404 Media reported that a security researcher who reported a bug to Apple was arrested in January on charges of defrauding the company of millions of dollars.
Researcher Noah Roskin-Frazee was charged along with co-conspirators who obtained more than $3 million in products and services through more than 20 fraudulent orders. That included about $2.5 million in gift cards and more than $100,000 in “products and services.”
Although Apple's name is not explicitly mentioned in court records, an unnamed “Company A” located in Cupertino, California, is clearly Apple. The court noted that one of the perpetrators used the gift card to “purchase Final Cut Pro on Company A's App Store,” and that Apple is the only company selling the software.
In 2019, Frazee and his accomplices used a password reset tool to access employee accounts at an unnamed Apple customer support company, Company B. This account gave Frazee access to additional employee credentials and allowed Frazee to access the VPN server at Company B. From there, Frazee was able to hack into Apple systems and fraudulently order Apple products.
He used Apple's “Toolbox” program, which allowed him to edit orders after they were placed: changing the order amount to zero, adding products to the order, and extending his AppleCare contract. He abused Apple's programs from January to March 2019.
As part of the scheme, the defendants remotely connected to computers in India and Costa Rica, the indictment added. According to the indictment, the fraud itself included changing order amounts to zero, adding products such as phones and laptops to existing orders for free, and extending existing service contracts. This included extending a customer service agreement with one of the defendants and his family for an additional two years without payment.
Apple thanked Frazee for discovering several bugs in macOS Sonoma in a January support document, published less than two weeks after his arrest. “We would like to thank Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab) for their help,” Apple's page states regarding the Wi-Fi vulnerability.
Frazee is charged with wire fraud, mail fraud, conspiracy to commit wire and mail fraud, conspiracy to commit computer fraud and abuse, and intentional damage to a protected computer. He was asked to forfeit all stolen merchandise and could be sentenced to more than 20 years in prison if convicted.