Insider Threat – A look at AT&T incident

A recent exposé published by SecureWorld, based on court documents, has suddenly put this issue in the spotlight.

The damning question: can your employees be bought?

Let's look at the reported news on the incident experienced by AT&T Wireless. It began at the AT&T Wireless call center in Bothell, Washington. Call center employees knowingly shared their credentials with the cybercriminal in exchange for money. According to the DOJ indictment documents, the call center employee who made the most was paid “$428,000 over 5 years scheme”.

There were 3 things that the employees did:

  1. The employees were instructed to install malware on their machines.
  2. The employees installed unauthorized access points, hardware devices that created a backdoor into the network.
  3. The employees installed specialized malware that performed phone unlocking through AT&T’s internal network using valid AT&T credentials obtained from the call center agents.

The objective of the “intrusion” was to create unlocked phones. Phones that are sold in the US are carrier locked, meaning once the phone is provisioned, only AT&T services can be used on those phones. Carrier-unlocked phones have a huge market and can be sold on eBay and other online stores.

This raises the question: why would the phones need to be unlocked in the first place? The phones are locked to a carrier because they are subsidized and require a contract. When a user travels overseas, the phone may need to be unlocked for roaming purposes, hence unlocking is a legitimate function of the call center.

This racket resulted in more than 2 million phones being unlocked and sold. At the price of an iPhone, one can only imagine how much money there is to be made.

According to the official documents, the scheme began somewhere around 2012, and around October 2013, AT&T discovered the unlocking malware. When questioned, the AT&T staff in question left the organization. The criminals were determined, recruiting new insiders in the same call center in the subsequent year. Recruitment happened through Facebook (surprise, surprise, and not LinkedIn) and the bribes were made in person. The cybercriminal, known as Muhammad Fahd, is now in jail.

A breakdown of this issue

  • Call center agents sold their access and performed illegal acts in exchange for money. Insider threat will remain a key issue, and it is a challenging one to tackle. While a potential solution can be to look at a “lifestyle audit”, getting trustworthy staff will always be a challenge in a market where skills are limited.
  • Valid access used for illegal activities – this may potentially be addressed by monitoring the activities performed with a given ID. This requires sufficient logs, and systems that correlate and analyze usage behavior and baseline activity to identify anomalies. If someone performs an unusually high number of unlocks, a check on what was actually done is performed. This review process (often slow, painful and most of the time even manual) is usually avoided because it is seen as unnecessary workload, though I am sure AT&T would enforce this as a requirement now.
  • Installation of malware – call center agents should never have administrative access. The ability to install or run applications should be limited through the use of application whitelisting. However, there will still be the issue of a malicious IT technician, which may have been possible in this scenario.
  • Installation of access points – rogue access points can be detected with Wireless Intrusion Prevention Systems (WIPS). However, WIPS presents a different set of problems, as it may deny the use of wireless because of signal spillover from APs in neighboring buildings, effectively causing a denial-of-service attack.
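
The baselining described in the second bullet can be sketched as follows. This is an added example, not code from the original post or from AT&T; the log format, agent IDs, action names and threshold are all assumptions.

```python
"""Flag agent IDs whose daily unlock volume deviates from the peer baseline."""
from collections import Counter
from statistics import median

# Constructed audit records (agent_id, day, action); not real data.
SAMPLE_LOG = []
for day in ("2013-04-01", "2013-04-02", "2013-04-03"):
    for agent, n in (("agent01", 4), ("agent02", 6), ("agent03", 5), ("agent04", 3)):
        SAMPLE_LOG += [(agent, day, "UNLOCK")] * n
    SAMPLE_LOG += [("agent01", day, "BILLING_LOOKUP")] * 20  # other actions are ignored
SAMPLE_LOG += [("agent05", "2013-04-01", "UNLOCK")] * 5      # normal day
SAMPLE_LOG += [("agent05", "2013-04-02", "UNLOCK")] * 60     # the outlier


def daily_unlocks(log):
    """Count UNLOCK actions per (agent_id, day)."""
    return Counter((a, d) for a, d, action in log if action == "UNLOCK")


def flag_anomalies(log, threshold=3.5):
    """Return [(agent, day, count, score)] whose robust z-score exceeds threshold.

    Median and MAD are used instead of mean and standard deviation so that a
    heavy user does not inflate the baseline and hide inside it.
    """
    counts = daily_unlocks(log)
    if not counts:
        return []
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    # Edge case: when most agents do identical volumes the MAD is 0; a floor
    # of one unlock keeps the score finite and still ranks deviations.
    scale = max(mad, 1.0)
    flagged = []
    for (agent, day), n in counts.items():
        score = 0.6745 * (n - med) / scale
        if score > threshold:  # only unusually high volume goes to review
            flagged.append((agent, day, n, round(score, 1)))
    return sorted(flagged, key=lambda r: -r[3])


if __name__ == "__main__":
    for agent, day, n, score in flag_anomalies(SAMPLE_LOG):
        print(f"REVIEW {agent} {day}: {n} unlocks (robust z={score})")
```

The flagged rows feed the manual review the bullet mentions; the baseline only narrows down which IDs a reviewer has to look at.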

Taking the original question into perspective, can employees be bought? The answer to this question is multi-faceted, while the technical challenges can be addressed:

  1. Getting more money is always appealing to everyone. Looking at the money being made, a call center agent would have jumped at the opportunity because of the sheer amount to be made.
  2. Moral obligation to do the right thing. In any such case, you’d hear many reasons why the staff did what they did. From making ends meet to doing something that didn’t hurt anyone, moral standing has always been on shaky ground.
  3. The economics of organizations also play a part. Income disparity and job satisfaction versus workload become talking points. Most call center agents bear the brunt of the customers, and are often even yelled at. Hence call centers become a churning pot for most organizations, and those who stay are often resilient, understanding that it is a thankless job.
  4. Making examples – some organizations motivate employees to do the right thing by (1) having a whistleblowing policy to aid reporting and (2) showing examples of action taken against wrongdoing. Denying someone their livelihood has always been a key motivator to do the right thing.


SecureWorld –