Ex-T-Mobile US store owner phished staff, raked in $25m from unlocking phones
A now-former T-Mobile US store owner stole at least 50 employees' work credentials to run a phone unlocking and unblocking service that prosecutors said netted $25 million.
Argishti Khudaverdyan, 44, of Burbank, California, was found guilty of 14 criminal charges by a US federal jury on Friday.
According to the Dept of Justice, Khudaverdyan co-owned a T-Mobile US store in Los Angeles, operating as a business called Top Tier Solutions, for about five months in 2017.
The emails, which looked like legitimate T-Mobile US correspondence, contained links to phony websites that Khudaverdyan controlled.
According to the DoJ, Khudaverdyan and his criminal associates stole more than 50 credentials from T-Mo employees across the US, and they used that info to log in to T-Mo internal systems and unlock and unblock "hundreds of thousands" of phones for paying customers.
PS: Looking through the court documents we spotted that at least one of the web-based unlocking systems provided to T-Mobile US representatives had no authentication on it: it simply checked to see if the user was connecting in from an allow-listed IP address.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/08/03/tmobile_unlock_prison_phone/