How to set up your very own fake bank website, right on your own machine

If you’re a scambaiter, you’ll occasionally run across a scammer who wants you to log in to your bank account. This tutorial will show you how to set up a basic bank website complete with a domain name, all hosted on your own computer. The best part is that it’s compatible with my scambaiting budget at the low low cost of nothing.

IMPORTANT: This tutorial assumes that you have already set up a virtual machine for baiting. If you haven’t set up a virtual machine for baiting, STOP. You shouldn’t be letting scammers remote into your actual machine ever, so get a virtual machine set up first and then come back.

NOTE: This tutorial is aimed at Windows users. Specifically, I’m running Windows 10 on both my actual machine and the virtual machine. If you’re using other OSes, your mileage may vary.

PART I: Things to do on your real machine

Okay maam, I am going to need for you to open Google Chrome and type in this address. The first step is to download the software that allows you to turn your machine into a web server. To get this software, you head over here:

This is the website for XAMPP, a fantastic little webserver-in-a-box that’s pretty much ready to go upon install. Download the installer from the main page, and open it up. Run through all the options. The defaults on everything are just fine. (The only thing I unchecked on the installer was the box to “learn more about XAMPP” on the last install option screen.) It will unpack and install your software. You can go and get a glass of water if you’d like. This will take a moment.

Once the installer is done, go ahead and open the XAMPP control panel. This is where you control what modules are running for your web server using the “Start” buttons on the panel. For our purposes, we only need to start two modules: “Apache” (the web server itself), and “MySQL” for the database we’ll need later on. Start both of these modules, and on the first time you do this, approve their local access through the firewall when prompted.

PROTIP: Remember to turn off these modules when you’re not doing baiting-related stuff to minimize access into your computer.

Now you have a webserver running on your machine. Congratulations! To verify it’s working (and to proceed to the next step), open up your web browser and type “localhost” in the navigation bar and hit enter. You should see a “Welcome to XAMPP” page.

At the top of this page, on the right side, there should be a link marked “phpMyAdmin”. Do one thing and click on the link. This will take you to the php Administration page. From there, on the left hand side there is a column that should have “new” at the top. This is where we’re going to create our bank database. Click on new. On the next page, give your database a memorable name, like “bank”. Hit “create” and bask in the glory.

Now you need a username to access your database. To add one, start by clicking on the “home” button or the phyMyAdmin logo to go to the main page. From there, look for the “user accounts” button on the top right side of the page. (Note: if your window is small, this button gets put into a “hamburger” menu on the right half of the page.)

Below the list of existing users, there’s a link to add a new user account. Click this link. Create your username to access the database here as well as a password. Now maam, be handy with a pen and paper. You will want to write down the username and password you use for setting up the bank later. Once you’ve entered this data, scroll down to where you see a checkbox labeled “Global Privileges” and check this box. This gives the user privileges to everything. Finally, scroll to the bottom and hit “go”, thus creating your user.

With your database and user accounts created, it’s time to install your bank software. For this bank, we’re using Dave Smith Johnson and Son. It’s a baiting bank designed to have most of the features you’ll need to fool your scammers. Fire up ye olde browser and navigate to this link:

The top of the page will have the latest and greatest version of the software. At the time of this tutorial release, the latest version is beta v 0.1.2. I’ll be using this version for the tutorial. At the bottom of the release notes for the most recent version, there’s an “assets” dropdown. Download the most recent zip file from this release (for version 0.1.2 it’s the file “DSJAS-relese-beta.zip”.)

With the bank downloaded, go into your downloads folder and unzip the bank files. Now, on your computer navigate to “c:\xampp\htdocs” (assuming you didn’t change the directory location on install of XAMPP). This folder is where your webserver serves pages from. We need to make room for your bank. Create a new folder and name it something like “old” and drag everything that was in this folder into it. That allows you to restore those pages should something go terribly wrong later.

With all the original files in your web server folder sent to storage, it’s time to put your bank files in there. Go to your unzipped copy of the bank files, open the folder, and drag everything (including folders) from that directory over to the c:\xampp\htdocs directory. Now we’re ready to set up your bank!

Leave the web server folder open and go back into your web browser. Type “localhost” in the URL box and hit enter. If all goes well, you should see the setup page for DSJAS. Besides being the start page for the process, this also creates a file in your webserver folder called “setuptoken.txt”. Go into that file and copy the token. You’ll need it for the next step.

Once you’ve copied the token, go back to the web browser, and at the bottom of the DSJAS page you’ll see a blue link labeled “Continue to verification”. Click that link, and on the next page, paste in your token and hit “confirm”. This will take you to the next page, where you’ll set up the database.

Remember that pen and paper you had handy earlier sir? We need the database name, username, and password now. For your server hostname, enter localhost, and populate the other three fields with the info you took down. Hit the blue “Confirm and setup” button, and if you entered the data correctly, you’ll be magically whisked off to the final step, setting up your admin user account for the bank admin page.

On the left side of this page, you’ll see boxes to fill in your admin username, email, password, and password hint. Fill out all of them. Then on the right, enter the name of your bank. This shows up on the website. Below that, you can leave the URL blank for now. DO NOT check the “disable admin dashboard” option. Scroll to the bottom and hit the blue “Complete Setup” button. Victory! Your bank is set up!

PART II: Setting up and customizing your bank.

This page intentionally left blank.

No, really, there’s some great documentation on the bank, and you can totally learn by reading that and/or experimenting. This tutorial is aimed at getting the bank up and running on your VM, so I’ll skip telling you how your bank should look and leave that up to you. Because you’re good enough, you’re smart enough, and doggonit, people like you.

PART III: Things to do inside your VM

In Part I we set up the bank and got it running on your actual machine. Now we need to find it on your virtual machine and make it look legit. Fire up you’re virtual machine: we’re going in!

Once your VM is loaded, click on the start menu and type “View Network Connections” and press enter. This will open up a window showing you your connection to the Internet. (In my VM it appears as an ethernet connection. Your Mileage may vary.)

Now, do one thing and double click on your network connection, and you should see a button that says “details”. Click on this, and look for the IP address of your IPv4 Default Gateway. On my VM, this address is 10.0.2.2, but I have no idea if that’s universal on all VM’s.

At any rate, from within your virtual machine you can type the default gateway IP address into your browser and so long as your XAMPP server is running on the actual machine, you’ll see your fake bank.

Woo hoo! We found the bank. Now to make the URL look a little more legit. Nobody would fear the dread pirate Westley, and no scammer would believe 10.0.2.2 is your bank’s web address. So it’s time to use our hosts file to give your bank a legit address.

Click on your start menu again, and this time type the word “notepad” but don’t press enter. At the top of the window you’ll see your “Notepad.exe” app. Right click on it, and select “run as administrator”. This will prompt you for the admin password (if any) and open notepad.

Go to File >> Open, and navigate to c:\Windows\System32\drivers\etc. If the folder appears empty, change the “File Type” box to “All Files”. You should see a file named “hosts”. Open this file.

If you don’t know, the hosts file is like a mini DNS that your computer looks at BEFORE hitting the internet to look up an address. This means that you can mask an IP entry to appear as a web URL from this file. In other words, we can take your 10.0.2.2 (or whatever IP address your gateway is at) and turn it into anythingwewant.com.

So for example, if your gateway IP is 10.0.2.2 and you want your bank to show up at the web address “abcbank.com” or “www.abcbank.com” you would add these two lines to the bottom of your hosts file:

10.0.2.2 abcbank.com
10.0.2.2 www.abcbank.com

Save and close your hosts file, and now when you go to a browser in your virtual machine, you should be able to type in the URL you made for your bank and like magic, it takes you to your fake bank. Awesome sauce!

But wait, there’s one problem.

If you do all of this, you might notice that to the left of your bank URL it very plainly says “Not secure” or the like and maybe it even throws a big warning icon. We need to do something about that. There’s a “hard way” (setting up a site certificate) that is technically better, but there’s an easy way to fix this, at least in chrome.

In the chrome browser, open a tab and type in “chrome://flags”. This brings up some neat power tools for the chrome browser. At the top of the page in the search box, type in “insecure”. Now look for the section titled “Insecure origins treated as secure”. This feature will make it far less obvious that your site is not secure. Click the button on the right to enable the feature, then type in the full url’s - including the “http://” part into the textbox. Do this for both the URL with and without the “www” prefix, and separate them with a comma.

With this done, click on the button to relaunch chrome, and go to your URL. Now the “Not Secure” warning is replaced by a much less noticeable icon. It’s still not the little padlock that denotes a secure site, but it’s less likely to be noticed by your scammers peeking in on your virtual machine.

And that’s all there is to it! I know this was a lot of words, so hopefully I didn’t lose you. I’ve been toying with starting a baiting YouTube channel and if I do, I’ll create a video version of this tutorial unless someone better suited beats me to it.

Happy baiting and good luck with each and every thing!

8 Likes

Excellent instructions, advice to others is to read instructions at least once before attempting and google will be your bestfriend if you hit snag. I’m still halfway installing and will finish after shopping.

2 Likes

Great tutorial. I’ll be sharing this one around.

2 Likes

Thanks!

The other thing I almost threw in here was that when you set up your site you can Google “favicon generator” to find sites that will create the favicon for your browser tab. Once you create the file, just drop it into your web server folder and your good to go.

If I had put any advice on Part II about customizing the bank, I’d say change all the graphics and the wording if you’re comfortable editing the php pages. Make it your own, because if suddenly 500 identical banks with different names pop up in their calls, scammers will eventually catch on.

1 Like

Ooh a nice little guide, thanks for posting this since a lot of people are looking for fake banks.

1 Like

So how do you set up the Bank? I see you left it blank on purpose but I don’t know where to get started really.

1 Like

It’s listed on the thing he linked to.

what ever i click past step 1 i get Fatal error: Uncaught mysqli_sql_exception: Access denied for user ‘’@‘localhost’ (using password: NO) in C:\xampp\htdocs\include\install\Utils.php:149 Stack trace: #0 C:\xampp\htdocs\include\install\Utils.php(149): mysqli_connect(’’, ‘’, ‘’) #1 C:\xampp\htdocs\admin\install\final.php(27): handleDBVerification() #2 {main} thrown in C:\xampp\htdocs\include\install\Utils.php on line 149

This may be your issue. Also, your other issue could be that you don’t have a mysqli database.

how would i fix this? im not the best at this, sorry

When you set up XAMPP, was there anything about mysqli?

no, i just reinstalled it and it didnt ask for me that either

@SpamInaCan Did you do this?

everything works up to here but now i cant seet the fake bank

I’m confused with this portion of moving stuff around because when i do it, all i get is a 500 error when i type in local host [quote=“JustAnotherJim, post:1, topic:87878”]
Create a new folder and name it something like “old” and drag everything that was in this folder into it. That allows you to restore those pages should something go terribly wrong later.

With all the original files in your web server folder sent to storage, it’s time to put your bank files in there. Go to your unzipped copy of the bank files, open the folder, and drag everything (including folders) from that directory over to the c:\xampp\htdocs directory. Now we’re ready to set up your bank!

Leave the web server folder open and go back into your web browser. Type “localhost” in the URL box and hit enter. If all goes well, you should see the setup page for DSJAS.
[/quote]

1 Like

Howdy! The fix for me on this was to move the apache DocumentRoot that it reads from C:\xampp\htdocs to a separate folder outside of the xampp folder. I pointed mine to C:\DSJAS-release-beta in that folder is just all the DSJAS extracted files. Then to actually point where apache thinks the document root is you click on the apache config option, then click on the httpd.conf file, then ctrl + f search DocumentRoot and change the “C:/xampp/htdocs” to wherever you save the DSJAS files. After doing this I did get a 403 access denied error but it seems like that will not for sure happen and can be fixed let me know if you need help with that!

1 Like

Hi!

I have the same issue.

Followed the guideline but it all stopped at the point where you unzip the DSJAS-release-beta files.

  1. I cleared out all the default files in the folder D:\xampp\htdocs
  2. I copied all DSJAS-release-beta files and folders in to D:\xampp\htdocs
  3. Typed localhost at my webbrowser and received a Internal Server Error.
  4. The Apache errorlog file says:
    [core:alert] [pid 11988:tid 1852] [client 127.0.0.1:54228] D:/xampp/htdocs/admin/.htaccess:
    Regex could not be compiled
  5. The localhost URL redirects to: http://localhost/admin/install/install.php so everything seems fine otherwise.
  6. Have tried Chrome/firefox/edge with no luck.

Any ideas?

You can try what I suggested above that’s what helped me with this issue. I’m not sure if your error is a 500 error or not I don’t remember what exactly a 500 error is but this might still help. It’s also what the install instructions suggest doing on the DSJAS GitHub here

Hi Honk!

Thanks for your reply!

Yes it`s a 500 internal server error that occurs.

I made a folder: D:\TTBank and extracted the DSJAS files in to that folder.
Opened the Apache config (httpd.conf) and edited the DocumentRoot from C:\xampp\htdocs to D:\TTBank
Restarted apache and mysql service in the xampp controlpanel and tried to load localhost in firefox.
Still getting a Internal Server Error.
The Apache Logs says the following:

[core:alert] [pid 10032:tid 1872] [client 127.0.0.1:57693] D:/TTBank/admin/.htaccess: Regex could not be compiled

Looks more like the issue is in the .htaccessfile?

By reverting back the original files from xampp to htdocs and changing DocumentRoot back to c:\xampp\htdoc everything works fine.

Is this issue just with me because I get 500 internal server error from the “box”

I’m experiencing the same issue as well, replaced all htdocs with the bank files which then after restarting the web server I get a 500 error. I did try to move the bank files out of the xampp directory and change the document root but the issue still remained. Also getting the “C:/xampp/htdocs/admin/.htaccess: Regex could not be compiled” error as the user above mentioned. Has anyone been able to resolve this issue?