Case studies. Red Teaming

Application Threat Modelling and Phishing Attack Chain Case

A threat model helped prioritize vulnerabilities, leading to the identification of a phishing attack chain that bypassed MFA and allowed unauthorized transactions.

schedule a call

The challenge

A threat modelling exercise was conducted to identify and prioritize security risks in a web business application and mobile applications. The main objectives were to assess access control flaws, phishing risks, privilege escalation, and remote code execution (RCE) vulnerabilities.

The solution

Although no high-risk vulnerabilities were discovered, a practical attack chain was built by combining multiple lower-risk issues, demonstrating how an attacker could phish users and bypass MFA to gain unauthorized financial access.

How we did it

Phishing Attack Setup:

A custom SSL-terminating proxy was used to intercept login sessions and capture MFA-protected user actions.

Intercepting MFA (Pingrid) Data:

The phishing attack lured a victim into logging in, allowing real-time interception of Pingrid-protected actions.

User Account Enumeration:

The attack identified high-value GBP and EUR accounts belonging to the victim.

Unauthorized Card Issuance:

Using the intercepted Pingrid digits, a new payment card was issued and linked to the victim’s accounts.

Brute-Forcing Activation CVV:

A simple brute-force attack enabled activation of the stolen card, granting full access to funds.

Key priorities included:

Access control weaknesses that could expose sensitive client data.
Phishing attack scenarios and 2FA bypass risks.
Vulnerabilities in mobile applications that could enable local attacks or remote code execution.
Privilege escalation paths leading to unauthorized account control.
Injection-based attacks that could grant access to databases or backend systems.
Stored and reflected XSS that could be leveraged for session hijacking or watering hole attacks.

The approach involved:

Deploying a custom SSL-terminating proxy to intercept login sessions and capture MFA-protected user actions.
Using phishing techniques to lure victims into logging in, allowing real-time interception of Pingrid-protected actions.
Enumerating user account information to identify high-value GBP and EUR accounts.
Exploiting intercepted Pingrid digits to issue a new payment card linked to the victim’s accounts.
Performing a brute-force attack to activate the stolen card, granting full access to funds.

Conclusion

While individual vulnerabilities had low to medium risk, chaining them together enabled a severe phishing attack that bypassed MFA and allowed unauthorized transactions.

Recommendations:

Strengthen MFA implementation to prevent real-time interception.
Implement better phishing detection and awareness training.
Enforce strict access controls on financial transactions.
Harden Pingrid security to prevent brute-force exploitation.

This case highlights the importance of threat modeling in identifying practical attack chains before real adversaries do.

Your Cyber Resiliency is Our Passion

schedule a call

About security testing:

Azure Active Directory compromise

The Azure penetration test helped the client identify and remediate multiple issues and misconfigurations, harden their infrastructure and calculate potential risks.

Case Studies | Case studies. VAPT

PCI DSS segmentation testing case

The team created several hardware connect-back appliances and used it in a PCI DSS segmentation testing.

Case Studies | Case studies. VAPT

Payment processing API penetration testing

Tenendo specialists discovered an unattended staging environment and leveraged its vulnerabilities for sensitive information disclosure. This information was later reused in an attack against the main application, that allowed us access to the payment API on behalf of other customers of our Client.