AT&T Phone-Unlocking Malware Ring Costs Carrier $200M

With the help of malicious insiders, a fraudster was able to install malware and remotely divorce iPhones and other handsets from the carrier’s U.S. network — all the way from Pakistan.

The ringleader of a seven-year phone-unlocking and malware scheme will head to the clink for 12 years, according to the Department of Justice, after effectively compromising AT&T’s internal networks to install credential-thieving malware.

The perp, one Muhammad Fahd of Pakistan and Grenada, was convicted of grooming AT&T employees at a Bothell, Wash. call center to take part in the scam. He and his now-deceased co-conspirator bribed employees to first use their AT&T credentials to sever phones from the AT&T network for customers who were still under contract — meaning those customers could take their newly independent phones to another service. And then later, Fahd asked his accomplices in the call center to install custom malware and “hacking tools that allowed him to unlock phones remotely from Pakistan,” according to court documents.

In all, the 35-year-old Fahd effectively defrauded AT&T out of more than $200 million in lost subscription fees after divorcing nearly 2 million mobile phones from the carrier, the DoJ explained.

Infosec Insiders Newsletter

“Unlocking a phone effectively removes it from AT&T’s network, thereby allowing the account holder to avoid having to pay AT&T for service or to make any payments for purchase of the phone,” it said.

Recruiting Insider Threats

It all started in the summer of 2012, when Fahd targeted an AT&T employee through Facebook using the alias “Frank Zhang,” He offered the employee “significant sums of money” in return for taking part in his scheme, and asked the person to recruit other AT&T employees to the ring as well.

He also gave instructions on how to launder the bribery money: “Fahd instructed the recruited employees to set up fake businesses and bank accounts for those businesses, to receive payments and to create fictitious invoices for every deposit made into the fake businesses’ bank accounts to create the appearance that the money was payment for genuine services,” according to the DoJ.

About a year later, in the spring of 2013, things got a little tougher for Fahd & Co. after AT&T implemented a new unlocking system. Undeterred, Fahd hired a software developer to design malware that would allow him to “unlock phones more efficiently and in larger numbers.” The malware was installed in stealth on AT&T’s own networks, thanks again to the malicious insiders he had recruited.

“At Fahd’s request, the employees provided confidential information to Fahd about AT&T’s computer system and unlocking procedures to assist in this process,” according to the sentencing documents. “Fahd also had the employees install malware on AT&T’s computers that captured information about AT&T’s computer system and the network access credentials of other AT&T employees. Fahd provided the information to his malware developer, so the developer could tailor the malware to work on AT&T’s computers.”

Of course, this kind of access could have been used for different kinds of cyberattacks, such as ransomware or wide-scale espionage efforts, but Fahd’s only goal seemed to be the mobile phone heist. AT&T’s forensic analysis showed that in all, 1.9 million phones were unlocked, costing AT&T $200 million in potential cellular telephone subscriptions. Accordingly, Fahd was ordered to pay that back as restitution, along with his prison sentence.

A 2015 lawsuit by AT&T against the implicated call-center workers elaborated a bit on the gambit. The “customer-facing” aspect was run through a shady, now-defunct company called Swift Unlocks, which advertised phone-unlocking services for consumers. When someone requested an unlock, Swift Unlocks would oblige, obtaining the unlock codes using the malware-enabled remote access to AT&T’s systems.

AT&T employees were paid $2,000 every two weeks for facilitating the effort, according to the lawsuit, with two of the top participants “earning” $10,500 and $20,000 respectively. AT&T discovered the malware around October 2013, firing the employees involved. Eventually, the entire operation was traced back to Fahd and

At the sentencing hearing U.S. District Judge Robert S. Lasnik for the Western District of Washington noted that Fahd had committed a “terrible cybercrime over an extended period.”

Fahd was indicted in 2017 and arrested in Hong Kong in 2018. He was extradited and appeared in U.S. District Court in Seattle in August 2019. He pleaded guilty to conspiracy to commit wire fraud last September.

Call-center and in-store employees continue to provide a conduit for fraud – whether knowingly, as in this case, or unknowingly, as seen in some SIM-jacking efforts. AT&T has had its share of trouble, including facing a $224 million legal challenge after store employees were caught in a SIM-swapping ring.

Rule #1 of Linux Security: No cybersecurity solution is viable if you don’t have the basics down. JOIN Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the 4 Golden Rules of Linux Security. Your top takeaway will be a Linux roadmap to getting the basics right! REGISTER NOW and join the LIVE event on Sept. 29 at Noon EST. Joining Threatpost is Uptycs’ Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time.


Suggested articles