A cybersecurity researcher and an accomplice are facing charges in California after being accused of defrauding a major corporation, suspected to be Apple, of $2.5 million in gift cards and hardware. Noah Roskin-Frazee and Keith Latteri are alleged to have accessed Apple’s systems through a third-party contractor and then sold the stolen goods to third parties, ultimately defrauding both Apple and the customer support business it contracted with.
While Apple was not explicitly named in the recently unsealed court papers, the description of “Company A” as a corporation headquartered in Cupertino, California, strongly suggests it is Apple. The indictment describes “Company A” as a corporation that develops, manufactures, licenses, supports, and sells computer software, consumer electronics, personal computers, and services.
During the investigation, it was revealed that one of the defendants redeemed a stolen gift card to their personal app store account and used it to purchase Final Cut Pro, a software developed by Apple that only runs on Apple hardware. This suggests a direct connection between the stolen goods and the accused individuals.
The pair were able to order the gift cards and hardware by gaining access to key Apple backend systems, including a Log Program that allows customer support to search for Apple products, a Toolbox program that allows edits to orders, and a Jamf MDM platform for making configuration changes to Apple devices.
The scam involved gaining access to the contractor’s systems using a password reset tool, then using that compromised account to obtain credentials for other staff accounts, including those with access to the company’s VPN servers. Once connected to the contractor’s VPN, the defendants were able to access the company’s remote desktop software, ultimately gaining access to “Company A’s Connect application” and taking control of the Toolbox to manipulate orders.
The accused individuals and their family members allegedly made more than two dozen orders through Apple, using fake names and email addresses. They then used the Toolbox to make critical amendments to the orders, including extending service contracts, adding more products to the orders, and changing all prices to zero. They also used transshipment companies to ship the products while concealing their addresses, further attempting to hide their identities.
In an interesting turn of events, Apple acknowledged the security researcher and his colleague for reporting a bug affecting macOS Ventura in December 2023, just one day before Roskin-Frazee’s indictment. This created a rare oddity in the world of cybercrime, where an alleged criminal was thanked for ethical research after being accused of defrauding the very same company. Additionally, the security researcher was credited with finding a denial of service vulnerability impacting iOS and iPadOS earlier in July 2023, indicating his legitimate involvement in security research.
Neither Apple nor the lawyers for Roskin-Frazee and Latteri immediately responded to requests for comment regarding the case.