Bribed AT&T Employees Scam Millions

 August 17, 2020

By  Anton Kiorolgo

Select AT&T employees working at AT&T’s Mobility Customer Care Center in Bothell, Washington have been found to have accepted bribes worth millions in total to unlock millions of smartphones, as well as to install malware and unlicensed hardware on the company network, according to a Department of Justice (DOJ) suit.

According to the indictment released by the Department of Justice (DOJ), “Fahd recruited and paid AT&T insiders to use their computer credentials and access to disable AT&T’s proprietary locking software that prevented ineligible phones from being removed from AT&T’s network.”

The Department of Justice (DOJ) has charged multiple individuals with bribery, intentional damage, and wire fraud among other charges.

Part of the investigation revealed that one employee at AT&T received more than $400,000 in bribes over the duration of the con.

The cyber scheme occurred from April 2012 until September 2017.

Bootstrapping Operations

The cyberattack began innocently enough in April 2012, with two Pakistani men bribing AT&T employees to unlock iPhones so that they could operate outside of AT&T’s network. (An action known as jailbreaking – a rather routine scam operation.) In some contracts where cell phones were priced below retail, customers were able to receive steep unauthorized discounts. Phones are generally released legally after payment plans are fully paid, allowing the user to take the device to any carrier they wish. The DOJ indictment of Fahd noted that AT&T may not be able to receive all payments should a device be taken off of its network prematurely. Surprisingly enough, the process of unlocking a phone from the AT&T network was relatively simple, only requiring an AT&T employee to enter the device’s IMEI code.

The indictment states: “Unlocked phones were a valuable commodity because they could be resold and used on any other compatible network around the world… When phones were unlocked fraudulently without AT&T’s authorization and customers switched service to other carriers, the fraudulent transactions deprived AT&T of the stream of payments that were due under the service contracts and installment plans.”

The fraud began with two employees recruited directly via telephone and Facebook Messenger messages. The two employees were promised rewards, generally financial bribes, for unlocking phones by their IMEI codes.

The bribed employees received these payments as cash, as direct deposits into fake (shell) companies they had created to channel funds from the scheme, or as direct deposits into their personal bank accounts.

The first wave of the cyberattack lasted for around a year. By April 2013, some of the employees involved had either left, been let go, or been fired by AT&T. With few connections into the company, the two cybercriminals faced a challenge, but they weren’t finished.

Changing Tactics

Starting between April and October 2013, Fahd began to instruct bribed AT&T employees to install malware on their company workstations. The malware was a keylogger, able to collect information on clicks and keystrokes. It gave Fahd insight into how AT&T’s software worked, providing him and his criminal sidekicks a map of the network.

From there, Fahd and his co-conspirators created a second malware strain which utilized the information gained through the first. This strain used AT&T login credentials to automate certain actions on internal AT&T software to unlock phones without needing to interact with AT&T employees – Fahd no longer needed AT&T employees to enter the IMEI codes manually to release each phone.

In November 2014, Fahd began to lose control of his malware, partially due to the fact that AT&T had caught some of the software. To compensate for this challenge, he began to bribe AT&T employees to install wireless access points inside the call center – they allowed Fahd to gain access to the call center’s network internally, moving through it as if he were a virus. Fahd was able to direct the criminal traffic through the illegal equipment, keeping the illegal activities a secret.

Big Bills

AT&T began investigating internally. Three employees were initially prosecuted for installing Fahd’s malware. The investigation was launched due to the large number of phone unlocking operations beginning in October 2013, signaling an issue.
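The signal described above, an abnormal number of unlock operations, can be checked per account against the peer baseline. The following is an added example, not AT&T's tooling and not taken from the indictment; the audit-log format, account names and thresholds are constructed assumptions. It goes one step beyond the volume signal by also flagging evenly spaced requests, the pattern a script replaying credentials would leave.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed audit lines: 'ISO-timestamp account action imei' (assumed format)."""
    t0 = datetime(2013, 10, 1, 9, 0, 0)
    lines = []
    # Five ordinary accounts: a handful of unlocks at irregular, human-paced gaps.
    human_gaps = [(310, 1250, 95), (620, 45, 2400, 700), (180, 3300),
                  (900, 75, 1600, 410, 2050), (1400, 260, 500)]
    for n, gaps in enumerate(human_gaps):
        t = t0
        for i, g in enumerate(gaps):
            t += timedelta(seconds=g)
            lines.append(f"{t.isoformat()} rep{n:02d} UNLOCK 00000000000{n}{i:03d}")
    # One account driven by a script: 60 unlocks, one every 4 seconds.
    for i in range(60):
        t = t0 + timedelta(seconds=4 * i)
        lines.append(f"{t.isoformat()} rep99 UNLOCK 999999999999{i:03d}")
    return lines

def flag_accounts(lines, z_cut=3.5, min_events=10, jitter_cut=1.0):
    """Return {account: [reasons]} for accounts whose unlock activity stands out."""
    times = defaultdict(list)
    for line in lines:
        ts, account, action, _imei = line.split()
        if action == "UNLOCK":
            times[account].append(datetime.fromisoformat(ts))
    counts = {a: len(v) for a, v in times.items()}
    med = statistics.median(counts.values())
    # Median absolute deviation; fall back to 1.0 when all peers are identical.
    mad = statistics.median(abs(c - med) for c in counts.values()) or 1.0
    findings = {}
    for account, stamps in times.items():
        reasons = []
        # Modified z-score: robust to the very outlier we are looking for.
        if 0.6745 * (counts[account] - med) / mad > z_cut:
            reasons.append("volume")
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Near-constant spacing across many requests suggests automation.
        if len(stamps) >= min_events and statistics.pstdev(gaps) < jitter_cut:
            reasons.append("machine-paced")
        if reasons:
            findings[account] = reasons
    return findings

if __name__ == "__main__":
    print(flag_accounts(build_sample_log()))
```
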

It was only after AT&T began filing the three lawsuits against former employees that the Department of Justice (DOJ) became involved.

The Department of Justice (DOJ) performed their own investigation into the two Pakistani men. The two men were revealed to own three companies – Endless Trading FZE, Endless Connections Inc., and iDevelopment. However, these three companies were only business fronts for the true scam operation, SwiftUnlocks, a website that allowed users to jailbreak their iPhones, taking them off their carrier network.

The Department of Justice (DOJ) discovered that in total, SwiftUnlocks successfully jailbroke over two million devices from their carrier networks, including AT&T.

AT&T’s estimations came to a revenue loss of $5 million per year. AT&T’s internal investigation claims that no customer records such as social security numbers, payment information, or addresses were ever compromised.

Lawsuits and Arrests

Three former AT&T representatives have agreed to pay the scammed funds back to AT&T as part of their guilty pleas. Marc Sapatin agreed to pay $441,500 in an October 2018 plea agreement. Kyra Evans agreed to pay restitution of $280,200, and DeVaughn Woods agreed to pay $155,032. They may also face prison time. While these three former employees may be the highest-profile individuals in the suit, the DOJ alleges that there are other employees who were part of the scam. They had varying levels of involvement, ranging from simply identifying others who could be bribed to entering device IMEI numbers.

Fahd, one of the two men spearheading the operation, was arrested in Hong Kong in February of 2018 and extradited to the US. He faces a total of 20 years in prison on the following charges:

  • Conspiracy to violate the Travel Act
  • Conspiracy to violate the Computer Fraud and Abuse Act
  • (x4) Wire fraud
  • (x2) Accessing a protected computer in furtherance of fraud
  • (x2) Intentional damage to a protected computer
  • (x4) Violation of the Travel Act

Fahd’s co-ringleader, Ghulam Jiwani, was also charged and arrested at the same time. However, he died before being extradited to the United States, according to court documents.

Other conspirators are known but have yet to be charged. This includes some AT&T employees who were not caught.
