Today I will talk about how the scam baiter Jim Browning gains access to the scammer’s network. Because that’s the one question he seems to avoid in his videos, I will reveal the hacking technique he is using.
This is also a good opportunity to understand how scam baiting works overall.
If you haven’t heard of Jim Browning (he does not reveal his real name), he is a YouTuber who spends a good amount of time and effort hacking into the networks of scammers, most of them located in India. If you are not familiar with him, I recommend starting with the video below:
Watching his videos, you will hear him say many times that when scammers try to ‘scam him’, he will ‘reverse this connection and gain access to the scammer’s PC’. Of course, as a computer scientist, I know that there is no such thing as ‘reversing a connection’ per se, unless of course you take it as a figure of speech. The fact is, you can’t hack into somebody’s computer just because they have gained remote access to yours through remote control software such as TeamViewer, GoToMeeting, Zoho Assist or similar, and that is exactly the kind of software the scammers use.
What’s the Magic Behind Jim Browning’s Hacking?
What he is most likely doing is what we call delivering a ‘payload’. A payload is an executable file, such as a Windows .exe file. That’s exactly what Jim Browning is doing to the scammers.
To make the hack possible, Jim Browning uses RAT software. RAT is the acronym for Remote Access Trojan. A RAT usually comes in two pieces. The first is the software that lets the hacker control the victim’s computer, often called the RAT client. The second is the payload: once the other person starts the payload (the .exe file), that computer establishes a connection to the hacker’s RAT client, giving the hacker full access to the infected computer. Many well-engineered RAT tools even come in three pieces:
1) RAT Proxy
This is the component the hacker installs on a server somewhere, usually a Linux-based machine, either a dedicated or a cloud-based server.
2) RAT Payload
The RAT payload is the trojan horse file the victim has to be misled into running. Once that file is started on a Windows PC, for example, it immediately adds itself to the whitelist of any installed antivirus and firewall tools and hides itself from common tools such as the Windows Services console. Often the tool will tamper with core Windows system files so that it behaves like a normal Windows service, at which point it becomes extremely difficult to identify as a trojan horse. It then connects to the RAT Proxy.
3) RAT Agent or RAT Client
This is the dashboard the hacker has installed on his own Windows PC, from where he has full control of the infected computer. Among other things, the RAT Agent gives the hacker the following options:
- Manipulate the webcam drivers to turn on the webcam covertly.
- Tap into the microphone and speaker to eavesdrop on any conversation.
- Monitor everything on the victim’s screen in real time, including mouse movements, and capture the screen as images or video.
- Keylog everything that is typed on the keyboard.
- Explore and download files on the victim’s computer covertly, without the victim noticing.
- Install and manipulate software.
- Disable and activate any kind of settings, including security settings and firewalls.
- Access the computer’s network, such as printers and other locally or externally connected networks.
- Start, close and make use of existing software and processes.
- Make changes to the registry and services, upload files, and run scripts.
The possibilities are endless. There is a vast amount of RAT software provided by hackers. Popular tools are СrunсhRАΤ, Vаynе-RаΤ, Pоwеrѕhеll-RАΤ, ThundеrЅhеll, Χееxе, and many more. Besides popular hacking tools such as the ones mentioned above, governments are known to use more sophisticated and user-friendly RATs such as FіnFіѕhеr, which can also be downloaded if one has access, for example, to some of the underground sites used by the hacking scene.
Note: If you’re searching the RAT tools and company names mentioned in this article, don’t copy paste them into a search engine as you won’t find anything. I have made them unsearchable (it’s a simple grey hat technique). You have to type it into search engines manually if you want to see some results.
Below is a screenshot of АhΜyth Аndrоіd RАΤ — a RAT that allows hackers to control Android phones of their victims. You can see below in this case how the hacker has been notified by the RAT client that his victim has just started the payload (in this case an .APK file), and that the hacker now has full control over the victim’s smartphone:
The hacker now can activate the smartphone’s cameras, access files, listen to everything being spoken through microphone access, send SMS and read existing ones, see contacts and phone logs, and many more.
This is how FіnFіѕhеr is being distributed mostly in the darknet:
And it comes with a good number of documents and training materials that tell you how to install and run it, and how to deliver the payload to the victim’s computer:
You can see above that FіnFіѕhеr seems to provide payloads through different channels, even through websites and USB devices. This suggests that FіnFіѕhеr’s trojan horse or payload will most likely try to install itself on the victim’s computer when a USB drive is inserted or a certain website is visited.
Looking at the FіnFіѕhеr software, I understand that you would be able to create your own EXE files through an infection tool provided by FіnFіѕhеr. It looks like it basically allows you to create your own payloads, because I can also see that you can select “will not trigger UAC prompt” on the software’s screen. I did not provide screenshots of the software since I would assume the developer behind FіnFіѕhеr, called ‘Lеnсh ΙΤ ЅоІutіоnѕ’, could try to legally stop me from displaying their software’s dashboard by arguing it is copyrighted media content. But you get the point.
But let me put it this way. If somebody were to look for these tools long enough and with perseverance, they would eventually be able to find them. Knowing where to look, it took me as a journalist no more than 15 minutes to find FіnFіѕhеr, as you can see above.
Another way is for the scam baiter to code his own RAT tool, which doesn’t have to be sophisticated since it only has to fulfill the handful of functions the scam baiter wants. Since the scam baiter would not have to deal with fancy dashboards, a simple script with a couple of control functions would suffice.
Now, with tools like this, Jim Browning can easily access somebody else’s computer, in this case the scammer’s PC. Now that we know what kind of tools Jim Browning uses to infect and control the scammer’s computer, one question remains: how does he drop the payload (the .exe file) onto the scammer’s PC?
Sniffing the Scammer’s Connection
Let’s have a quick intermezzo. First of all, without using any RAT tool, Jim Browning can trace back the connection using tools known as ‘packet sniffers’ or ‘network monitoring tools’.
There are plenty out there, and one of the most popular is Wireshark. For example, I use Wireshark when I’m testing VPN tools to see whether they are in fact using encryption. These tools will also reveal the IP addresses of other people gaining access to your computer, such as the IP address of a scammer connected through remote access software.
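The same information Wireshark gives you here can also be read off the local connection table. As an added example (not code from the article), the Python below parses `ss -tnp`-style output, constructed for this illustration, and flags established connections that belong to remote-access tools, reporting the peer address they are connected to. The process-name list and port map are assumptions I supply as a starting point, not something the article provides.

```python
import re
from dataclasses import dataclass

# Process names under which common remote-support tools show up in a
# connection table, plus ports documented for them. Both are a constructed
# starting point for this example, not an exhaustive signature set.
REMOTE_ACCESS_PROCESSES = {
    "teamviewer", "teamviewerd", "teamviewer_service",  # TeamViewer (Windows/Linux)
    "anydesk",                                          # AnyDesk
    "msra", "quickassist", "mstsc",                     # Microsoft Remote Assistance / Quick Assist / RDP client
}
REMOTE_ACCESS_PORTS = {5938: "TeamViewer", 7070: "AnyDesk", 3389: "RDP"}


@dataclass
class Connection:
    state: str
    local: str
    peer_host: str
    peer_port: str
    process: str  # lower-cased process name, "" if ss could not resolve it


def parse_ss_line(line):
    """Parse one line of `ss -tnp` output; return None for the header or junk."""
    parts = line.split(None, 5)
    if len(parts) < 5 or parts[0] == "State":
        return None
    state, _recvq, _sendq, local, peer = parts[:5]
    process_field = parts[5] if len(parts) == 6 else ""
    # rpartition copes with IPv6 peers such as [2001:db8::1]:5938
    peer_host, _, peer_port = peer.rpartition(":")
    m = re.search(r'\(\("([^"]+)"', process_field)
    return Connection(state, local, peer_host, peer_port, m.group(1).lower() if m else "")


def find_remote_access_sessions(ss_output):
    """Return [(Connection, [reasons])] for established remote-access sessions.

    The peer_host of each hit is the address the remote party (the scammer,
    in the article's scenario) is connecting from.
    """
    findings = []
    for line in ss_output.splitlines():
        conn = parse_ss_line(line)
        if conn is None or conn.state != "ESTAB":
            continue
        reasons = []
        if conn.process in REMOTE_ACCESS_PROCESSES:
            reasons.append(f"process {conn.process!r} is a remote-access tool")
        port = int(conn.peer_port) if conn.peer_port.isdigit() else None
        if port in REMOTE_ACCESS_PORTS:
            reasons.append(f"peer port {port} is used by {REMOTE_ACCESS_PORTS[port]}")
        if reasons:
            findings.append((conn, reasons))
    return findings


# Constructed `ss -tnp` output; peer addresses are taken from documentation ranges.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB  0      0      192.168.1.23:49832  203.0.113.45:5938   users:(("teamviewerd",pid=1342,fd=17))
ESTAB  0      0      192.168.1.23:49911  198.51.100.7:443    users:(("firefox",pid=2210,fd=88))
ESTAB  0      0      192.168.1.23:49950  203.0.113.90:443    users:(("anydesk",pid=3001,fd=9))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*           users:(("sshd",pid=801,fd=3))
"""

if __name__ == "__main__":
    for conn, reasons in find_remote_access_sessions(SAMPLE_SS_OUTPUT):
        print(f"{conn.peer_host}:{conn.peer_port} via {conn.process or '?'}: " + "; ".join(reasons))
```

On a live Linux box you would feed it the real output of `ss -tnp`; the peer host of a flagged session is what the article's "IP tracer" step then looks up.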
Having the IP address of the scammer is useful in many ways. The hacker can look up the IP using several online tools called “IP tracers” to see what kind of Internet Service Provider the scammer is using and where he is located, assuming of course he is not using a VPN to disguise his identity. Jim Browning shows in many videos that he was able to successfully trace the IPs of his scammers back to them, so we can assume that the scammers are not very clever when it comes to obfuscating their identities through VPNs.
Knowing somebody’s IP opens a good pathway for further investigation. But there is not much else you can do with that information: you won’t be able to hack into somebody’s computer just because you have traced their IP.
Sure, you can try to find some open ports and give it a shot based on luck, but this isn’t the 90s anymore, when you could easily hack through some open ports. It’s 2022, and firewalls, operating systems and router security have evolved considerably since then.
A hack is a creative approach, custom-designed for a specific situation. And the best way to hack into the scammer’s computer in this case is to get that person to install and start a file you want them to start: the RAT method.
Delivering a Payload to the Scammer’s Computer
Let’s talk about the opportunity that arises when a scammer tries to scam you, and how a vigilante hacker such as Jim Browning can use this to his advantage to deliver the payload.
This is the most fun part because it involves creativity, and it’s a custom-designed method that works perfectly against scammers.
A scammer usually gains access to your computer using a remote software tool once the victim allows it, thinking the scammer is a legitimate IT support person trying to help. TeamViewer is one of the most popular tools, but there are many others, such as Zoho Assist, RemotePC, and even Microsoft’s own remote tool.
Since Jim Browning knows the scammer is looking for files and account passwords that involve money, he will deliberately allow the scammer to access a computer he has specifically prepared as bait. Once the scammer gains access to it, there are a couple of things Jim Browning can do, and the possibilities here are endless, depending on how original you are in laying the snare.
But before he gets to that, he will do a little bit of sniffing.
As Jim Browning demonstrates in his videos, the first goal of the scammers is to get at the list of passwords stored in your Chrome browser, which is where all your auto-filled passwords are kept. In your browser settings, you can access those stored passwords and actually see all of them with one click:
And once the scammer clicks on one of these, he sees all your passwords just like that:
Jim Browning also teaches us that scammers favor remote software that allows them to black out the victim’s screen, so the victim doesn’t see what the scammer is doing on the computer, such as stealing their passwords.
Since victims have lots of passwords stored and, at the same time, their patience is limited, the scammer must act fast. He most likely won’t steal the password to your favorite radio streaming service, but rather look for websites with monetary value such as bank accounts, payment hubs like PayPal, or online shops such as Amazon or the Apple Store, where he can purchase gift cards using the credit card details stored on those websites.
Method #1: Baiting the Scammer With a File From Your Computer
This is the simple way. The scam baiter just leaves a file on his own computer, e.g. on his desktop, named something like “mypasswords.docx”.
A known tool called FakeImageExploiter allows the scam baiter to make a Windows .exe file look like a .docx file. It is basically the same as creating a mypasswords.docx.exe, but without the .exe extension being shown in Windows. Github.com/r00t-3xp10it/FakeImageExploiter explains this method pretty well.
The scammer will see this file on the scam baiter’s computer and download it. When he opens it, the payload is delivered, and the scam baiter now has full access.
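As an added example (not the article’s own code, nor FakeImageExploiter’s), here is a Python check for the trick behind Method #1: it models how Windows’ default extension hiding turns a file like mypasswords.docx.exe into mypasswords.docx on screen, and audits a constructed directory listing for such double-extension executables. The two extension lists are assumptions kept to common types.

```python
import os

# Extensions Windows will run when double-clicked (constructed list, common ones only)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".js", ".vbs", ".ps1", ".hta"}
# Harmless-looking extensions a disguised file borrows to pass as a document or picture
DOCUMENT_LOOKALIKES = {".docx", ".doc", ".pdf", ".xlsx", ".xls", ".pptx", ".txt", ".csv", ".jpg", ".jpeg", ".png"}


def shown_in_explorer(filename, hide_known_extensions=True):
    """Approximate how File Explorer displays a name.

    With 'Hide extensions for known file types' on (the Windows default) the
    last extension of a registered type is dropped, so 'mypasswords.docx.exe'
    is displayed as 'mypasswords.docx'. Only the final extension is hidden,
    which is the whole trick behind Method #1.
    """
    stem, ext = os.path.splitext(filename)
    known = ext.lower() in EXECUTABLE_EXTENSIONS or ext.lower() in DOCUMENT_LOOKALIKES
    return stem if hide_known_extensions and known else filename


def is_disguised_executable(filename):
    """True when the real extension runs code but the visible name ends in a document extension."""
    stem, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTENSIONS:
        return False
    _, visible_ext = os.path.splitext(stem)
    return visible_ext.lower() in DOCUMENT_LOOKALIKES


def audit_listing(filenames):
    """Return (actual name, name as displayed, real extension) for every disguised executable."""
    return [
        (name, shown_in_explorer(name), os.path.splitext(name)[1].lower())
        for name in filenames
        if is_disguised_executable(name)
    ]


# Constructed desktop listing: genuine documents, a real installer, and disguised executables
SAMPLE_LISTING = [
    "mypasswords.docx.exe",
    "tax return 2021.pdf",
    "family photo.jpg.scr",
    "Setup.exe",
    "notes.txt",
    "bank statement.PDF.EXE",
]

if __name__ == "__main__":
    for actual, displayed, real_ext in audit_listing(SAMPLE_LISTING):
        print(f"{displayed!r} is really {actual!r} ({real_ext} runs as a program)")
```

Turning off “Hide extensions for known file types” in File Explorer’s folder options makes the real extension visible, which is the simplest defence against this trick.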
Method #2: Baiting the Scammer With A Fake Bank
This is the least suspicious method and promises a much higher success rate.
Lesson number one: if Jim Browning were to bait the scammer with a valuable website such as a bank account, the scammer would most likely try to steal that password first. Naturally, a scam baiter like Jim Browning would prepare his Chrome browser with one valuable website, such as a bank’s, and the rest would only be there for smoke and mirrors, like the image below. The scammer wouldn’t lose any time and would immediately click on that bank account.
Of course, people such as Jim Browning would most likely use a free and bogus domain that sounds like a bank, e.g. pacificbankonline.com or whatever sounds somewhat legitimate.
Watching Jim Browning’s videos closely, you will also realize that these scammers are not the brightest. I would guess that most of them are simple-minded. You can assume that they don’t know much, if anything, about the U.S. or even the world’s financial industry.
In many videos you can clearly see that even though they claim to be from San Jose, they are not able to name a single restaurant in that city. This leads to the conclusion that they do not do any research or thinking at all, nor are they much prepared, but simply follow a monotonous process whose only goal is to get money from the victim without further ado.
That actually makes the scammer an easy target, and baiting him into visiting a website the scam baiter has created seems to be quite a good idea, as long as it sounds like there is money involved, like the domain “pacificbankonline.com” I just made up as an example.
The scammer will immediately open the scam baiter’s website he just obtained from his victim’s browser, thinking it’s a real bank his victim has an account with. The scam baiter, for his part, makes sure he has already created a website that looks like a professional bank’s. Here is one I just created for this article to illustrate how easy it actually is to create such a design:
Platforms such as WordPress allow quick and easy setups of that kind if you are a skilled and experienced programmer with HTML and CSS capabilities. A hacker like Jim Browning is usually that kind of person.
The scam baiter will probably want to make up a nice name for the phony bank. As a slogan he might even want to use something like “A J.P. MORGAN COMPANY” or “CITIBANK GROUP”, just to make the phony bank look like a subsidiary of a bigger, more serious bank.
When the scammer visits that website, he will simply log in with the user ID and password without being distracted by anything else on the phony bank website. He sure won’t try to educate himself by reading any of the blog posts on the site. But if he does, the website will simply show a popup with a login window.
You can clearly see in Jim Browning’s many videos that once the scammer logs in to the victim’s bank account or payment website, the first thing he does is transfer money from that account to a predetermined recipient.
Now the scammer is about to download a small piece of software that has been prepared for him to start: a hazardous .exe file that will compromise his computer. However, to make that happen, the scammer needs to be given a good reason to do so. This is where the creativity and social engineering skills of the scam baiter, who is also a hacker with years of experience, come into play.
We already know that the first thing a scammer does after logging in to the bank account is to click on ‘wire transfer’ to steal money.
The easiest way would be to offer a small download on the wire transfer dashboard, such as a bogus ‘PIN Generator’. The scammer will think he needs to start this tool in order to create a PIN that is needed to complete a wire transfer.
Below is a good way to trick the scammer into downloading the so-called ‘PIN Generator’. In the image below I made it look like a PIN Generator that has already been authenticated and digitally signed by the account owner, which just makes it look more legitimate, but is in fact just another way of creating smoke and mirrors, one of the many social engineering methods.
The scammer will immediately fill out this form and try to send money to someone, and will download the PIN Generator, which can be a file such as “PIN-GEN-JohnDoe4455.exe”. To add more obscurity, you could even ask for an SMS confirmation before the download, at which point the scammer will ask the victim to pick up his phone and read out that number. This will reduce the scammer’s suspicion even further, since transferring the money won’t have felt too easy. All the more reason for the scammer to download the .exe file.
Once the .exe file is downloaded and executed on the scammer’s PC, he will have installed the scam baiter’s trojan.
A good payload is usually embedded in another .exe file that actually has a real purpose and features. For instance, the .exe file would indeed open a fake PIN Generator tool, but only to ask for another SMS confirmation code. That way the scammer is not suspicious and once again has to ask his victim to look at his phone for a text message. Since the payload has been delivered successfully, this now lets the scam baiter find his way out of the session with a good exit strategy.
Before the scam baiter baits the scammer, he has an exit strategy already planned out. Once the scammer has installed the payload and the scam baiter has gained access to his PC, it is crucial for the baiter to come out clean and not arouse suspicions that could lead the scammer to investigate. The scam baiter will therefore give the scammer something he most likely receives all day long: mistrust. The goal is to let the scammer believe that his attempt has failed, which probably happens 99% of the time anyway, so that he moves on to the next victim. That’s one way to do it:
The scammer needs an explanation why the .exe file he has opened didn’t lead to his intended goal. Therefore, the payload has to provide a feasible explanation.
In the case of the fake PIN Generator this can be easily done when the tool (the payload) asks for a task the scammer can’t complete, such as activating the tool with another PIN that would have to arrive by text message.
In the example above the scammer will now try to obtain the SMS text message from his victim’s phone: “Sir, you should have received a text message. Can you provide me with that number?” Now it’s time for the victim (the scam baiter) to break off the relationship.
Hackers such as Jim Browning plan their exit strategy well. You can see in his videos how well organized he is, collecting and arranging all the information he gathers during his calls with the scammers.
The scam baiter should now tell the scammer something like: “This is a PIN from my bank. Are you trying to steal money from my bank?” That’s a good way to end a call, by switching to the role of a disappointed customer who has lost his trust. What better reason to end a call? While the scammer will most likely try to calm him down, the scam baiter’s website will have already logged the scammer out by displaying this message:
“Only one user session is allowed. Another user is already logged into this account. This user must log off this machine before you can log on.”
At the same time, the scam baiter will now change the password to his phony online bank, thus making it impossible for the scammer to see the dashboard again.
Once the scammer clicks the close button on the payload, the scam baiter, who already has full access, can easily overwrite the payload .exe file with something inconspicuous such as a bogus update application, or just close and delete it himself.
And while all that happens, the scam baiter will keep the scammer busy with accusations to divert his attention from what is going on. Eventually the scammer will end the call himself, realizing his attempt failed, by saying things such as ‘I can’t help you, sir, you have wasted much of my time’.
At this moment Jim Browning would have full access to the scammer’s PC, and the scammer would have hung up on him telling himself: ‘On to the next one’.
In a sense, you could say that Jim Browning actually is ‘reversing the connection’, if by connection you mean the social side of the interaction. Because that’s exactly what Jim Browning is doing: he is using the same methods the scammer uses, but in reverse.
I have to write this to protect myself, sorry guys: all these explanations are opinions and assumptions. I never talked to Jim Browning personally and he never explained to me how he does it, and as far as I know I’m using ‘Jim Browning’ as an anecdote for any scam baiter. Do not install any RAT, and do not try to bait scammers with any of the methods described here, as they might get you in trouble. Do not download or install FіnFіѕhеr or any of the tools mentioned above if you do not have the proper license. And by the way, just in case: I never said I downloaded or installed FіnFіѕhеr, did I? In a sense I do not know anything about what I’m writing here and it’s just a figment of my imagination. Legal Notice OFF.