AT&T employees took bribes to plant malware on the company’s network

AT&T employees took bribes to unlock millions of smartphones, and to install malware and unauthorized hardware on the company’s network, the Department of Justice said yesterday.

These details come from a DOJ case opened against Muhammad Fahd, a 34-year-old man from Pakistan, and his co-conspirator, Ghulam Jiwani, believed to be deceased.

The DOJ charged the two with paying more than $1 million in bribes to several AT&T employees at the company’s Mobility Customer Care call center in Bothell, Washington.

Operating since 2012

The bribery scheme lasted from at least April 2012 until September 2017. Initially, the two Pakistani men bribed AT&T employees to unlock expensive iPhones so they could be used outside AT&T’s network.

The two recruited AT&T employees by approaching them in private via telephone or Facebook messages. Employees who agreed, received lists of IMEI phone codes which they had to unlock for sums of money.

Employees would then receive bribes in their bank accounts, in shell companies they created, or as cash, from the two Pakistani men.

This initial stage of the scheme last for about a year, until April 2013, when several employees left or were fired by AT&T.

The malware stage

That’s when Fahd changed tactics and bribed AT&T employees to install malware on AT&T’s network at the Bothell call center. Between April and October 2013, this initial malware collected data on how AT&T infrastructure worked.

According to court documents unsealed yesterday, this malware appears to be a keylogger, having the ability “to gather confidential and proprietary information regarding the structure and functioning of AT&T’s internal protected computers and applications.

The DOJ said Fahd and his co-conspirator then created a second malware strain that leveraged the information acquired through the first. This second malware used AT&T employee credentials to perform automated actions on AT&T’s internal application to unlock phone’s at Fahd’s behest, without needing to interact with AT&T employees every time.

In November 2014, as Fahd began having problems controlling this malware, the DOJ said he also bribed AT&T employees to install rogue wireless access points inside AT&T’s Bothell call center. These devices helped Fahd with gaining access to AT&T internal apps and network, and continue the rogue phone unlocking scheme.

One AT&T employee made $428,500

The DOJ claims Fahd and Jiwani paid more than $1 million in bribes to AT&T employees, and successfully unlocked more than two million devices, most of which were expensive iPhones. One AT&T employee received more than $428,500 in bribes over a five year period, investigators said.

The DOJ said the two operated three companies named Endless Trading FZE, Endless Connections Inc., and iDevelopment. The DOJ didn’t say if Fahd and Jiwani were unlocking stolen devices, or running a unauthorized phone unlocking website. For some email communications, Fahd used the unlockoutlt@ymail.com address, suggesting the latter scenario.

Fahd was arrested in Hong Kong in February 2018, and extradited to the US on August 2, last week. He now faces a litany of charges that may send him behind bars for up to 20 years.

AT&T estimated it lost revenue of more than $5 million/year from Fahd’s phone unlocking scheme.

“We have been working closely with law enforcement since this scheme was uncovered to bring these criminals to justice and are pleased with these developments,” an AT&T spokesperson told ZDNet. The company said this incident did not involve access to customers’ personal data.

Updated shortly after publication, at 10:50am ET, with comment from AT&T.

Related malware and cybercrime coverage: