolted now and that's that. Absolute scum. :( – Lightness Races in Orbit May 17 '17 at 09:45
    A small trick is to identify your email address uniquely when creating an account. E.g.: nukeface+stackoverflow@domain.com or nukeface+security@domain.com, nukeface+somenewsoutlet@domain.com. Anything after the `+` character in an address is ignored per the [RFC standard](https://tools.ietf.org/html/rfc5322). That way, if they send you crap, you see from which site they got the address ;) – rkeet May 17 '17 at 10:32
  • @Nukeface: That’s a feature of *some* mail servers/providers, but not part of the RFC, no? (i.e., it’s not standardized, `+` has no reserved meaning like that) For example, with qmail, it’s typically `-` instead of `+`. – unor May 18 '17 at 21:56
  • @unor it's stated in this [RFC 5322 standard](https://tools.ietf.org/html/rfc5322#section-3.2). Not sure about all allowed chars though. Found that in [this answer](https://webapps.stackexchange.com/a/26057) – rkeet May 19 '17 at 08:08
  • @Nukeface It doesn't always work. IIRC Amazon doesn't allow `+` in the email field – Ploni May 22 '17 at 20:30
    Would depend on the builder if they fully implement the standard though @Ploni. So you'd find that some websites, which don't use a standardized library/module/framework/cms, omit the usage of these things as the devs have not read/implemented the standard in their custom build modules/applications. – rkeet May 23 '17 at 07:50

6 Answers

23

This could be related to almost anything. Personal information is sold just like any other "thing" on the darkweb, and even on the "web" by relatively legal entities: data brokers are selling personal information just like any other stuff.

In addition to this, as @anon said, OSINT tools might be used to gather information about persons, and there are a lot of such tools (Shodan, Recon-ng, Foca, Maltego ...).

Another way is previous data breaches, defined as:

"A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so."

You can check if you are a victim of a previously known data breach using your email at Have I Been Pwned.

Hope it helped

Arminius
Soufiane Tahiri
8

One way to check for personal information is by using Google. Just insert the string you want to search for and surround it with double quotes, like "NAME SURNAME". This will display some sites where exactly this match is found. You can check for other personal data from that mail, too. That way you probably can get close to the source of the information leakage.

There is a methodology called Google Dorking where you can get various information by just using google even if you do not have a concrete target. (see: https://en.wikipedia.org/wiki/Google_hacking) There are databases that contain a lot of these dorks. (see: https://www.exploit-db.com/google-hacking-database/)

Another thing to dig deeper in are OSINT (Open Source INTelligence) tools that gather such information from various databases among the internet. Most of these tools are publicly available and integrated in Kali Linux. (https://www.kali.org)

And some people like to look in the past to acquire such information from webservers that were publicly available and are now closed. One source for this information is: https://archive.org/search.php

And since I do not know who your "hacked" person was - it might be that there are some publicly available social networks where you can get some data from (e.g. Facebook, Google+, Twitter), or even his own homepage where his information is in the "contact" section or available using whois.

Also consider that there is some person around the "hacked" one who knows that information and just told it to someone else without using super-secure cryptography to keep it private (or may be the attacker himself).

Last but not least, there might be a chance that someone in your company leaks that information or is the attacker himself.

Although I hate to think of the last two points, I still think they are possible and probably hard to detect.

anon
5

Your PI (personal information) is your PI, and in the 21st century you can't really avoid spreading it around everywhere. That means when someone has your PI it's hard to find out from where they might have gotten it. In some countries you have a legal right to ask companies to tell you, but that obviously only works if the source of the email is easily identifiable, which is usually not the case with phishers and other criminals.

What I do to identify leaks of my PI is to give every website I use a different email address. You can do that if you register your own domain name and then configure its email server as a catch-all. That way all emails which arrive at that domain go to one mailbox and you don't need to create a new email account for every website. Yes, this costs money if you don't need a domain name with a mail server anyway, but not having to endure the advertisements and privacy infractions which come with most free email services is worth the price of admission alone, IMO.

So whenever someone asks me for my email address, I give them an address in the form [theirname]@[mydomain]. When someone wants to phish or spam me, they will usually do that to the email address which came with the dataset, so when I suddenly receive spam on an address which I only gave to a single website, I know who either lost or sold it.

A drawback of this scheme you need to be aware of is that registering a domain means putting your PI into the public WHOIS database. So anyone who realizes that you do this can find your personal information from your email address. But fully automatic data-miners will usually not be able to connect these dots because they have no way to be sure that you are the only person who uses email addresses for that domain. But if you want to be safe, use a register-by-proxy service.

Philipp
3

If you are worried that websites where you sign up are leaking your information, one possible way of tracing a leak is by signing up with slightly different names and email addresses to each website.

The easiest way to do this is by changing your middle name. So you would sign up to one website as John A. Djuro, to the next one as John B. Djuro, then John C. Djuro, and so on. The upside of this is that all mail sent to you should still reach you, but you will see when unsolicited mail or email arrives that contains the respective name you used.

For email addresses, you could use separate addresses for each site you sign up with. One possibility of doing this is by registering your own domain as suggested by @Philip in another answer. Also, some freemail providers allow you to modify your address and still receive all the messages. In the received message, you will then see the address to which the message is sent. For example, if you have a GMail account you can add a plus sign and any string you want to your address. So, if you own djuro@gmail.com, you could sign up with djuro+fishywebservice@gmail.com to some site and would still receive their emails. See GMail help here, the bottom section on "Use Gmail aliases".

However, once you have that information, there is not a lot that you can do with it. When confronted with the allegation of selling your data, no company in its right mind would confirm that it does so, and you would probably have a hard time finding hard evidence against them. The only thing you can do is terminate your business relationship with them, but this will still not un-leak your personal information.

Chris
  • Wouldn't signing up with fake middle name potentially lead to some legal problems? – Dragomok May 17 '17 at 10:57
  • @Dragomok It probably depends on where you do it. I wouldn't recommend it when signing up for important stuff such as banking or insurance, but any random shop or community is unlikely to really care. – Chris May 17 '17 at 10:59
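The per-site address schemes described in Philipp's answer (a catch-all domain with one local part per site) and in Chris's answer (plus-addressing such as djuro+fishywebservice@gmail.com) only pay off if you can quickly map an incoming spam message back to the site that was given that address. The script below is an added example, not code from any answer on this page: it parses a raw message, reads the address it was actually delivered to, and looks it up in a small registry of "which address went to which site". The registry, domains and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import getaddresses
from typing import List, Optional

# Hypothetical record kept by the mailbox owner: lower-cased address -> site it was given to.
ALIAS_REGISTRY = {
    "djuro+fishywebservice@gmail.com": "fishywebservice",
    "djuro+forum@gmail.com": "some-forum",
}
# Catch-all domains where the local part itself names the site ([theirname]@[mydomain]).
CATCHALL_DOMAINS = {"catchall.example"}

# Constructed sample: the spammer addresses the mail to a throwaway To: value, but the
# Delivered-To header shows which tagged address actually received it.
SPAM_PLUS = (
    "Delivered-To: djuro+fishywebservice@gmail.com\n"
    "To: victim@other.invalid\n"
    "From: billing@spam.invalid\n"
    "Subject: Invoice - HWNG6945RYVIZ\n\n"
    "Dear customer, see the attached zip.\n"
)
# Constructed sample for the catch-all scheme; note the mixed-case local part.
SPAM_CATCHALL = "To: Shop-B@catchall.example\nFrom: billing@spam.invalid\nSubject: Invoice\n\nHello\n"


def recipient_addresses(raw: str) -> List[str]:
    """Return every address the message was delivered to or addressed to, lower-cased.
    Delivered-To comes first because a bulk sender's To:/Cc: often does not name the
    real recipient (BCC blasts), while Delivered-To is added by your own mail server."""
    msg = email.message_from_string(raw, policy=policy.default)
    pairs = []
    for header in ("Delivered-To", "To", "Cc"):
        pairs.extend(getaddresses(msg.get_all(header, [])))
    return [addr.strip().lower() for _, addr in pairs if addr]


def leak_source(raw: str) -> Optional[str]:
    """Name the site that was handed the recipient address, or None if nothing matched."""
    for addr in recipient_addresses(raw):
        if addr in ALIAS_REGISTRY:
            return ALIAS_REGISTRY[addr]
        local, _, domain = addr.partition("@")
        if domain in CATCHALL_DOMAINS:
            return local  # catch-all: the local part is the site tag by convention
    return None


if __name__ == "__main__":
    print(leak_source(SPAM_PLUS), leak_source(SPAM_CATCHALL))
```

A real deployment would feed this from a mail filter (procmail, Sieve, or an IMAP client) and append the result to a log so repeated hits for the same site stand out.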
2

You can start looking at the topic such as digital footprints. For a simple start, you can google your name and ZIP code.

There are many ways that a person may leak their own information voluntarily, i.e.

  • Facebook (when you play with those "profile yourself as something" fake games)
  • Linkedin (your name and company address)
  • "FREE" contents subscription

Possible involuntary leaks:

  • compromised online shop
  • infected machine
  • login through insecure Public WIFI
mootmoot
2

You don't.

I have a "send spam here" email address I use for precisely this reason. If I need to register at a site that feels the slightest bit spammy or dodgy, I give them that email, which I never read except to get at a specific message, i.e. the registration confirmation from the site.