Probiv: The missing pieces to a cybercriminal’s puzzle
November 26, 2019
A husband wants to find out who owns the unknown number that’s been ringing his wife’s cell phone late at night. A private detective needs to track the location of the missing person they’ve been tasked to find. A fraudster would like to obtain a bank account holder’s passport details for an elaborate scam designed to steal the victim’s savings.
In any typical circumstance, that missing piece of information would be difficult to track down, and rightly so: This data is categorized as personally identifiable information (PII), and entities holding this type of data must protect it accordingly. But in the cybercriminal underground, there’s a service (and even a dedicated platform) that enables anyone to obtain sensitive information via insiders: Probiv.
What is probiv?
Probiv is a Russian-language slang term best translated as “look-up”. It describes a service offered mainly on Russian-language cybercriminal platforms in which a user provides a piece of personal data belonging to an individual and—in return for a fee—receives other information associated with this target. The service is incredibly common, and vendors offering such deals can be found in dedicated sections on cybercriminal platforms frequented by beginners as well as on gated sites offering exclusive content for the most serious threat actors. Alongside these forums, the Russian-language cybercriminal community has even developed a dedicated platform, “Probiv” (original name, right?), that boasts over 600,000 posts and almost 50,000 members. Established in 2014, this dedicated platform illustrates the need within the Russian-language cybercriminal landscape for centralized hubs with specialized, even premium, offerings—in much the same way as dedicated carding or coding forums exist.
Figure 1: Screenshot from the Probiv forum
Probiv Forum: What’s being offered?
The type of information that can be obtained depends on the nature of the initial piece of data submitted as well as the specific service with which the buyer engages. Offerings can range from exclusive access to passport agencies (which would allow a user to obtain details of the victim’s address or date of birth, etc.) to account holder details for a financial service or data from telecommunications companies revealing the location of a cell phone owner. Service providers usually advertise a range of specialized offerings that draw on specific sources, including telecommunications companies, state agencies, and banks.
For example, Digital Shadows observed one vendor on a well-known Russian-language cybercriminal platform claiming to offer information from the Russian telecommunications providers MTS, Megafon, Tele2, Rostelekom, Motiv, and Yota, as well as data from unnamed banks, the Russian tax service, traffic police, and internal affairs ministry (Figure 2).
Figure 2: Screenshot showing post offering probiv services on Russian-language forum
How does probiv work?
Forum posts and investigative journalists have suggested that sourcing such sensitive information in the Russian-language cybercriminal community is facilitated via employees using their privileged position to perform searches on internal systems to obtain data requested by the forum vendors, who act as intermediaries. As such, probiv differs from look-ups that use historic leaked databases to perform searches: Probiv vendors can offer real-time, up-to-date information belonging to the target as long as their sources are still employed by an organization.
For example, one vendor on a prominent Russian-language forum uses data from cell phone companies to offer buyers the ability to:
- Find out the identity of the owner of a cell phone number
- Receive the number’s call/SMS records
- Geolocate the phone using phone mast triangulation
The same vendor draws on government data to offer:
- Passport information
- Driver’s license information
- Vehicle ownership
- Marital status
- Criminal records
- Travel history
- Real estate purchases
- Company employee lists
- Tax records
The vendor also uses banks’ records to obtain information on bank cards and accounts, including the balance, withdrawals and payments, statements, and code words to access the account. Prices vary depending on the sensitivity and scope of the information requested, ranging from RUB 600 to 5000 (USD 9.39 to 78.25 at the time of writing).
In order to purchase a probiv lookup, a buyer must contact a vendor with a specific piece of information belonging to the victim and outline their requirements as to the additional data they need. Vendors usually provide multiple contact details for this initial contact, including forum private message, Jabber IDs, or Telegram handles.
Why choose probiv?
Buyers looking for cell phone data may wish to track a missing person or estranged lover. Buyers seeking bank data may want to conduct financial fraud. The motivations vary depending on circumstance.
The incentives for the seller or the criminal employee are less personally driven and more financially motivated. Especially in Russian-speaking countries, where wages tend to be lower than in other European nations, engaging in probiv services may provide valuable additional income. However, probiv isn’t a scalable solution: Given the manual nature of the scheme, services can only handle small numbers of requests at any one time. The process also relies on a ready supply of willing employees prepared to jeopardize their positions within an organization.
What about the English-language scene?
The English-language cybercriminal scene tends to take its inspiration from the Russian-language community, and frequently follows where the latter leads. As such, probiv has historically been much more common on Russian-language cybercriminal platforms than English-language ones, which have traditionally hosted similar, but much more limited offerings. Digital Shadows has observed limited instances of users on English-language cybercriminal platforms selling a personalized, up-to-date probiv service.
In terms of makeup, the major difference between these offerings and the Russian-language probiv scene is that the English-language functionalities tend to be automated or self-service: They offer users the ability to search on their own, rather than providing their criteria to a vendor who makes the enquiries. The information available likely draws on existing databases, rather than offering real-time intelligence.
Probiv on AVCs
For instance, some English-language automated vending cart (AVC) sites selling credit/debit card information feature a small subsection that allows users to search for a social security number or date of birth associated with a name, likely drawn from data stored in the site’s collection of credit card information. A now-defunct dedicated site called SSNDOB served the same function. Many users on English-language platforms also offer services to parse the databases they possess for specific criteria.
Probiv on forums
In April 2019, a user on Hackforums—generally seen as the domain of beginners and script kiddies—offered to use their privileged position working in a telecommunications company’s call center to perform searches on internal systems and provide information about cell phone owners. In August 2019, a user on the recently launched English-language forum Torum offered to perform probiv look-ups in systems belonging to an insurance company to which they allegedly had access. In this instance, if the buyer could provide specific data such as a victim’s email address, the vendor would provide the victim’s personal data, including telephone numbers, physical addresses, full names, social security numbers, medical history, and United States immigration status.
Figure 3: User offering probiv-like services on Torum
Notably, these real-time, customized probiv services offered on English-language platforms are extremely limited and specific: Vendors who find themselves with privileged access to a company’s internal systems can perform look-ups within that organization. However, if buyers’ targets are not customers of that company, the look-up will be unsuccessful. In contrast, Russian-language vendors can use an entire network of banks, telecommunications companies, and government agencies to return substantive results for their buyers. An English-language vendor offering an entire range of sources within one service would likely be regarded with suspicion by forum members, who may view the offering as a potential honeypot.
What accounts for these differences?
- Regulation: In general, data privacy crimes are more regularly prosecuted in Western and English-speaking nations than in Russian-speaking countries. According to a recent BBC Russia investigation into the phenomenon of probiv, only 49 sentences were given to individuals engaged in probiv in Russia in 2018. English-speaking nations typically regard violations of privacy as more serious and socially harmful, meaning cybercriminals operating on English-language forums may feel more at threat of being targeted by law enforcement. At an organizational level, the introduction of the European Union (EU) General Data Protection Regulation (GDPR) brings greater responsibilities (and big fines) for organizations to protect customer data in terms of compliance, notification, and regulation.
- Wages: Lower wages in Russian-speaking nations may cause employees to view taking advantage of their paid position as a more attractive option, despite the risks that this engenders.
- Forum stability: The English-language cybercriminal scene is much more fragmented than its Russian-language counterpart. English-language forums are characterized by a “whack-a-mole” tendency in that forums and marketplaces frequently disappear due to exit scams or law enforcement disruption only for new sites to spring up to take their place. The Russian-language cybercriminal scene is remarkably stable, which allows sites and vendors to build up reputations in offering specific services. Moreover, the international nature of English as a lingua franca means that users on English-speaking forums often hail from diverse jurisdictions and may not necessarily have access to systems that would be attractive to the site’s user base.
- Forum identity: English-language cybercriminal forums often suffer from a lack of identity and discipline. This type of activity either goes unnoticed because it is included in the wrong subsections, or because the forum doesn’t have a large enough audience that is specifically interested in this type of offering to make it as viable a business as on the Russian-language side.
The future of probiv
Perhaps due to the scarcity of high-value probiv offerings in English-language forums, English speakers have increasingly been turning to Russian-language forums to request these look-up services. Recently, Digital Shadows observed (Figure 4) a user on a Russian-language forum looking for driver’s license look-ups for US states and another looking to find bank account information associated with individuals’ names. However, such requests tend to go unanswered, likely due to the lack of available information for citizens of Western nations compared to those from former Soviet Union countries. Even if the English-language scene improves its stability and the quality of the offerings that vendors advertise, it is unlikely that the probiv scene will begin to flourish on English-language platforms. Such a development would require dozens of willing individuals to participate in probiv networks. The market for real-time individualized look-ups on Russian-language platforms is, in contrast, unlikely to diminish in the near future.
Figure 4: User on Russian-language forum looking for driver’s license look-ups for US states
What can you do to mitigate the threat of probiv?
To avoid becoming the victim of probiv, here are some steps you can take that may help reduce the risk of falling foul of this particular cybercrime:
- Prepare yourself and mitigate data leakage with system controls or fine-grained security to ensure you are handling and managing data effectively
- Protect yourself from data leakage with secure portals, ensuring your infrastructure is not inadvertently leaking data
- Ensure compliance with data protection regulations
- Respond to data leakage by managing your response to violations or instances of data leakage effectively and swiftly
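Because probiv relies on employees running look-ups on internal systems on behalf of a vendor, the most direct system control is to audit who looks up which customer records and why. The following is an added example, not code from Digital Shadows or any product: it parses a constructed audit log from a hypothetical customer-record system (the log format, field names, agents, and thresholds are all assumed) and flags agents whose look-ups are not tied to a support ticket or happen outside working hours.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed audit log from a hypothetical customer-record system (not a real product's format).
# Fields: UTC timestamp, agent, action, looked-up subject, linked support ticket ("-" = none).
SAMPLE_LOG = """\
2019-11-20T09:14:05Z agent=a.petrov action=customer_lookup subject=+79001234567 ticket=T-1001
2019-11-20T09:20:11Z agent=a.petrov action=customer_lookup subject=+79001234568 ticket=T-1002
2019-11-20T10:02:40Z agent=a.petrov action=customer_lookup subject=+79001234569 ticket=T-1003
2019-11-20T02:14:05Z agent=b.orlov action=customer_lookup subject=+79007770001 ticket=-
2019-11-20T02:15:30Z agent=b.orlov action=customer_lookup subject=+79007770002 ticket=-
2019-11-20T11:40:00Z agent=b.orlov action=customer_lookup subject=+79007770003 ticket=T-1004
2019-11-20T23:05:00Z agent=b.orlov action=customer_lookup subject=+79007770004 ticket=-
2019-11-20T12:00:00Z agent=c.smirnova action=password_reset subject=+79005550001 ticket=T-1005
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) agent=(?P<agent>\S+) action=(?P<action>\S+) "
                     r"subject=(?P<subject>\S+) ticket=(?P<ticket>\S+)$")

def parse_log(text):
    """Parse audit lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["hour"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
            events.append(ev)
    return events

def flag_lookup_abuse(events, max_unticketed_ratio=0.5, min_lookups=3, work_hours=(8, 20)):
    """Return {agent: [reasons]} for agents whose record look-ups suggest insider look-up abuse."""
    stats = defaultdict(lambda: {"total": 0, "unticketed": 0, "off_hours": 0})
    for ev in events:
        if ev["action"] != "customer_lookup":
            continue  # only record look-ups are in scope for this rule
        s = stats[ev["agent"]]
        s["total"] += 1
        s["unticketed"] += ev["ticket"] == "-"            # look-up with no customer request behind it
        s["off_hours"] += not (work_hours[0] <= ev["hour"] < work_hours[1])
    flagged = {}
    for agent, s in stats.items():
        reasons = []
        if s["total"] >= min_lookups and s["unticketed"] / s["total"] > max_unticketed_ratio:
            reasons.append(f"{s['unticketed']}/{s['total']} lookups without a ticket")
        if s["off_hours"]:
            reasons.append(f"{s['off_hours']} lookups outside working hours")
        if reasons:
            flagged[agent] = reasons
    return flagged
```

On the constructed sample, only b.orlov is flagged (3 of 4 look-ups unticketed, 3 outside working hours); in practice the thresholds should be tuned per team and paired with a review of whether the looked-up subjects match the agent's assigned queue.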