December 7th, 2012
One Royal Pwning
UPDATE: There is a truly sad ending to this story – a short time ago today the nurse who took this call committed suicide. She was sad over her actions and fear caused her to end her life. This type of malicious SE is not a joke and has serious consequences.
This part is not really new news… Kate, the Duchess of Cambridge and Prince William’s wife, is in the King Edward VII hospital for a pregnancy.
Now here is an interesting story that proves the power of social engineering… Two Australian DJs, Mel Greig and Michael Christian, called the hospital pretending to be Queen Elizabeth and Prince Charles. The DJs were able to talk their way through the hospital switchboards and were eventually connected to the duchess’s private nurse. From her they were able to obtain a status update as to the duchess’s condition after being admitted for Gravidarum, or extreme morning sickness.
Here are some quotes given by Kate’s private nurse, from the Australian 2Day radio program:
“She is sleeping at the moment and she has had an uneventful night.”
“Sleep is good for her. She’s been given some fluids to rehydrate her because she was quite dehydrated when she came in. But she’s stable at the moment.”
“She hasn’t had any retching with me since I’ve been on duty and she has been sleeping on and off. I think it’s difficult sleeping in a strange bed as well.”
Apparently the pranksters got through with less than perfect British accents. Mel and Michael spoke candidly about their exploits and were surprised they were put through to Kate’s nurse. “We were very surprised that our call was put through, we thought we’d be hung up on as soon as they heard our terrible accents,” said Mel and Michael, according to a statement they released.
For added realism, the duo also employed cohorts who, in the background, made barking noises to simulate the Queen’s corgis. This technique is discussed in our 5-Day Social Engineering for Penetration Testers course. A little background noise can go a long way to add realism and believability. There are many ways to obtain background noises you can play through your speakers during a telephone social engineering engagement such as CDs, websites offering sound clips, or for something really specific, you can just make them yourself.
In this case the information released, while personal and private, was relatively benign. However, these techniques are being proven effective every day as social engineering attacks continue to increase. The low cost of entry for social engineers, coupled with the lack of awareness training on the part of companies, is a big reason these types of attacks are so widespread and so successful. We’ve seen previously how one of the world’s richest men can have his debit cards reset and sent to an attacker; now we see information about the Royal Family being released to completely unverified strangers over the telephone. Now this was obviously just a prank, but what if this was a serious attacker?