Doxxing the Billionaires
Even the moneyed elite is easily doxxed. An example.
A year or so ago I stumbled upon this billionaire guy and thought: What information could this well-protected guy possibly still have floating around on the internet? It turned out, it was a lot. Compromising information even. The video summarizes what information I found and how this private information presents a security threat.
I have picked a random billionaire, who is most definitely on this list,
and checked to see what information I can gather about him and, as a fictitious bad guy, see how I can use this information to harm the person or realize a financial gain. This is a very real person who is alive but of course I am not going to reveal his identity here. We’ll call him Wilbert McLegacy. Some details of the information, like passwords, emails, and exact addresses, have been changed to conceal his real identity. But the point is that any skilled investigator can find this information from openly available sources. I have not even paid a single cent to access or collect this information. Anyone who cares to look will have access to this information which, and I will show how, presents a security risk to that particular billionaire.
Wilbert is currently the CEO of a large multi-national retail business, a Fortune 500 company publicly-traded on the stock exchange. He inherited this position from his father, who in turn inherited it from the grandfather. Therefore Wilbert comes from generational wealth, and grew up lacking nothing, rarely being told “no”. This is an important security issue explained later.
Starting with public news stories and interviews of Wilbert McLegacy, I find that he married in August 2015 and has two kids. Approximate birthdates of the kids are gleaned from proud relatives on Instagram and the number of children in news articles over time.
Wilbert was sent to a university in London to study business and was handed the reigns to the company shortly after his return from the study program. He is a conservative catholic steeped in traditional values.
Looking at his LinkedIn profile, I check several scraped databases, which reveal two associated email addresses. Firstname.lastname@company.com and FirstLast@hotmail.com. Why is this not a good idea? These email addresses are easily guessable and are invariably associated with him and his activities. If you’re a billionaire you’ll have a lot of people trying to contact you. There are a number of methods to keep the email safe. Even throwing some random numbers onto these email addresses will block maybe 90% of crazy people and leave time and money to deal with the more determined threat actors.
The email addresses turn out to be associated with data in several leak databases. These always change or get shut down. Some people just make their own by collecting the files released from breaches, leaks and hacks that are not hard to find once you know where to look.
I check the email addresses against a WhoIS database of historical web domain owners and find that he registered a now expired domain. WilbertMcLegacy.com Only one email turns out to be associated with this domain WM@WilbertMcLegacy.com. Not very subtle. This email in turn pops up in the leak data base of the extramarital affairs website Adult Friend Finder, something his catholic family would surely disapprove of.
A threat actor could be anyone: A revengeful ex girlfriend, an unscrupulous businessman, a ransomware group, or even a nation state. This information would be like striking gold and could be used, for example, to extract a favourable business deal from Wilbert’s company.
Even more harrowingly, I find that Wilbert has used his official and guessable company email to order food to his private residence using his cell phone number in the process. Through other undisclosed means I was able to confirm that this was indeed his actual main residence and currently active mobile phone number. I have it stored in my contacts and occasionally check his WhatsApp status.
Rival business groups with few ethics concerns may attempt to clone that number and gain access to valuable business data or to initiate a costly ransomware attack on his company. Ransomware costs usually extend far beyond the price of the ransom. Companies of similar size and exposure to his have paid upwards of 50 million dollars to deal with such an incident.
But now we also have his home address where his wife and kids live. Although kidnappings have fallen out of favor with criminal groups, the information can be used to initiate a confidence scam. I analyze the address in the small town he lives in and realize there is only one elementary school, and only one large park and playground for his small kids to play on in public. Presumably the family can be found there at times and one could use the information to befriend the family with nefarious purposes. A streetview image of the house shows garbage cans placed in a way that would make climbing the extra-high fence a breeze on pick-up day. All this knowledge because of the food order from the business email address.
Worse yet, the grandma appears to be a chatty Cathy and has revealed the names of the children in a charity blog article from several years ago.
Altogether I come up with 6 current and former email addresses. For several of these I find associated passwords on the darknet. The schema of the passwords suggests a relatively simple or hackable pattern. Because the company is publicly traded, another threat actor could be a short seller, trying to bring false information into circulation by gaining access to the company’s social media accounts or the CEO’s email account to trigger a short-lived, albeit profitable, stock price drop.
To complete this doxxing exercise I also investigated this billionaire’s wife and his executive assistant in the same way I have shown here. The reason is that they might present an easier attack vector. And that’s how you doxx a billionaire.
This man has unwittingly exposed himself, his family, and his business to threat actors by leaving this information freely available on the internet. This person very very likely already has a security team in place. So why, despite all the available resources, is this information still accessible? Billionaires have the challenge that everyone wants a piece of their pie. Requests for money and business become old fast, so security contracts are put out for bid in order to get more reasonable quotes. Then, a security company is hired. This company wants to keep the contract long-term and not upset their customer. Are they going to tell him about the extramarital affair website? Maybe, but it’s an uncomfortable situation that will likely be avoided. Are they going to tell him he can’t use his business email for private purposes anymore? Maybe even tell him to get a dual SIM card cell phone? Some of these very wealthy customers do not react well to being told that they cannot do something, or that they have to change an ingrained habit. A contract for removing or securing this openly available information may have even been offered but turned down by the customer for financial or personal reasons.
It's a unique challenge and billionaires, whose best bet is obscurity, may have to think twice about leaving the fate of this digital information up to chance.