we hack scammers

blog post 5:

Hi everyone!

If you are just getting into scambaiting, the easiest thing to do is call scammers and mess around with them. If you want to collect information from them, it gets a little more complicated. But where you start getting into potentially dangerous territory is when scammers try to take control of your computer. This is particularly relevant because it is how they make even more money off you: they show you some innocuous error messages, claim your computer is riddled with malware, and tell you that you need to buy their malware cleanup tool or service. This is of course not true, and their "cleanup tools" are usually malware themselves. These can be fun scammers to mess with, but you need to be very careful about how you screenshare.

Obviously, you do not want to let scammers onto your real computer. The usual answer to this is a Virtual Machine (VM). We have discussed methods for this in previous articles, but here I am going to talk about some specifics. Our preferred VM client is VMware, but you can use any that you want.

The absolute number one priority with VMs is security. It doesn't matter how realistic your VM is: if it leaks your information or somehow makes you unsafe and vulnerable to scammers, it is a bad VM. It is a good idea to disable all the convenience features VM vendors add to make their products easier to use. For example, you can frequently set up a shared filesystem between the host machine and the VM, or even share your clipboard so you can copy and paste between the two. When it comes to setting up a secure VM, both are a bad idea. They open up more avenues for a skilled scammer to attack your host and/or escape the VM. VM escapes are not common, and known vulnerabilities get patched very quickly, but it's the unknown vulnerabilities that are scary.
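As an added example (not from the original post), this is what turning those convenience features off looks like in a VMware Workstation `.vmx` file. The option names are VMware's documented `isolation.tools.*` settings; edit the file only while the VM is powered off, since VMware rewrites it on shutdown.

```ini
# Hardening entries appended to the scambaiting VM's .vmx file
# (VMware Workstation). Values are quoted strings, VMware style.

# Clipboard sharing in both directions (guest <-> host)
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"

# Drag-and-drop of files between host desktop and guest
isolation.tools.dnd.disable = "TRUE"

# Shared folders (HGFS): the guest must not see any host filesystem
isolation.tools.hgfs.disable = "TRUE"

# Unity mode blends guest windows into the host desktop; keep it off
isolation.tools.unity.disable = "TRUE"

# Stop the guest from toggling its own GUI/integration options
isolation.tools.setGUIOptions.enable = "FALSE"

# Guest-initiated virtual disk operations (shrink/wipe) touch host files
isolation.tools.diskShrink.disable = "TRUE"
isolation.tools.diskWiper.disable = "TRUE"

# Guest may not connect/disconnect or reconfigure virtual devices
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "TRUE"

# Do not expose host performance/identity info to the guest via Tools
tools.guestlib.enableHostInfo = "FALSE"

# No VNC listener on the host for this VM's console
RemoteDisplay.vnc.enabled = "FALSE"
```

After booting, confirm the settings took effect by attempting a copy/paste from host to guest and checking that no "Shared Folders" entry appears in the guest's file explorer.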

The next step, which is just as crucial as making sure scammers can't hack out of the VM, is to make sure there are no identifying pieces of personal information in the VM. Everything from the username that shows on the screen to the timezone you are currently in is a potential piece of information a dedicated scammer could put together to identify you. The less information they have about you, the better.

Once you have a secure machine, the optional step is to remove any indication that you are running in a VM. This is very difficult to do. VMs essentially work the way the name suggests: they virtualize everything. Your VM does not have a real display, it has a virtual display. That means the device driver that translates software signals into hardware signals for your display must also be virtual, so that software can run unmodified. Typically, these device drivers have names like "VMware Display Driver Version X.Xx". An experienced scammer will pick up on this very quickly and realize you are running inside a VM. To combat this, you can, to a certain extent, rename these drivers to something more generic. All you are changing is the display name, so it shouldn't impact the functionality of your VM.

You can modify these display names by trawling through the Windows Registry and changing anything VM-specific to something generic. BE VERY CAREFUL while doing this, as changing the wrong thing in the Registry could brick your computer. Definitely do not do this on your host machine unless you really know what you are doing. In the VM the risk is slightly lower, because if you mess up, the worst that happens is you delete the VM and start over. It's a pain, but it's better than destroying your real computer.

There are many tutorials out there on making your VM more secure and less detectable; I leave finding these to you. The last thing I will leave you with is the extra step we take to be even more secure. We do not run VMs on our real host machines; we have an old laptop whose sole purpose is to be the host machine for our VMs. This provides another layer of protection between the scammers and our precious data.

Happy scambaiting!
j-braham