The ringleader of a seven-year phone-unlocking and malware scheme will head to prison for 12 years, according to the US Department of Justice, after compromising AT&T's internal networks to install credential-stealing malware.
With the help of malicious insiders, a fraudster was able to install malware and remotely divorce iPhones and other handsets from the carrier's US network, all the way from Pakistan.
The criminal, Muhammad Fahd of Pakistan and Grenada, was convicted of grooming AT&T employees at a Bothell, Washington, call centre to take part in the scam.
He and his now-deceased co-conspirator bribed employees to first use their AT&T credentials to sever phones from the AT&T network for customers who were still under contract, meaning those customers could take their newly independent phones to another service.
Later, Fahd asked his accomplices in the call centre to install custom malware and "hacking tools that allowed him to unlock phones remotely from Pakistan," according to court documents.
2 Million Mobile Phones
The 35-year-old Fahd defrauded AT&T out of more than $200 million in lost subscription fees after divorcing nearly 2 million mobile phones from the carrier, the DOJ explained.
“Unlocking a phone effectively removes it from AT&T’s network, thereby allowing the account holder to avoid having to pay AT&T for service or to make any payments for purchase of the phone,” it stated.
Recruiting Insider Threats
It all started in the summer of 2012, when Fahd targeted an AT&T employee through Facebook using the alias "Frank Zhang." He offered the employee "significant sums of money" in return for taking part in his scheme and asked the person to recruit other AT&T employees to the ring as well.
He also gave instructions on how to launder the bribery money: "Fahd instructed the recruited employees to set up fake businesses and bank accounts for those businesses, to receive payments and to create fictitious invoices for every deposit made into the fake businesses' bank accounts to create the appearance that the money was payment for genuine services," according to the US DOJ.
About a year later, in the spring of 2013, things got tougher for Fahd and Co. after AT&T implemented a new unlocking system. Undeterred, Fahd hired a software developer to design malware that would allow him to "unlock phones more efficiently and in larger numbers."
The malware was installed covertly on AT&T's own networks, thanks again to the malicious insiders he had recruited.
“At Fahd’s request, the employees provided confidential information to Fahd about AT&T’s computer system & unlocking procedures to assist in this process,” according to the sentencing documents.
“Fahd also had the employees install malware on AT&T’s computers that captured information about AT&T’s computer system & the network access credentials of other AT&T employees. Fahd provided the information to his malware developer, so the developer could tailor the malware to work on AT&T’s computers.”
This kind of access could have been used for other kinds of cyberattacks, such as ransomware or wide-scale espionage, but Fahd's only goal appears to have been the mobile phone heist. AT&T's forensic analysis showed that in all, 1.9 million phones were unlocked, costing AT&T $200 million in potential cellular telephone subscriptions. Accordingly, Fahd was ordered to pay that amount back as restitution, in addition to his prison sentence.
A 2015 lawsuit by AT&T against the implicated call-centre workers elaborated a bit on the gambit. The "customer-facing" aspect was run through a shady, now-defunct company called Swift Unlocks, which advertised phone-unlocking services to consumers. When someone requested an unlock, Swift Unlocks would oblige, obtaining the unlock codes through the malware-enabled remote access to AT&T's systems.
AT&T employees were paid $2,000 every two weeks for facilitating the effort, according to the lawsuit, with two of the top participants "earning" $10,500 and $20,000 respectively. AT&T discovered the malware around October 2013 and fired the employees involved. Eventually, the entire operation was traced back to Fahd.
At the sentencing hearing, US District Judge Robert S. Lasnik of the Western District of Washington noted that Fahd had committed a "terrible cybercrime over an extended period."
Fahd was indicted in 2017 and arrested in Hong Kong in 2018. He was extradited and appeared in US District Court in Seattle in August 2019. He pleaded guilty to conspiracy to commit wire fraud last September.
Conduit for Fraud
Call-centre and in-store employees continue to provide a conduit for fraud, whether knowingly, as in this case, or unknowingly, as seen in some SIM-swapping efforts. AT&T has had its share of trouble, including facing a $224 million legal challenge after store employees were caught in a SIM-swapping ring.