AT&T Employees Plant Malware in Exchange For Money

Two men bribed several AT&T employees to install installed malware and unauthorized devices on the company’s network in their phone unlocking scheme. Their entire operation lasted several years and was run out three companies: Endless Trading FZE, Endless Connections Ince, and iDevelopment. This scheme cost AT&T more than $5million in lost revenue.

The Department of Justice (DOJ), charged 34-year old Pakistani man, Muhammad Fahd for committing the bribery.  Fahd, worked with his partner Ghulam Jiwani in this malicious act; Jiwani is believed to have passed away.

The men have been operating this malicious scheme from April 2012 to September 2017. Since the start of the operation they paid over $1 million in bribes to employees at AT&T’s Mobility Customer Care call center in Bothell, Washington. One employee was even paid $428,500 over the course of five years. Furter, they managed to successfully unlock more than two million devices.

The operation began with the men reaching out to AT&T employee over Facebook messages and telephone calls. The men enticed the employees to unlock expensive phones, like iPhones. Unlocking phones meant that they could operate outside AT&T’s network, therefore, the men could sell the phones. According to court documents released by DOJ, unlocking the phones “deprived AT&T of the stream of payments that were due under the service contracts and installment plans”.

After unlocking the devices, employees were wired money to their bank accounts. This lasted for one year, until about April 2013, when employees began leaving the company or were fired. The men then changed methodologies of infiltration into AT&T’s network.  They bribed AT&T employees to install malware on the network at the call center. This malware, a keylogger,  collected information on AT&T’s infrastructure for seven months. This information included confidential and proprietary data on the structure of AT&T’s internal computers and applications.

After getting a lay of the land, the men than created a second malware. This malware used employee credentials to automatically begin unlocking phones, without the interaction of AT&T employees each time.

After some time, the men began to lose control of this second strain of malware. They again began bribing employees, but this time to install rogue wireless access points in the call center. The devices gave the men greater insight into the network and continued to facilitate in the phone unlocking.

It is unsure if the men were selling the unlocking phones or providing unlocking services to people. However, their email address,, suggests they were providing services.

Fahd was arrested early this year in Hong Kong and then extradited to the US last week. He is now facing the possibility of 20 years behind bars. According to the DOJ:

“MUHAMMAD FAHD is charged with conspiracy to commit wire fraud, conspiracy to violate the Travel Act and the Computer Fraud and Abuse Act, four counts of wire fraud, two counts of accessing a protected computer in furtherance of fraud, two counts of intentional damage to a protected computer, and four counts of violating the Travel Act”



Contact LIFARS immediately if your organization was breached