[BreachExchange] Pakistani Man Bribed AT&T Employees to Unlock Phones, Plant Malware

Destry Winant destry at riskbasedsecurity.com
Thu Aug 8 09:55:31 EDT 2019


A Pakistani national has been charged by U.S. authorities for his role
in a scheme that involved bribing employees of telecommunications
giant AT&T to help unlock phones and plant malware on the company’s

The suspect, Muhammad Fahd, 34, was arrested in Hong Kong in February
2018 and he was extradited to the United States on August 2, 2019.

According to the Justice Department, Fahd led a conspiracy that
involved bribing AT&T employees working at a call center in Bothell,
Washington, to get them to unlock cell phones associated with
specified international mobile equipment identity (IMEI) numbers.

Mobile carriers often sell phones at a discounted price, but require
the buyer to stay on their network. However, these devices can be
unlocked based on their IMEI number.

The man allegedly paid bribes totaling roughly $1 million — $428,000
was paid to a single insider over a five-year period — to have over 2
million devices fraudulently unlocked.

AT&T employees were also paid to plant malware and hardware on AT&T’s
network that would allow Fahd to unlock phones remotely.

“Muhammad Fahd sent the insiders multiple versions of the unlocking
malware to test and perfect the malware on behalf of the conspiracy,”
reads an indictment unsealed on Monday. “Once the malware was
perfected, Muhammad Fahd instructed the insiders to plant the
unlocking malware on AT&T’s internal protected computers and to run
the unlocking malware while they were at work. The unlocking malware
used valid AT&T network credentials that belonged to co-conspirators
and others, without authorization, to interact with AT&T’s internal
protected computer network and process automated unauthorized unlock
requests submitted from an external server.”

Investigators believe the scheme started in 2012 and ran until 2017,
despite the fact that AT&T discovered the malware and identified
several insiders in October 2013. While those insiders left the
company following AT&T’s investigation, Fahd recruited new people the
next year.

The suspect is said to have contacted the insiders over phone or
Facebook, and instructed them to get pre-paid phones and anonymous
email accounts for communications. He also instructed them to create
shell companies for receiving payments.

The indictment names both Fahd and Ghulam Jiwani, who authorities say
is now deceased.

Fahd has been charged with conspiracy to commit wire fraud, conspiracy
to violate the Travel Act and the Computer Fraud and Abuse Act, wire
fraud, accessing a protected computer in furtherance of fraud,
intentional damage to a protected computer, and violating the Travel
Act. He faces up to 20 years in prison.
