Cleaning A VM Post-Scambait

I’ve had a few run-ins with scammers in the past but I have yet to scambait any. My dad has plenty of experience in that department. Anyway, we’ve been thinking of setting up a VM to screw with them. I already have a VPN and I’ve set up virtual machines before, so I’m good as far as that goes. My main concern now is what to do after the scambait is over. Is restoring the machine image enough, even if the scammer does their worst (key loggers, etc.)?

You’ll need a VPN on your host OS as well.

Private Internet Access. Change the encryption to 256-bit, enable the killswitch and the aggressive killswitch, and never connect to a proxy that’s too close to you.

Aye, I have ExpressVPN on the host machine already. Heh, the day that I installed it, it became useful because half the internet broke in my region. This does remind me, though, that I may need some help setting up the network options in VMware. I can’t look into it right now because I’m at work, but I remember there being like four network connectivity options.

What are the hotswitch and aggressive hotswitch options you speak of? What are their purposes?

Figure out which network adapter is for your VPN and see about putting all traffic through that one network adapter.

Aye, I left it at default and then opened the VPN on the host machine. Then I looked up my IP address on both the host and guest machines and got two different numbers (both resolved to the VPN set location, though).

As to my initial question, simply restoring a snapshot of the VM is enough “cleaning up” after a session, yes?

In general, yes, restoring a virtual machine from a snapshot taken before the scammer connected to your system should be sufficient to clean up after letting them have their way with the system.

Some caveats however…

As mentioned already, it’s good practice to make sure all your VM traffic is going through a VPN to hide your real IP address. If your VM is set up to get an IP address directly from your home network (VirtualBox calls this a bridged adapter), then you will probably have to run the VPN software on the VM itself. If, however, your VM is set up to NAT all its traffic through the host, then you can just configure the host to use the VPN. Make sure, however, that your VPN software is configured to route all the traffic through the VPN, as some VPNs can route traffic differently depending on the type.

Another thing to be careful of is to make sure you aren’t sharing folders between your VM and your host, as this could give the scammer an opportunity to drop something on the host. I use shared folders often to transfer things into my VMs, but I always make sure to remove those before letting a scammer connect.

Opinions differ on what measures you need to take to keep yourself truly safe, as you are letting a known malicious person get some degree of access to your system / network. The safest would be a completely standalone host on an isolated network segment, which is what I do in my day job if I’m analyzing malware or detonating potentially malicious email attachments, but for the typical scammer who just wants to get access to your bank account I find the measures I outline above to be adequate. Your mileage may of course vary, so be careful and good luck.
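The three pre-session checks in the answer above (NAT rather than bridged adapters, no shared folders mapped into the guest, a snapshot to roll back to) can be scripted so they are not forgotten. The script below is an added example, not code from this thread or from VirtualBox; it assumes VirtualBox, as named in the answer, and assumes the key names `nic1=`, `SharedFolderNameMachineMapping1=` and `SnapshotName=` that `VBoxManage showvminfo --machinereadable` emits. The VM name and the sample output are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the thread): audit the VirtualBox settings the
# answer above says to fix before letting a scammer connect to the VM.
#   1. bridged NICs get a LAN address directly, so a host-side VPN does not cover them
#   2. shared folders give the guest a path onto the host disk
#   3. without a snapshot there is nothing clean to restore afterwards
# Assumption: key names follow "VBoxManage showvminfo <vm> --machinereadable".

# Constructed sample, standing in for:
#   VBoxManage showvminfo "scambait" --machinereadable
# It deliberately has one bridged NIC and one shared folder left mapped.
SAMPLE_VMINFO='name="scambait"
nic1="bridged"
bridgeadapter1="eth0"
nic2="nat"
SharedFolderNameMachineMapping1="transfer"
SharedFolderPathMachineMapping1="/home/me/vm-transfer"
SnapshotName="clean-baseline"
CurrentSnapshotName="clean-baseline"'

# audit_vminfo: reads machinereadable text on stdin, prints one "FIX:" line
# per problem, and returns the number of problems (0 means ready to go).
audit_vminfo() {
    info=$(cat)
    findings=0

    # 1. any adapter of type "bridged" bypasses a VPN that runs only on the host
    for n in $(printf '%s\n' "$info" | grep -E '^nic[0-9]+="bridged"' \
                 | sed -E 's/^nic([0-9]+)=.*/\1/'); do
        echo "FIX: nic$n is bridged; switch it to NAT or run the VPN inside the guest"
        findings=$((findings + 1))
    done

    # 2. every shared folder mapping is a path from the guest onto the host
    for name in $(printf '%s\n' "$info" \
                    | grep -E '^SharedFolderNameMachineMapping[0-9]+=' | cut -d'"' -f2); do
        echo "FIX: shared folder '$name' is still mapped; remove it before the session"
        findings=$((findings + 1))
    done

    # 3. a snapshot must exist before the session, not after
    if ! printf '%s\n' "$info" | grep -q '^SnapshotName'; then
        echo "FIX: no snapshot exists; take one of the clean VM before connecting"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ] && echo "OK: NAT-only NICs, no shared folders, snapshot present"
    return "$findings"
}

# Run against the constructed sample; with a real VM replace the printf with
#   VBoxManage showvminfo "<vm name>" --machinereadable | audit_vminfo
printf '%s\n' "$SAMPLE_VMINFO" | audit_vminfo
```

Run it against the real VM before each session and only proceed when it prints the OK line; the exit status makes it usable as a gate in a larger pre-session script.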
