VM security

I was testing some typo URLs from the list at www.northbaits.com, one by one just for trying. I had Avast installed in the VM and it blocked a lot of them, but I also got Bitdefender notifications on my host, which surprised me. (I could however see some logic in it, if it reacted to something malicious going on in the VM files… even though I didn’t like it very much).
But suddenly a page was also blocked by Bitdefender inside the VM’s browser (both Chrome + Firefox). I couldn’t really understand how the host’s AV could actually work inside the VM.
Content from the VM being blocked on the outside and outside AV blocking pages on the inside has raised my doubts about the security here. How “sandboxed” is a VM really? Obviously it’s not airtight, but how much is there to worry about?
(This was done in both VirtualBox and VMware)

It’s isolated enough for scambaiting with the default settings - scammers don’t really do much else than syskey and delete files. If you do find one that installs malware or something you’re worried that could escape the VM then just kill the VM’s network access.
In terms of those Bitdefender notifications, your VM has to make a connection to the internet via your host PC, and so it’s entirely possible that Bitdefender intercepts it at host level. It’s also possible that the block page was created at host level, and your VM just took it to be the real website.
Bitdefender is almost certainly not working inside your VM; it’s only capable of looking at and blocking the times your VM has to go through the host PC to do something. It may well notify you for malicious activity on the VM, if it’s capable of scanning virtual hard drive files, or (as it seems it is) if it is capable of MITM’ing your VM’s connections.

All in all, get a VPN on your host PC and the scammers have no real recourse against you. The only time you want a truly isolated VM is when you’re trying to run malware that you know will almost certainly try to spread across the network, but that’s beyond the scope of scambaiting.

3 Likes

Thanks for your response.

I was never really worrying about the scambaiters doing anything. They most certainly have other things on their minds ($) than digging in any deeper levels. What I was most concerned about was malicious “leakage” while intentionally searching through malicious pages. If my Bitdefender alerts came from looking INTO the VM files, then all fine to me… but if they came from blocking something on the OUTSIDE, they might also miss something else on the outside.
(The Bitdefender alerts in the VM were never a real concern. That was more of something just raising the already raised concern about leakage.)

My guess is that it’s probably looking at the packets being sent by the web browser and doesn’t realise that it’s running inside a VM. It may help if you change the network connection type for your VM to bridged.

Nothing’s likely to happen outside your PC when scambaiting. It will pass through your PC (if it didn’t, then your VM would be running on magic and wishful thinking) but should not affect anything outside your VM. Just make sure file shares are off.

I expect that Bitdefender examines packets on the host machine indeed. Just a thought: if you run a VPN on the VM, Bitdefender on the host machine is not able to make sense out of it. Or is my thought a complete flaw?
Greetings!

I saw a YouTube video once where a person tested the WannaCry ransomware on a virtual machine, and his antivirus on his host PC detected that WannaCry wanted to infect his host PC through his internet, so it blocked the connection. I don’t remember which network settings he used on his virtual machine because I can’t find the video anymore.

Those of you worried about viruses should consider making a host PC with Linux. Then running VirtualBox on Linux. The likelihood of anything infecting your host machine drops considerably. And looking at how unintelligent these scammers are, I’m pretty sure they couldn’t find a backdoor into your Linux system in order to run Linux commands.

I run a VM server with an OS called Proxmox. I access the server through my desktop PC, so my desktop PC is on a separate network from my server. While this isn’t 100% secure, I feel it’s a lot more secure than running a VM on your good host PC. I’d suggest the first idea I mentioned: using a separate PC, put a VM on it and use that PC for scam-baiting.

A VM is certainly safer than running it on your host directly and offers some protection. However, you have to take precautions if you know that scammers are going to run malware.
First, secure the VM. If you’re using Parallels Desktop (which I highly DO NOT recommend for scambaiting), you need to tick “Isolate Guest from Host” and make sure there are NO shared folders whatsoever.
Next, install a good antivirus on your host. Good antivirus products include Kaspersky, Malwarebytes Premium and Bitdefender Premium. If possible, crank protection to the max. Also, enable the firewall. THIS IS IMPORTANT IF A SCAMMER IS GOING TO RUN WANNACRY, OR ANYTHING SIMILAR. WannaCry will not only infect the VM but the entire network.
Then, disconnect from the internet before running malware. (This does not apply to scambaiting but to malware testing, but I’ll leave it here just for your information.)
Finally, if you are using shared Wi-Fi at home (with family members or others), try to make sure that other computers also have security cranked to the max, as a final layer of protection. You can also switch off those computers if you’re very worried.
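The precautions raised across this thread (no shared folders or file shares, no host/guest clipboard channel, and a network mode chosen deliberately before running anything hostile) can be checked rather than remembered. The script below is an added example written for this thread, not code from any poster or from VirtualBox itself. It parses a constructed sample in the `key="value"` layout that `VBoxManage showvminfo <vm> --machinereadable` prints (the key names `SharedFolderNameMachineMapping1`, `SharedFolderPathMachineMapping1`, `clipboard`, `draganddrop`, `nic1` and `bridgeadapter1` are assumptions about that format, so confirm them against your own VirtualBox version) and reports which host/guest channels are still open. A second constructed sample shows the same VM after the settings have been tightened.

```python
"""Audit a VirtualBox guest's isolation settings from showvminfo output.

Added example for the thread above. Run it as-is to audit the two constructed
samples, or pipe real `VBoxManage showvminfo <vm> --machinereadable` output
into stdin to audit one of your own VMs.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample: a scambaiting VM with the weak settings the thread warns
# about (a shared folder, a two-way clipboard, and a NIC bridged onto the LAN).
WEAK_SHOWVMINFO = '''\
name="scambait-win10"
ostype="Windows10_64"
nic1="bridged"
bridgeadapter1="eth0"
nic2="nat"
SharedFolderNameMachineMapping1="downloads"
SharedFolderPathMachineMapping1="/home/user/Downloads"
clipboard="bidirectional"
draganddrop="disabled"
'''

# Constructed sample: the same VM after the thread's advice has been applied.
HARDENED_SHOWVMINFO = '''\
name="scambait-win10"
ostype="Windows10_64"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"
clipboard="disabled"
draganddrop="disabled"
'''

# One `key="value"` (or bare key=value) setting per line.
LINE_RE = re.compile(r'^([^=]+)=(?:"(.*)"|(.*))$')


def parse_showvminfo(text: str) -> Dict[str, str]:
    """Turn machine-readable showvminfo output into a key -> value dict."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # blank or unrecognised line
        key = match.group(1)
        value = match.group(2) if match.group(2) is not None else match.group(3)
        settings[key] = value
    return settings


def audit_isolation(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings: WARN for open host/guest channels,
    INFO for network modes worth knowing about."""
    findings: List[Tuple[str, str]] = []

    # Shared folders expose a host directory inside the guest.
    for key, host_path in settings.items():
        if key.startswith("SharedFolderPathMachineMapping"):
            index = key[len("SharedFolderPathMachineMapping"):]
            name = settings.get("SharedFolderNameMachineMapping" + index, "?")
            findings.append(("WARN", f"shared folder '{name}' maps host path {host_path}; remove it"))

    # Clipboard and drag-and-drop are host/guest data channels in both directions.
    if settings.get("clipboard", "disabled") != "disabled":
        findings.append(("WARN", f"clipboard sharing is '{settings['clipboard']}'; set it to disabled"))
    if settings.get("draganddrop", "disabled") != "disabled":
        findings.append(("WARN", f"drag-and-drop is '{settings['draganddrop']}'; set it to disabled"))

    # Network adapters: bridged puts the guest on the LAN next to other machines,
    # NAT routes everything through the host (which is why host AV can see it),
    # host-only reaches the host alone, none/intnet keeps the guest off the network.
    for key, mode in sorted(settings.items()):
        if not re.fullmatch(r"nic\d+", key):
            continue
        index = key[3:]
        if mode == "bridged":
            adapter = settings.get("bridgeadapter" + index, "?")
            findings.append(("WARN", f"{key} is bridged onto {adapter}; guest sits on the LAN, "
                                     "use host-only, internal or no adapter when running malware"))
        elif mode == "nat":
            findings.append(("INFO", f"{key} is NAT; guest traffic passes through the host"))
        elif mode == "hostonly":
            findings.append(("INFO", f"{key} is host-only; guest can reach the host but not the LAN"))
    return findings


def has_open_channels(settings: Dict[str, str]) -> bool:
    """True if any WARN-level finding is present."""
    return any(sev == "WARN" for sev, _ in audit_isolation(settings))


if __name__ == "__main__":
    # Audit real output from stdin if provided, else the two constructed samples.
    sources = [("stdin", sys.stdin.read())] if not sys.stdin.isatty() else [
        ("weak sample", WEAK_SHOWVMINFO), ("hardened sample", HARDENED_SHOWVMINFO)]
    for label, text in sources:
        print(f"== {label} ==")
        for severity, message in audit_isolation(parse_showvminfo(text)) or [("OK", "no findings")]:
            print(f"[{severity}] {message}")
```

The audit deliberately treats NAT as informational rather than a fault: it is the mode in which the host's AV can intercept guest traffic, which is exactly the behaviour the original question was asking about, and it is fine for ordinary scambaiting. The WARN findings are the ones to clear before a session in which the guest might end up running something worse than a deleted-files prank.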