If you’re a scambaiter, you’ll occasionally run across a scammer who wants you to log in to your bank account. This tutorial will show you how to set up a basic bank website complete with a domain name, all hosted on your own computer. The best part is that it’s compatible with my scambaiting budget at the low low cost of nothing.
IMPORTANT: This tutorial assumes that you have already set up a virtual machine for baiting. If you haven’t set up a virtual machine for baiting, STOP. You shouldn’t be letting scammers remote into your actual machine ever, so get a virtual machine set up first and then come back.
NOTE: This tutorial is aimed at Windows users. Specifically, I’m running Windows 10 on both my actual machine and the virtual machine. If you’re using other OSes, your mileage may vary.
PART I: Things to do on your real machine
Okay maam, I am going to need for you to open Google Chrome and type in this address. The first step is to download the software that allows you to turn your machine into a web server. To get this software, you head over here:
This is the website for XAMPP, a fantastic little webserver-in-a-box that’s pretty much ready to go upon install. Download the installer from the main page, and open it up. Run through all the options. The defaults on everything are just fine. (The only thing I unchecked on the installer was the box to “learn more about XAMPP” on the last install option screen.) It will unpack and install your software. You can go and get a glass of water if you’d like. This will take a moment.
Once the installer is done, go ahead and open the XAMPP control panel. This is where you control what modules are running for your web server using the “Start” buttons on the panel. For our purposes, we only need to start two modules: “Apache” (the web server itself), and “MySQL” for the database we’ll need later on. Start both of these modules, and on the first time you do this, approve their local access through the firewall when prompted.
PROTIP: Remember to turn off these modules when you’re not doing baiting-related stuff to minimize access into your computer.
Now you have a webserver running on your machine. Congratulations! To verify it’s working (and to proceed to the next step), open up your web browser and type “localhost” in the navigation bar and hit enter. You should see a “Welcome to XAMPP” page.
At the top of this page, on the right side, there should be a link marked “phpMyAdmin”. Do one thing and click on the link. This will take you to the php Administration page. From there, on the left hand side there is a column that should have “new” at the top. This is where we’re going to create our bank database. Click on new. On the next page, give your database a memorable name, like “bank”. Hit “create” and bask in the glory.
Now you need a username to access your database. To add one, start by clicking on the “home” button or the phyMyAdmin logo to go to the main page. From there, look for the “user accounts” button on the top right side of the page. (Note: if your window is small, this button gets put into a “hamburger” menu on the right half of the page.)
Below the list of existing users, there’s a link to add a new user account. Click this link. Create your username to access the database here as well as a password. Now maam, be handy with a pen and paper. You will want to write down the username and password you use for setting up the bank later. Once you’ve entered this data, scroll down to where you see a checkbox labeled “Global Privileges” and check this box. This gives the user privileges to everything. Finally, scroll to the bottom and hit “go”, thus creating your user.
With your database and user accounts created, it’s time to install your bank software. For this bank, we’re using Dave Smith Johnson and Son. It’s a baiting bank designed to have most of the features you’ll need to fool your scammers. Fire up ye olde browser and navigate to this link:
The top of the page will have the latest and greatest version of the software. At the time of this tutorial release, the latest version is beta v 0.1.2. I’ll be using this version for the tutorial. At the bottom of the release notes for the most recent version, there’s an “assets” dropdown. Download the most recent zip file from this release (for version 0.1.2 it’s the file “DSJAS-relese-beta.zip”.)
With the bank downloaded, go into your downloads folder and unzip the bank files. Now, on your computer navigate to “c:\xampp\htdocs” (assuming you didn’t change the directory location on install of XAMPP). This folder is where your webserver serves pages from. We need to make room for your bank. Create a new folder and name it something like “old” and drag everything that was in this folder into it. That allows you to restore those pages should something go terribly wrong later.
With all the original files in your web server folder sent to storage, it’s time to put your bank files in there. Go to your unzipped copy of the bank files, open the folder, and drag everything (including folders) from that directory over to the c:\xampp\htdocs directory. Now we’re ready to set up your bank!
Leave the web server folder open and go back into your web browser. Type “localhost” in the URL box and hit enter. If all goes well, you should see the setup page for DSJAS. Besides being the start page for the process, this also creates a file in your webserver folder called “setuptoken.txt”. Go into that file and copy the token. You’ll need it for the next step.
Once you’ve copied the token, go back to the web browser, and at the bottom of the DSJAS page you’ll see a blue link labeled “Continue to verification”. Click that link, and on the next page, paste in your token and hit “confirm”. This will take you to the next page, where you’ll set up the database.
Remember that pen and paper you had handy earlier sir? We need the database name, username, and password now. For your server hostname, enter localhost, and populate the other three fields with the info you took down. Hit the blue “Confirm and setup” button, and if you entered the data correctly, you’ll be magically whisked off to the final step, setting up your admin user account for the bank admin page.
On the left side of this page, you’ll see boxes to fill in your admin username, email, password, and password hint. Fill out all of them. Then on the right, enter the name of your bank. This shows up on the website. Below that, you can leave the URL blank for now. DO NOT check the “disable admin dashboard” option. Scroll to the bottom and hit the blue “Complete Setup” button. Victory! Your bank is set up!
PART II: Setting up and customizing your bank.
This page intentionally left blank.
No, really, there’s some great documentation on the bank, and you can totally learn by reading that and/or experimenting. This tutorial is aimed at getting the bank up and running on your VM, so I’ll skip telling you how your bank should look and leave that up to you. Because you’re good enough, you’re smart enough, and doggonit, people like you.
PART III: Things to do inside your VM
In Part I we set up the bank and got it running on your actual machine. Now we need to find it on your virtual machine and make it look legit. Fire up you’re virtual machine: we’re going in!
Once your VM is loaded, click on the start menu and type “View Network Connections” and press enter. This will open up a window showing you your connection to the Internet. (In my VM it appears as an ethernet connection. Your Mileage may vary.)
Now, do one thing and double click on your network connection, and you should see a button that says “details”. Click on this, and look for the IP address of your IPv4 Default Gateway. On my VM, this address is 10.0.2.2, but I have no idea if that’s universal on all VM’s.
At any rate, from within your virtual machine you can type the default gateway IP address into your browser and so long as your XAMPP server is running on the actual machine, you’ll see your fake bank.
Woo hoo! We found the bank. Now to make the URL look a little more legit. Nobody would fear the dread pirate Westley, and no scammer would believe 10.0.2.2 is your bank’s web address. So it’s time to use our hosts file to give your bank a legit address.
Click on your start menu again, and this time type the word “notepad” but don’t press enter. At the top of the window you’ll see your “Notepad.exe” app. Right click on it, and select “run as administrator”. This will prompt you for the admin password (if any) and open notepad.
Go to File >> Open, and navigate to c:\Windows\System32\drivers\etc. If the folder appears empty, change the “File Type” box to “All Files”. You should see a file named “hosts”. Open this file.
If you don’t know, the hosts file is like a mini DNS that your computer looks at BEFORE hitting the internet to look up an address. This means that you can mask an IP entry to appear as a web URL from this file. In other words, we can take your 10.0.2.2 (or whatever IP address your gateway is at) and turn it into anythingwewant.com.
So for example, if your gateway IP is 10.0.2.2 and you want your bank to show up at the web address “abcbank.com” or “www.abcbank.com” you would add these two lines to the bottom of your hosts file:
10.0.2.2 abcbank.com
10.0.2.2 www.abcbank.com
Save and close your hosts file, and now when you go to a browser in your virtual machine, you should be able to type in the URL you made for your bank and like magic, it takes you to your fake bank. Awesome sauce!
But wait, there’s one problem.
If you do all of this, you might notice that to the left of your bank URL it very plainly says “Not secure” or the like and maybe it even throws a big warning icon. We need to do something about that. There’s a “hard way” (setting up a site certificate) that is technically better, but there’s an easy way to fix this, at least in chrome.
In the chrome browser, open a tab and type in “chrome://flags”. This brings up some neat power tools for the chrome browser. At the top of the page in the search box, type in “insecure”. Now look for the section titled “Insecure origins treated as secure”. This feature will make it far less obvious that your site is not secure. Click the button on the right to enable the feature, then type in the full url’s - including the “http://” part into the textbox. Do this for both the URL with and without the “www” prefix, and separate them with a comma.
With this done, click on the button to relaunch chrome, and go to your URL. Now the “Not Secure” warning is replaced by a much less noticeable icon. It’s still not the little padlock that denotes a secure site, but it’s less likely to be noticed by your scammers peeking in on your virtual machine.
And that’s all there is to it! I know this was a lot of words, so hopefully I didn’t lose you. I’ve been toying with starting a baiting YouTube channel and if I do, I’ll create a video version of this tutorial unless someone better suited beats me to it.
Happy baiting and good luck with each and every thing!