How we did it
Phishing Attack Setup
A custom SSL-terminating proxy was used to intercept login sessions and capture MFA-protected user actions.
Intercepting MFA (Pingrid) Data
The phishing attack lured a victim into logging in, allowing real-time interception of Pingrid-protected actions.
User Account Enumeration
The attack identified high-value GBP and EUR accounts belonging to the victim.
Unauthorised Card Issuance
Using the intercepted Pingrid digits, a new payment card was issued and linked to the victim’s accounts.
Brute-Forcing Activation CVV
A simple brute-force attack enabled activation of the stolen card, granting full access to funds.
Key priorities included:
- Access control weaknesses that could expose sensitive client data.
- Phishing attack scenarios and 2FA bypass risks.
- Vulnerabilities in mobile applications that could enable local attacks or remote code execution.
- Privilege escalation paths leading to unauthorised account control.
- Injection-based attacks that could grant access to databases or backend systems.
- Stored and reflected XSS that could be leveraged for session hijacking or watering hole attacks.
The approach involved:
- Deploying a custom SSL-terminating proxy to intercept login sessions and capture MFA-protected user actions.
- Using phishing techniques to lure victims into logging in, allowing real-time interception of Pingrid-protected actions.
- Enumerating user account information to identify high-value GBP and EUR accounts.
- Exploiting intercepted Pingrid digits to issue a new payment card linked to the victim’s accounts.
- Performing a brute-force attack to activate the stolen card, granting full access to funds.
Conclusion
While each individual vulnerability carried only low to medium risk, chaining them together enabled a severe phishing attack that bypassed MFA and allowed unauthorised transactions.
Recommendations:
- Strengthen MFA implementation to prevent real-time interception.
- Implement better phishing detection and awareness training.
- Enforce strict access controls on financial transactions.
- Harden Pingrid security to prevent brute-force exploitation.
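The last recommendation is about the card-activation step: a three-digit activation code has only 1,000 possible values, so it is only as strong as the limit on how many wrong guesses the server will evaluate. The example below is an added illustration, not code from Tenendo or from the client system described above; the service, card record and constant names (ActivationService, CardRecord, MAX_ATTEMPTS, LOCKOUT_SECONDS) are assumptions chosen for the example. It shows the control a defender would expect: a per-card failed-attempt counter, a lockout that also blocks the correct code while active, a constant-time comparison, and an audit trail in which a lockout is an explicit event that monitoring can alert on.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for the example; a real issuer would tune these.
MAX_ATTEMPTS = 3                 # wrong guesses tolerated before the card locks
LOCKOUT_SECONDS = 24 * 60 * 60   # lock duration after MAX_ATTEMPTS failures


@dataclass
class CardRecord:
    card_id: str
    activation_cvv: str      # a production system stores a salted hash, not the clear value
    failed_attempts: int = 0
    locked_until: float = 0.0
    activated: bool = False


class ActivationService:
    """Hypothetical card-activation backend with brute-force protection."""

    def __init__(self, clock=time.time):
        self.cards = {}
        self.clock = clock       # injectable so the lockout window can be tested
        self.audit = []          # (event, card_id) tuples; "lockout" is the SOC signal

    def issue(self, card_id, cvv=None):
        # Real issuance draws the code from a CSPRNG; a fixed value may be passed for tests.
        if cvv is None:
            cvv = f"{secrets.randbelow(1000):03d}"
        self.cards[card_id] = CardRecord(card_id, cvv)
        return cvv

    def activate(self, card_id, submitted_cvv):
        rec = self.cards[card_id]
        now = self.clock()

        # While locked, even the correct code is refused: the attacker gains nothing
        # by continuing, and the lock cannot be "reset" by a lucky guess.
        if rec.locked_until > now:
            self.audit.append(("locked", card_id))
            return "locked"

        if hmac.compare_digest(rec.activation_cvv.encode(), submitted_cvv.encode()):
            rec.activated = True
            rec.failed_attempts = 0
            self.audit.append(("activated", card_id))
            return "activated"

        rec.failed_attempts += 1
        self.audit.append(("failed", card_id))
        if rec.failed_attempts >= MAX_ATTEMPTS:
            rec.locked_until = now + LOCKOUT_SECONDS
            rec.failed_attempts = 0
            self.audit.append(("lockout", card_id))
        return "rejected"


def guesses_evaluated_before_lockout(service, card_id):
    """Count how many codes the server will actually evaluate for one card before locking.

    With MAX_ATTEMPTS=3 this is 3 out of 1,000, i.e. a 0.3% chance per lockout window,
    and every window leaves a 'lockout' audit event behind.
    """
    evaluated = 0
    for code in range(1000):
        result = service.activate(card_id, f"{code:03d}")
        if result == "locked":
            break
        evaluated += 1
        if result == "activated":
            break
    return evaluated


def lockout_events(service):
    """Events a detection rule would key on: one entry per card lockout."""
    return [card for event, card in service.audit if event == "lockout"]


if __name__ == "__main__":
    svc = ActivationService(clock=lambda: 1_000.0)
    svc.issue("card-demo", cvv="123")       # constructed test card
    print("evaluated:", guesses_evaluated_before_lockout(svc, "card-demo"))
    print("lockouts:", lockout_events(svc))
```

The design point is that the limit is enforced per card on the server, not in the client, and that the lock also refuses the correct code until it expires; a per-IP limit alone would not help against a proxy-based attacker who controls the session. The `lockout` audit entry is what a detection rule should watch for, since a single locked card may be innocent but several lockouts across newly issued cards in a short window are not.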
This case highlights the importance of threat modelling in identifying practical attack chains before real adversaries do.