Industry Financial Services
Solution Type Cybersecurity Testing
Needs Although this company was confident in their threat detection capabilities, they needed further validation before an audit of their new capabilities for incident response and cybersecurity detection. This company needed to simulate real-life attack patterns which they hadn’t simulated in the past.


In an effort to fortify their technical and physical security controls, this Fortune 200 Financial Services firm wanted to set up a Black Box Penetration Test. This type of test is designed to simulate a real-life attack. This is a hacking simulation where typically the testing team and/or client getting hacked has little to no knowledge when the attack is going to take place. The testing team must “find” information themselves using known techniques to gather information about their target.

The client engaged TUV Rheinland OpenSky to conduct the Black Box Penetration Test because we have the technical range and experience to stealthily perform an assortment of tests, including (VDA) foot-printing and reconnaissance, social engineering, wireless penetration testing, and gaining physical access to the building. Our team of expert testers use security and cloud infrastructure skills to create non-traditional attack vectors.

Foot-Printing and Reconnaissance
The goal of this effort was to establish the overall Internet footprint of the organization and to define the scope of the rest of the engagement. Foot-printing and reconnaissance during the Black Box Penetration Test emphasized detection avoidance. TUV Rheinland OpenSky took steps to ensure that during the passive reconnaissance, little traffic was sent to the client. The exception to this is that our team did manually browse through many of the client’s internal web assets.

Social Engineering
The goal of the remote social engineering and email phishing campaign was to model a popular method for attackers to gain entry into an organization. By using a spear-phishing campaign targeting a very small group of users, TUV Rheinland OpenSky was able to enter the client’s internal network.

TUV Rheinland OpenSky ran three different compromise attempts.
  • Compromise Attempt 1: The first wave of targeted emails was sent from an email server controlled by TUV Rheinland OpenSky to specific target employees. The email campaign showed a familiar page, geared towards the client’s specific environment, with a link that when clicked prompted for login credentials.
  • Compromise Attempt 2: Another user was compromised through a similar email phishing method as described above. TUV Rheinland OpenSky testers looked for sensitive files on the user’s PC and found a file that contained encrypted passwords used to authenticate different devices on the network.
    • Discovered: The client’s Security Operations Center (SOC) determined the user’s computer was compromised and dispatched personnel to quarantine and examine the computer.
  • Compromise Attempt 3: After the client’s security personnel discovered and blocked the first campaign, a second campaign was launched. The second campaign used was similar to the first campaign, but with changes to the configuration and different users were targeted.

Wireless Penetration Testing
The purpose of Wireless Penetration Testing was to discover vulnerabilities and security weaknesses related to wireless networks. If those vulnerabilities were exploitable, the TUV Rheinland OpenSky team would execute different techniques to avoid detection while gaining access to the client’s internal network. TUV Rheinland OpenSky was approved to perform an “evil twin” wireless attack at a site different from the site where the physical penetration test took place.

Our TUV Rheinland OpenSky team requested and was approved to perform this attack from eateries located near our client's office. This “evil twin” attack works if employee mobile devices are not properly secured. If so, devices will send their saved WPA2-Enterprise credentials (hashed) to a rogue access point if the access point is configured to mimic the real WPA2-Enterprise network. On some device types (Android), this rogue access can happen without any user interaction. The attack was ultimately unsuccessful, indicating the resiliency of employee devices.

In a second attempt to access the corporate network, or at least gain additional credentials, TUV Rheinland OpenSky set up an “evil twin” access point. Our team configured an access point that broadcasted the same network name (SSID) as the real WiFi network using a strong antenna.

Physical Access to Building
The purpose of the physical security penetration test was to review physical security controls at the client’s location to determine the best method of entry. If physical entry were gained, the goal was to conduct an attack on the internal client’s network.

Despite resistance, see how our team was able to maneuver past the defenses in this corporate environment:

At the end of the day

The testers observed that their command and control server was getting probed by what appeared to be the client’s SOC team. The testers shut down their C2 servers and closed testing.

The client’s SOC discovered the network intrusion activities of testers and dispatched personnel. By this time though, the OpenSky testers had already left the building.

Our testing team was able to remain undetected for three weeks, while previous security companies were detected within hours.
  • As a result of this project, the customer now has nearly 20 information security findings that have been identified and rated through our proprietary risk rating and risk classification scale.
  • Our testing team's successful phishing campaign exposed a control failure.
  • Our team was able to gain access to the physical building and to sensitive networked data, which resulted in multiple actionable security findings.
As a result of our Black Box Penetration Testing and real-life attack simulation, this client was able to address many vulnerabilities before their Security audit. After our testing, this company has increased confidence in its existing security methods and awareness about newly discovered vulnerabilities.

Company Profile:

This Fortune 200 Financial Services firm has been a trusted source for financial preparedness for the better part of a century. They offer products and services to help customers achieve peace of mind over their financial lives.

Before you leave…
want to sign up for our newsletter?