Last week the former owner of a T‑Mobile store in California was found guilty of stealing login credentials from over 50 T‑Mobile employees and using them to unlock and unblock handsets across a 5-year period. Argishti Khudaverdyan’s illegal service was advertised as offering ‘official’ T‑Mobile unlocks via brokers, email campaigns and the unlocks247.com website. Khudaverdyan generated USD25mn in revenue from the unlocking and unblocking of several hundred thousand mobile phones.
Khudaverdyan succeeded in gaining unauthorized access to T‑Mobile’s systems by sending phishing emails to T‑Mobile employees that looked like bona fide correspondence, encouraging the unwary to submit their details so Khudaverdyan could harvest the information. He also worked with accomplices in overseas call centers to obtain personal data about T‑Mobile employees as part of a process of systematically working his way through the company hierarchy until he found targets who had access to the relevant corporate systems. Khudaverdyan would then exploit the personal data he had gathered by calling the T‑Mobile IT Help Desk and manipulating its staff into resetting passwords.
For 6 months Khudaverdyan was also one of the owners of Top Tier Solutions Inc, a T‑Mobile store in Eagle Rock, a neighborhood in the Los Angeles metropolitan area. However, it appears that he treated this business venture as subordinate to his illegal enterprise, which had begun over two years earlier. T‑Mobile terminated Khudaverdyan’s contract in June 2017 because of the suspicious way he used computer systems. Earlier this year Top Tier Solutions co-owner Alen Gharehbagloo pled guilty to associated charges of fraud, money laundering and accessing computers with the intent to defraud. Khudaverdyan’s sentencing hearing will take place in October, where he will receive at least a two-year prison sentence for aggravated identity theft and could potentially receive sentences of up to 20 years for each count of fraud and money laundering.
I have written before about telcos needing to do more to mitigate the risk that employees will fall victim to phishing and social engineering. Whilst it is sensible to warn customers about the dangers of scams, there often appears to be a subconscious desire to solely associate scammers and hackers with widespread attacks on customers despite the greatest threat coming from highly targeted attacks on insiders who have privileged access to systems and data. Some of the people I see giving advice to telcos about crime prevention are ignorant of basic requirements for security hygiene, as evident from the way they conduct their own business and their inability to adapt when challenged about those weaknesses. Too often I see telco employees receiving advice about security that is on a par with that given to customers when it should be much more stringent.
The prosecutors’ press release about Khudaverdyan and his conviction can be found here.