How we did it

Phishing Attack Setup

A custom SSL-terminating proxy was used to intercept login sessions and capture MFA-protected user actions.

Intercepting MFA (Pingrid) Data

The phishing attack lured a victim into logging in, allowing real-time interception of Pingrid-protected actions.

User Account Enumeration

The attack identified high-value GBP and EUR accounts belonging to the victim.

Unauthorised Card Issuance

Using the intercepted Pingrid digits, a new payment card was issued and linked to the victim’s accounts.

Brute-Forcing Activation CVV

A simple brute-force attack enabled activation of the stolen card, granting full access to funds.

Key priorities included

Access control weaknesses that could expose sensitive client data.
Phishing attack scenarios and 2FA bypass risks.
Vulnerabilities in mobile applications that could enable local attacks or remote code execution.
Privilege escalation paths leading to unauthorised account control.
Injection-based attacks could grant access to databases or backend systems.
Stored and reflected XSS that could be leveraged for session hijacking or watering hole attacks.

The approach involved:

Deploying a custom SSL-terminating proxy to intercept login sessions and capture MFA-protected user actions.
Using phishing techniques to lure victims into logging in, allowing real-time interception of Pingrid-protected actions.
Enumerating user account information to identify high-value GBP and EUR accounts.
Exploiting intercepted Pingrid digits to issue a new payment card linked to the victim’s accounts.
Performing a brute-force attack to activate the stolen card, granting full access to funds.

Conclusion

While individual vulnerabilities had low to medium risk, chaining them together enabled a severe phishing attack that bypassed MFA and allowed unauthorized transactions.

Recommendations:

Strengthen MFA implementation to prevent real-time interception.
Implement better phishing detection and awareness training.
Enforce strict access controls on financial transactions.
Harden Pingrid security to prevent brute-force exploitation.

This case highlights the importance of threat modelling in identifying practical attack chains before real adversaries do.

Application Threat Modelling and Phishing Attack Chain Case

A threat model helped prioritize vulnerabilities, leading to the identification of a phishing attack chain that bypassed MFA and allowed unauthorized transactions.

The Challenge

A threat modelling exercise was conducted to identify and prioritize security risks in a web business application and mobile applications. The main objectives were to assess access control flaws, phishing risks, privilege escalation, and remote code execution (RCE) vulnerabilities.

The Solution

Although no high-risk vulnerabilities were discovered, a practical attack chain was built by combining multiple lower-risk issues, demonstrating how an attacker could phish users and bypass MFA to gain unauthorized financial access.

Application Penetration Testing

Infrastructure Assessment

Cloud Infrastructure

Performance and scalability assessment

Cybersecurity assessment

Red Teaming

Compliance Readiness Services

Purple Teaming

Training

Due Diligence

Insides

Case Studies

Contact Us

About Tenendo

Contact us: