Scambaiting beginner's guide

Intro

Are you looking at how to scambait? First and foremost, thank you for showing an interest in combatting scammers, they are one of the plagues we suffer as a society with little action being done about them, so it is important for us to fight back and track down these fraudulent individuals and companies. Information is key, and the more we have on these scumbags the better. Take pride in the fact that scammers regularly talk about Jim Browning as if he strikes fear into their hearts, this means scambaiters are definitely making a difference, but we can always use extra help! Make sure you register for an account on Scammer.info so you can publicly expose scammers, they can threaten legal action all they want but nothing will happen to our site.

Mainstream media may have you believe scambaiting is racist and not actually helpful, but this is completely the opposite. Nobody is baiting scammers just because of their race, it is solely because they are scamming people! Sure people will bring race into it and make fun of indians by stereotyping them as scammers, but this happens to every race & ethnicity, there will always be people that bring race into things, but that doesn't mean everyone is thinking the same way. I'm sure you've all laughed at a stereotype joke before, Chinese having squinty eyes, British people loving their cups of tea and having bad teeth, Americans being fat & carrying guns, etc.

Scambaiting is also absolutely not a waste of time... for you at least! If you're wasting the time of a scammer you are saving someone else from being scammed at that time. The longer you keep a scammer tied up talking to you the better, so put on your best innocent victim act and keep them going until the end of time.

Getting started

You must remember that you are dealing with criminals. Never give any personal information out, and when posting information online make sure you include as much info as possible to help track down & prosecute whoever was involved.

It would be best for you to create a fake online persona, and use that as your identity whilst dealing with scammers. A VPN is optional, as there isn't much a scammer can do with your IP address besides DDoSing you and finding your approximate location. You can easily setup your own personal VPN by purchasing the cheapest OVH VPS server and sticking OpenVPN on it, this provides you with a cheap option to hide your IP address and will protect you from DDoS attacks.

Next, if you are baiting a tech support scammer or similar which requires use of your computer, you will need virtual machine software. You can use VMware or VirtualBox, which will need an ISO file of an operating system to work. You can download a free evaluation version of Windows from here, but this would be more obvious that it's a virtual machine to a scammer. There's a premade ISO file of Windows 11 available made by NeeP, click here to check it out. Scammers have caught on to scambaiters' tricks and will check if you are using a virtual machine or not, so check out this video from Jim Browning on how to make your virtual machine more stealthy.

See also: Fake bank & scambait tools by SoupNudle
Free alternative: DSJAS

Calling scammers

Obviously, you want to call the scammers to bait them, but what should you use? If you are unable to afford a VOIP / SIP service there are free alternatives available. Textnow.com allows you to have your own number, so a scammer can call you back, along with free calls to US numbers and other countries. BobRTC is a service made by scambaiters which allows you to call numbers for free, though you must gain tokens from calling tollfree numbers in order to call non-tollfree. The numbers on BobRTC are verified scam numbers and you are unable to call numbers not listed, only trusted users can add to the phonebook there. BobRTC has been shut down and is no longer available. We recommend setting up your own PBX/SIP service, Telnyx is a good starting point.

You must never use your real phone to contact scammers, as they will most definitely use this against you, either by placing your number on a list to spam call or by spoofing your number so that lots of people start calling your number back believing you called them. 

If you want your own virtual phone number which can send and receive calls you can search for "voip service" in Google and find the best one for you. You will need a softphone to make these calls, again, you can find several good softphones to use on Google. Personally, I use Zopier as my softphone and Zadarma as my sip service.

Tracking scammers

If you're looking for something easy to use, you can try Glasswire firewall, which gives you realtime information of the devices connected to your machine. Some connections from scammers can be used to find their IP addresses, but this is not always the case. If you are a more advanced user, you can use Wireshark to trace the IP similar to Glasswire.

Using a RAT (Remote Administration Tool) to monitor a scammer's machine is an excellent way of obtaining information about them, however this process can be difficult depending on who you are dealing with. This is also an illegal act, even if they are criminals themselves, but they would need to personally file a report against you, so if they are scammers I doubt they would actually go to the police. It's best if you stay away from this area unless you know what you're doing, but of course you're not going to listen to this, I can't really expect you to. Just make sure you don't mess with an innocent person or cause damage to a legitimate business.

Usually scammers will keep files with victim's information on their computers, but this might not be as common anymore due to the amount of scambaiters gaining access to their machines. It is possible that you may stumble upon credit card numbers, addresses, full names and more of victims that have already been scammed, if this happens please contact one of the moderators or admins of Scammer.info so we can assist in contacting the victims so they can learn more about what happened and hopefully get their money back.

See also: ScamLockHolmes' collection of scambaiting resources you must be logged in to view this.

See also: scams.info world of scambaiting

Want to upload your video clips to a site run by the scammer.info team? Try UploadClip.com

More to be added...

Thanks for a great intro! I’m trying to get back into the scambaiting scene and posts like this are super helpful. I did it for years back in the early 2000s. It was tons of fun, there was a whole group of us that worked together, developed tools, shared mailboxes, and all sorts of good stuff. Starting over from scratch and doing it alone is leaving me somewhat overwhelmed. That said, I’ve got a solidly convincing virtual machine, a good backstory developed, and a textnow number, so I’m going to dive in and refine as I go.

Please Cont This! its soooo good

It keeps telling me that ScamLockHolmes page doesn’t exist? I’ll assume that while I am logged in, somehow this is my fault lol. Loved the article, thanks for sharing.

Oh sorry, he posted it in the “Members” section which requires level 1 trust to view.
I’ve edited this so you only need to be a registered user now.

just a random thought, you could also recommend google voice? thats what i personally use, its free, and imo less sketchy than textnow.

This is amazing!

I’ll help

I don’t have either, sorry.

A large reason why nobody wants to work with you is the legal issue with it. Your best bet is to just do things by yourself, get the file on their PC yourself.

Note that Scammer.info does not condone the illegal actions committed by members, full responsibility is on you.

Bro,
You are, or at least claim to be, an ethical hacker and penetration tester. The words you string along are all the right words. So at this point I have no reason to believe you aren’t. However that also means that you should know; What you are asking for is black hat territory, not ethical white hat land. Also, teaching random strangers how to hack other machines? Doesn’t track down that ethical path either. Defensive measures, sure. Most of these people aren’t Offsec.

Back to topic. As a penetration tester, with an understanding of Kali you should have a pretty easy time getting the information you need to poke at their PC. Maybe some dumbluck, some social engineering, and some connection reversal.

Do you want me to address the end of this post? the “Fake.exe” and how it demonstrates how you are the “real deal”? or should I put it and the rest up to frustration?

I have a feeling that he doesn’t know what white hat means (like many of the “hackers” on this forum).

Right, Cory. With all respect, I suggest you take our advice. As a penetration tester/ethical hacker, do you really want to risk your career by getting caught up in the law? Scammers will come after you with the law, just as they have done on this site. You want to go tell the police

I’m not a legal expert, so I’m unable to cite specific parts of the law or cases that have happened in the past regarding this. However, 2 wrongs don’t make a right in the court’s eyes. Furthermore, it is my understanding (in uk law at least, same might apply to the us) that any evidence gathered illegally is not admissible in court.

Jim Browning is:
A: Anonymous, unlike you using your real name and with 0 consideration to opsec
B: No-one said it’s okay for him to do it, there’s some who don’t agree with it. Vigilantism isn’t exactly legal.
To be honest, I smell a bit of jealousy here. “Jim Browning can do it, why can’t I?” also because you don’t seem to fully understand how things work here. You’ve came in all guns blazing after watching a few scambaiting videos, skipping essential knowledge and wanting to try things yourself - Which I don’t believe will work.

So, good luck to you. Take our advice from years of scambaiting, or don’t. We of course want more people in this fight, but want them on the right track. There are legal ways to do things that can be much more effective - This is the route you want to take.

If you wish to continue this discussion, I suggest you join our Discord (located in the navigation bar at the top), we can have quicker messaging and keep this thread relevant to the beginner’s scambaiting guide.

I know this is just going to add more clutter to this thread, but I think it’s worth mentioning that this is the case in the US, Canada, and almost everywhere… You can get a warrant to search a computer, but if you’re able to do that, getting a warrant to “hack” someone would be unnecessary - just get a warrant to search their home and take the computer…

Some newbie scambaiters seem to not understand that even if they’re doing something morally right, they can still get in legal trouble. Regardless of how despicable a person is, the legal system will treat them as any other citizen. If it seems “bad” to do something to a law-abiding citizen, then it’s probably best to assume that the law also won’t want you doing it to a scammer either.

Honestly, it’s not worth the risk. If ya know what you are doing then go ahead. Just know that you might get caught and end up getting sued or even go to prison. I don’t think the benefits are good enough to outweigh the risks.

Just my 2 cents.

Telling the authority will not help because it’s up for the Indian authorities to prosecute them, it’s their choice to accept a bribery or reject it.

So if you get caught and you tell the police that they are scammers from India, they gonna tell you that you’re not the police and it’s none of your business. Only the Indian police can arrest these scammers as long as they don’t get bribed.

So think about it before you hack their computer. Saying that they are scammers is not an excuse.

This is the opposite of hacking back a hacker cause he stolen money from your bank.

India has indeed extradited scammers to the US after an indictment, and the US and India have an extradition treaty, so I don’t think that’s very relevant.

can you fix pen, that won’t write?

Awesome guide! I am just starting to dip my toes into scambaiting. A little tip with wire shark is if a scammer connects via Anydesk make sure and filter for TCP 7070. It seems the initial 3 way handshake takes place here and then the rest of the actual data going back and forth moves to another port this makes it easy so you don’t have hundreds of lines to look through to get your scammers ip. With Team viewer I was just able to filter for UDP and since there was not much UDP traffic on my machine once someone connected I then saw the constant stream going back and forth with just a single ip. One last thing I found which helped me actually get a fake bank set up is if you search for the topic “scambaiting” on github you will find so many helpful resources there. I won’t post a link for obvious reasons and concerns but hopefully this can help out someone and we can keep those scammers busy and wasting their time.

If my memory serves correct, Teamviewer routes data through an intermediary server. It’s not a P2P connection. Any IP you were picking up would have been a Teamviewer server.