AT&T employees took $1M in bribes from phone-unlock gang

Richi Jennings, Industry analyst and editor, RJAssociates

This week, we learned of a plot to defraud AT&T. The perps, we’re told, illicitly unlocked subsidized phones—about 2 million of them.

The DoJ says it’s extradited the alleged ringleader, who faces up to 20 years in jail. The gang allegedly bribed a bunch of AT&T employees to help them, totaling around $1 million in graft.

Notably, the bribery extended to getting employees to install keylogger malware on AT&T systems. In this week’s Security Blogwatch, we wonder if another shoe will drop.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Boom bang.

Ma’s malware malarkey

What’s the craic? Corinne Reichert reports—AT&T workers bribed to infect firm's gear with malware, unlock phones, DOJ alleges:

Millions of AT&T phones were illegally unlocked thanks to bribes taken by company employees to infect the carrier's mobile network with malware … the US Department of Justice alleges. … Muhammad Fahd, a 34-year-old man from Pakistan … was arrested in Hong Kong in February and was extradited to the US over the weekend.

The DOJ alleges that employees at the Bothell, Washington, call center were bribed between April 2012 and September 2017. At first, they were allegedly bribed to unlock Apple iPhones. … Later, they allegedly installed malware on AT&T's network to gather information on proprietary device protections, and still later, malware was installed that automated the unlocking process.

Three co-conspirators have pleaded guilty so far.

Why the switch in tactics? Scott Bicheno adds AT&T employee corruption case revealed:

Apparently this direct approach was soon uncovered by AT&T, which fired those involved, so the defendants then switched to a more indirect approach. They bribed a new lot of AT&T employees to install malware on the network, which they then used to acquire credentials that allowed them to unlock phones directly.

Apparently one AT&T employee alone trousered over $400,000 from all this naughtiness. … It should be noted that there is no suggestion that any of this corruption of AT&T employees involved access to customer data and it certainly seems to have come to a stop now.

AT&T implies it lost some $5 million per year in revenue. So DarkRookie2 musters a mighty “meh”:

Their revenue is $170.756 billion. Boo-hoo.

Boo-who? What would Zeus do? Release the Harry McCracken [You’re fired—Ed.]:

If AT&T employees were willing to do this for bribes, it makes you wonder what else they might have done.

Good point. Naturally, there are those who blame low pay and bad working conditions. At which gweihir scoffs thuswise:

No, detecting malware that is under remote control and detecting rogue access points on your internal network is IT security 101. There's no need to blame it on HR or employee feels. This was a massive failure by AT&T's network security group.

But Cory Doctorow reckons the US government is (partly) to blame:

When Congress legalized phone unlocking in 2014, they added a bunch of carve-outs that let phone companies veto your attempt to unlock your phone, with the big one being that you couldn't unlock your phone while you were still in a contract that provided it to you at a reduced price.
 
That meant that you couldn't (for example) unlock your phone so you could use it with a foreign SIM while traveling, or simply continue to pay your bill to the company that sold you the phone while using another company's SIM to get cheaper data or some other desirable service.
 
This created a black market in unauthorized phone unlocking.

Wait. Pause. How could this caper possibly work? In case you’re wondering, DougS has your back:

AT&T like most carriers offer plans where you lease a phone and pay over time, if you're able to unlock them they can break the lease and use/sell the phone overseas. No doubt part of the scheme was using stolen personal information to lease phones for which unlock information was required.

IMEI blacklists aren't shared worldwide, if AT&T puts a phone on the blacklist … it won't stop it from being used outside of North America. I don't believe the US list is shared with Europe, let alone China.

So you obtain a leased phone from AT&T using a stolen credit card number, unlock it, then sell it in China as new – you still have the original packaging and will have hardly touched it. Getting stolen credit cards is easy, finding buyers for iPhones at a discount in China is easy. The hard part is getting them unlocked, but these guys found a way around that – and the market must be pretty lucrative if they thought it was worthwhile to pay AT&T employees $1 million.

Amazingly, phone subsidies are still a thing. jandrese wishes it weren’t so:

Back in the early iPhone days you had to both buy the phone AND get a “subsidized” phone plan from AT&T. And then after two years when the phone was supposedly paid off, the rate stayed exactly the same.

The only way to change the plan was to buy an entirely new phone. I’ve never been an AT&T customer since, nor will I ever be.

Meanwhile, Edwin just laughs:

One of the few cases where I'm cheerfully saying "ha ha" at both the "victim" and the perp. 'Cause they're all criminals.

The moral of the story?

Insider threats come in many forms. How bribable are your employees?

And finally

Boom Bang


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Maklay62 (Pixabay)
