A husband wants to find out who owns the unknown number that’s been ringing his wife’s cell phone late at night. A private detective needs to track the location of the missing person they’ve been tasked to find. A fraudster would like to obtain a bank account holder’s passport details for an elaborate scam designed to steal the victim’s savings.
In any typical circumstance, that missing piece of information would be difficult to track down, and rightly so: This data is categorized as personally identifiable information (PII), and entities holding this type of data must protect it accordingly. But in the cybercriminal underground, there’s a service (and even a dedicated platform) that enables anyone to obtain sensitive information via insiders: Probiv.
Probiv is a Russian-language slang term best translated as “look-up”. It describes a service offered mainly on Russian-language cybercriminal platforms in which a user provides a piece of personal data belonging to an individual and—in return for a fee—receives other information associated with this target. The service is incredibly common, and vendors offering such deals can be found in dedicated sections on cybercriminal platforms frequented by beginners as well as on gated sites offering exclusive content for the most serious threat actors. Alongside these forums, the Russian-language cybercriminal community has even developed a dedicated platform, “Probiv” (original name, right?), that boasts over 600,000 posts and almost 50,000 members. Established in 2014, this dedicated platform illustrates the need within the Russian-language cybercriminal landscape for centralized hubs with specialized, even premium, offerings—in much the same way as dedicated carding or coding forums exist.
Figure 1: Screenshot from the Probiv forum
The type of information that can be obtained depends on the nature of the initial piece of data submitted as well as the specific service with which the buyer engages. Offerings can range from exclusive access to passport agencies (which would allow a user to obtain details of the victim’s address or date of birth, etc.) to account holder details for a financial service or data from telecommunications companies revealing the location of a cell phone owner. Service providers usually advertise a range of specialized offerings that draw on specific sources, including telecommunications companies, state agencies, and banks.
For example, Digital Shadows (now ReliaQuest) observed one vendor on a well-known Russian-language cybercriminal platform claiming to offer information from the Russian telecommunications providers MTS, Megafon, Tele2, Rostelekom, Motiv, and Yota, as well as data from unnamed banks, the Russian tax service, traffic police, and internal affairs ministry (Figure 2).
Figure 2: Screenshot showing post offering probiv services on Russian-language forum
Forum posts and investigative journalists have suggested that sourcing such sensitive information in the Russian-language cybercriminal community is facilitated via employees using their privileged position to perform searches on internal systems to obtain data requested by the forum vendors, who act as intermediaries. As such, probiv differs from look-ups that use historic leaked databases to perform searches: Probiv vendors can offer real-time, up-to-date information belonging to the target as long as their sources are still employed by an organization.
For example, one vendor on a prominent Russian-language forum uses data from cell phone companies to offer buyers the ability to:
The same vendor draws on government data to offer:
The vendor also uses banks’ records to obtain information on bank cards and accounts, including the balance, withdrawals and payments, statements, and code words to access the account. Prices vary depending on the sensitivity and scope of the information requested, ranging from RUB 600 to 5000 (USD 9.39 to 78.25 at the time of writing).
In order to purchase a probiv lookup, a buyer must contact a vendor with a specific piece of information belonging to the victim and outline their requirements as to the additional data they need. Vendors usually provide multiple contact details for this initial contact, including forum private message, Jabber IDs, or Telegram handles.
Buyers looking for cell phone data may wish to track a missing person or estranged lover. Buyers seeking bank data may want to conduct financial fraud. The motivations vary depending on circumstance.
The incentives for the seller or the criminal employee are less personally driven and more financially motivated. Especially in Russian-speaking countries, where wages tend to be lower than in other European nations, engaging in probiv services may provide valuable additional income. However, probiv isn’t a scalable solution: Given the manual nature of the scheme, services can only handle small numbers of requests at any one time. The process also relies on a ready supply of willing employees prepared to jeopardize their positions within an organization.
The English-language cybercriminal scene tends to take its inspiration from the Russian-language community, and frequently follows where the latter leads. As such, probiv has historically been much more common on Russian-language cybercriminal platforms than English-language ones, which have traditionally hosted similar, but much more limited offerings. Digital Shadows (now ReliaQuest) has observed limited instances of users on English-language cybercriminal platforms selling a personalized, up-to-date probiv service.
In terms of makeup, the major difference between these offerings and the Russian-language probiv scene is that the English-language functionalities tend to be automated or self-service: They offer users the ability to search on their own, rather than providing their criteria to a vendor who makes the enquiries. The information available likely draws on existing databases, rather than offering real-time intelligence.
For instance, some English-language automated vending cart (AVC) sites selling credit/debit card information feature a small subsection that allows users to search for a social security number or date of birth associated with a name, likely drawn from data stored in the site’s collection of credit card information. A now-defunct dedicated site called SSNDOB served the same function. Many users on English-language platforms also offer services to parse the databases they possess for specific criteria.
In April 2019, a user on Hackforums—generally seen as the domain of beginners and script kiddies—offered to use their privileged position working in a telecommunications company’s call center to perform searches on internal systems and provide information about cell phone owners. In August 2019, a user on the recently launched English-language forum Torum offered to perform probiv look-ups in systems belonging to an insurance company to which they allegedly had access. In this instance, if the buyer could provide specific data such as a victim’s email address, the vendor would provide the victim’s personal data, including telephone numbers, physical addresses, full names, social security numbers, medical history, and United States immigration status.
Figure 3: User offering probiv-like services on Torum
Notably, these real-time, customized probiv services offered on English-language platforms are extremely limited and specific: Vendors who find themselves with privileged access to a company’s internal systems can perform look-ups within that organization. However, if buyers’ targets are not customers of that company, the look-up will be unsuccessful. In contrast, Russian-language vendors can use an entire network of banks, telecommunications companies, and government agencies to return substantive results for their buyers. An English-language vendor offering an entire range of sources within one service would likely be regarded with suspicion by forum members, who may view the offering as a potential honeypot.
What accounts for these differences?
Perhaps due to the scarcity of high-value probiv offerings in English-language forums, English speakers have increasingly been turning to Russian-language forums to request these look-up services. Recently, Digital Shadows (now ReliaQuest) observed (Figure 4) a user on a Russian-language forum looking for driver’s license look-ups for US states and another looking to find bank account information associated with individuals’ names. However, such requests tend to go unanswered, likely due to the lack of available information for citizens of Western nations compared to those from former Soviet Union countries. Even if the English-language scene improves its stability and the quality of the offerings that vendors advertise, it is unlikely that the probiv scene will begin to flourish on English-language platforms. Such a development would require dozens of willing individuals to participate in probiv networks. The market for real-time individualized look-ups on Russian-language platforms is, in contrast, unlikely to diminish in the near future.
Figure 4: User on Russian-language forum looking for driver’s license look-ups for US states
To avoid becoming the victim of probiv, here are some steps you can take that may help reduce the risk of falling foul of this particular cybercrime: