Nice video about the tool bro. The Only way to mitigate this in a company its is to build a case in a SIEM (p.e :not alowing 2 logins from diferent locations or not allowing 2 conections at the same time... etc )in order to alert you about the take account, and to give you the chance to lock down the account.. :) ... Live free Or die hacking!!
yes, if you notice something is wrong and don't input your credentials the phishers won't have them (but also important: if you realize you've sent your credentials before you complete the MFA, they won't have your token but you should change your password immediately)
Someone downloaded a binance trading bot from youtube that contain a virus and the hacker get acceess to his pc and stole money from his account even that the account was secured with phone 2FA is that really possible ? so if i get hacked 2FA won't protect me ?
Facebook hackers enabled 2FA Now is there anyway I can get my account back as most of this stuff on here cant and I've tried everything. How can I talk to you direct please.
I didn't understand how did you get text OTP ? Coz you are logging in to a fake site ,how will Microsoft send you text when you are not signing into Microsoft site?
Once the user enters the credentials in the fake account behind the scenes the credentials are submitted to the real account and then the token is stolen
ok this makes a lot of sense. but can they do it without passwords? because it happened to me with a .pdf.scr file I clicked. I don’t remember i put my email or password so I’m unsure as to how the got into my google account. If you can respond that would be awesome as I’m still unsure that my accounts are protected since the hijacking. Thanks!!
So basically that file you clicked was a phishing file meaning once you input your information it was being sent to the phishing device which is evilginx and they logged in and copied your cookies and pasted them into their browser and it automatically authenticated that account on their end as if it was you
You won't be able to recover your account with this technique since you would need to know the username and password for this hack to work, The username and password are submitted to the real website behind the scenes along with the authenticator token only then will the attacker get access to the session token and be able to use it to log into your account
Hay, I have a business account,And 2 Auth. I forgot a password,On my email they sand a code, but when they send a code to my phone I can't receive it because it is terminated, I vos use it in another country. Now I dont use it. Can somehow bypass that. On PC ?
I know of an expert who can get you account back within few minutes and I'm also happy how everyone recommend him on here it show I'm not only the aware of he's skills
I can try? Like what exactly is the problem? You just can't write some code? Or don't know how to deploy your code? Like I need more specifics my man, like idk I can't promise you the world but if you just need help getting that set up and that's it well I honestly don't believe that's gonna work my man, mainly because it's semi dated, IMO, but also the fact it's no doubt tracked to some degree, meaning whatever the hell your doing is recorded. Which doing whatever is probably gonna get recorded so know that. Like if you expected it not to and or didn't know exactly what to look for in terms of figuring out how to check the whatever it is, I'm guessing it's a jank Linux based kind of simple OS with a specific routine of doing Thing's, ultimately it's more than likely going to rootkit itself into your machine and then your gonna have a new level of hell to deal with if someone finds out that you've fallen for a specific trap that might be their come up at your expense. But even that like the only way someone's gonna help you is if you have a cell or 2nd device that it's not being installed on to do and walk you through the steps to get it done, like that's the best you can get honestly.
In theory it could. If a malicious actor creates a lure that is designed to phish your auth token from your online banking provider. Then yes in theory they could gain access to your online banking.
If someone looking for a coder for whatever reason like I could use something to take my mind off current things, I mean like feel free to test my skillset, I'm big not stressing that, unless it's like some random like environment that I don't currently know or something like just off the wall but idk I mean unless some dudes like sitting at a system like manually spinning a HDD with the cover removed and air duster, like spinning the drive and forcing it to read while joe nobody is like breaking down in assembly line debugger to RE some software well I mean like that's a thing, not gonna judge... I might laugh a little, but f it, lezz do it, run that shizz... But like yeah, I can get down with the get down, like (insert mind blowing awesome music mirroring dance repeat jams here) I could use some of that work to take my mind off life stuff right about now, I'd really appreciate it bunches! Okie dokie than just gonna wander off to some other spot on the net, you know basically the in the same spot physically but just another screen on this here phone cuz my PCs are a bit more OP than just be watching yt videos on, think I'll be checking my notifications because I donno pretty much don't wanna lose my house and all you know, those things that cost money that hold stuff like bed, dresser, and fridge with a stove... Yeah, those things... Kind of like them, sure would hate to lose all that, that sure puts me at a disadvantage ahh man, someone could totally like take advantage of that, like if they wanted to... Random dev just needing some work to live not on the street, alrighty than I think that's about as embarrassing and desperate as I'm gonna get, that's pretty bad... 😿 👈I don't wanna be that anymore... Okie dokie, take care.
That would depend on your settings in Office 365. If someone attacks you from another country and you have blocked that country to login, they won’t be able to login.
exceptional video brother - detailed enough and to the point - looking forward to more of such nice learning vids.
Glad you enjoyed the video ☺️
Great video! I would like to see you try doing this again but using a hardware key (like a yubikey) to prove how it prevents this attack.
I think a Yubikey would mitigate this attack because of how it verifies the originating domain against the authenticating domain.
WHY EVRY SOUTH AFRICAN BOYS LOOKS LIKE ELONMUSK?
Inbreeding.
Nice video about the tool bro.
The Only way to mitigate this in a company its is to build a case in a SIEM (p.e :not alowing 2 logins from diferent locations or not allowing 2 conections at the same time... etc )in order to alert you about the take account, and to give you the chance to lock down the account.. :)
... Live free Or die hacking!!
How do you gain the SIEM case?
***sent from the HACKERS' illegally installed 'mimick' text box-cannot text on my genuine screen***
have mercy on the Enter button dude. apart from that , awesome video .
wouldnt a yubico security key prevent this?
Yup
Really good video! 👏😎
Thank you☺️
Hey bro this video was very useful, how to protect our accounts from hackers in this type of attack ? Please make one video.
Yubikey’s are a good way to help protect this attack ☺️
This means, 2FA or MFA is not unsafe in general? If i recognize the "fake" login page as fake, and i do not enter in my credentials i am safe?
yes, if you notice something is wrong and don't input your credentials the phishers won't have them (but also important: if you realize you've sent your credentials before you complete the MFA, they won't have your token but you should change your password immediately)
Love your laptop
Thank you☺️
Extra like for using Plasma
NEED HELP , SOM1 PLEASE ANSWER THIS QUESTION... does the vps have to be in the cloud. Can it be in VMware, or virtual box?
This is really useful! Thanks!
Lol luv this guy!
Someone downloaded a binance trading bot from youtube that contain a virus and the hacker get acceess to his pc and stole money from his account even that the account was secured with phone 2FA is that really possible ? so if i get hacked 2FA won't protect me ?
Hello I have watched your video on evilginx! May I ask you how did you solve SSL certificate problem ? I’m having the same issue, thank you
Hi there. Usually you will have to check your cpanel settings to make sure that everything is correct. Otherwise Evilginx won’t work properly.
Facebook hackers enabled 2FA Now is there anyway I can get my account back as most of this stuff on here cant and I've tried everything. How can I talk to you direct please.
Great video!
Could you also make a video on how to bypass spam filters on Gmail? Thank you
I didn't understand how did you get text OTP ? Coz you are logging in to a fake site ,how will Microsoft send you text when you are not signing into Microsoft site?
Once the user enters the credentials in the fake account behind the scenes the credentials are submitted to the real account and then the token is stolen
Is it possible to send a sms api request to a web server and change the message?
Interesting idea, dont know if that would assist in this.
@@CyberlinxSecurity Im not relating it to the video. I just want to know if it would be possible
I smashed hard the like button
want evilginx2 to continue running after you log out from your server??
How do I download the cookie editor app for Firefox and who's the creator the only one I see looks nothing like the one mentioned
ok this makes a lot of sense. but can they do it without passwords? because it happened to me with a .pdf.scr file I clicked.
I don’t remember i put my email or password so I’m unsure as to how the got into my google account.
If you can respond that would be awesome as I’m still unsure that my accounts are protected since the hijacking.
Thanks!!
So basically that file you clicked was a phishing file meaning once you input your information it was being sent to the phishing device which is evilginx and they logged in and copied your cookies and pasted them into their browser and it automatically authenticated that account on their end as if it was you
Please help me recovery Gmail account
Great video please can you help me out on how toget this evilginx
Great vid, man. But what if the 2FA is a SMS veri ?
They could do a sim swap attack on your phone
dude I seriously need this to recover my own google account. what's that code hack app thingy name
Watch the video 🤯
You won't be able to recover your account with this technique since you would need to know the username and password for this hack to work, The username and password are submitted to the real website behind the scenes along with the authenticator token only then will the attacker get access to the session token and be able to use it to log into your account
@@Ericsicons well uh i already had recovered it the next day. nothing to worry🤪
i knew something new tnx
Does it matter if you use igconito mode?
Nice to know there isn't a damn thing anyone can do about it.
Go with FIDO and you will be safe
why did he say never end a password with 123
can i pay u to get my gmail back?
Why am I not getting phishlet tests?
Hay, I have a business account,And 2 Auth. I forgot a password,On my email they sand a code, but when they send a code to my phone I can't receive it because it is terminated, I vos use it in another country. Now I dont use it. Can somehow bypass that. On PC ?
I know of an expert who can get you account back within few minutes and I'm also happy how everyone recommend him on here it show I'm not only the aware of he's skills
Reach out to Nckmythss1 for help asap
I was in same shoe as you few days ago but with his help i was able to gain back access
Please make sure you are sending your request to the right place, he has 12k followers
whats the virtual box he’s using ?
Is there a good coder out here than can help me with evilginx setup? Lets deal. No ripper pls..
I can try? Like what exactly is the problem? You just can't write some code? Or don't know how to deploy your code? Like I need more specifics my man, like idk I can't promise you the world but if you just need help getting that set up and that's it well I honestly don't believe that's gonna work my man, mainly because it's semi dated, IMO, but also the fact it's no doubt tracked to some degree, meaning whatever the hell your doing is recorded. Which doing whatever is probably gonna get recorded so know that. Like if you expected it not to and or didn't know exactly what to look for in terms of figuring out how to check the whatever it is, I'm guessing it's a jank Linux based kind of simple OS with a specific routine of doing Thing's, ultimately it's more than likely going to rootkit itself into your machine and then your gonna have a new level of hell to deal with if someone finds out that you've fallen for a specific trap that might be their come up at your expense. But even that like the only way someone's gonna help you is if you have a cell or 2nd device that it's not being installed on to do and walk you through the steps to get it done, like that's the best you can get honestly.
the question I have is: how to hack my facebook account that was hacked with 2fa?
Scrip kiddies are gonna kidding
How can I buy this software?
thanks now I know
Hiya… how would I contact you if I needed some serious help?
3:00
longer and indepth next time bro
where do i get a free domain
i want help
Does this work on online payments
In theory it could. If a malicious actor creates a lure that is designed to phish your auth token from your online banking provider. Then yes in theory they could gain access to your online banking.
Hey, could you help figure out the right config for an o365 phishlet with adfs?
do u need ns1 servers registerd to make this work? or just a domain name?
If someone looking for a coder for whatever reason like I could use something to take my mind off current things, I mean like feel free to test my skillset, I'm big not stressing that, unless it's like some random like environment that I don't currently know or something like just off the wall but idk I mean unless some dudes like sitting at a system like manually spinning a HDD with the cover removed and air duster, like spinning the drive and forcing it to read while joe nobody is like breaking down in assembly line debugger to RE some software well I mean like that's a thing, not gonna judge... I might laugh a little, but f it, lezz do it, run that shizz... But like yeah, I can get down with the get down, like (insert mind blowing awesome music mirroring dance repeat jams here) I could use some of that work to take my mind off life stuff right about now, I'd really appreciate it bunches! Okie dokie than just gonna wander off to some other spot on the net, you know basically the in the same spot physically but just another screen on this here phone cuz my PCs are a bit more OP than just be watching yt videos on, think I'll be checking my notifications because I donno pretty much don't wanna lose my house and all you know, those things that cost money that hold stuff like bed, dresser, and fridge with a stove... Yeah, those things... Kind of like them, sure would hate to lose all that, that sure puts me at a disadvantage ahh man, someone could totally like take advantage of that, like if they wanted to... Random dev just needing some work to live not on the street, alrighty than I think that's about as embarrassing and desperate as I'm gonna get, that's pretty bad... 😿 👈I don't wanna be that anymore... Okie dokie, take care.
lookin for coder
Hi who helped you solving this issue?
2:20 that is false
the otp bypassing cookies, what if they use another IP address rather than your IP address, are they going to still login?
That would depend on your settings in Office 365. If someone attacks you from another country and you have blocked that country to login, they won’t be able to login.
.
Ttt
this method works for devices connected by one network?
I’m thinking maybe u could make them connect to your own proxy and steal cookies at the same time wen they click your phishing link