Application Threat Modelling and Phishing Attack Chain Case

A threat model helped prioritize vulnerabilities, leading to the identification of a phishing attack chain that bypassed MFA and allowed unauthorized transactions.

The challenge

A threat modelling exercise was conducted to identify and prioritize security risks in a web business application and mobile applications. The main objectives were to assess access control flaws, phishing risks, privilege escalation, and remote code execution (RCE) vulnerabilities.

The solution

Although no high-risk vulnerabilities were discovered, a practical attack chain was built by combining multiple lower-risk issues, demonstrating how an attacker could phish users and bypass MFA to gain unauthorized financial access.

How we did it

Phishing Attack Setup:

  • A custom SSL-terminating proxy was used to intercept login sessions and capture MFA-protected user actions.

Intercepting MFA (Pingrid) Data:

  • The phishing attack lured a victim into logging in, allowing real-time interception of Pingrid-protected actions.

User Account Enumeration:

  • The attack identified high-value GBP and EUR accounts belonging to the victim.

Unauthorized Card Issuance:

  • Using the intercepted Pingrid digits, a new payment card was issued and linked to the victim’s accounts.

Brute-Forcing Activation CVV:

  • A simple brute-force attack enabled activation of the stolen card, granting full access to funds.

Key priorities of the threat modelling exercise included:

  • Access control weaknesses that could expose sensitive client data.
  • Phishing attack scenarios and 2FA bypass risks.
  • Vulnerabilities in mobile applications that could enable local attacks or remote code execution.
  • Privilege escalation paths leading to unauthorized account control.
  • Injection-based attacks that could grant access to databases or backend systems.
  • Stored and reflected XSS that could be leveraged for session hijacking or watering hole attacks.

Conclusion

While individual vulnerabilities had low to medium risk, chaining them together enabled a severe phishing attack that bypassed MFA and allowed unauthorized transactions.

Recommendations:

  • Strengthen MFA implementation to prevent real-time interception.
  • Implement better phishing detection and awareness training.
  • Enforce strict access controls on financial transactions.
  • Harden Pingrid security to prevent brute-force exploitation.

This case highlights the importance of threat modelling in identifying practical attack chains before real adversaries do.
