Cybercrime duo accused of picking $2.5M from Apple’s orchard

A cybersecurity researcher and his pal are facing charges in California after they allegedly defrauded an unnamed company, almost certainly Apple, out of $2.5 million.

Noah Roskin-Frazee and Keith Latteri are alleged to have gained access to Apple’s systems via a third-party contractor and ordered gift cards and hardware to the value of $2.5 million and $100,000 respectively.

They are then said to have sold their stolen wares to third parties, cashing out on their theft and defrauding both Apple and the customer support business it contracted out of millions.

While Apple isn’t explicitly named in the recently unsealed court papers, it’s not difficult to deduce that the identity of “Company A,” as written in the indictment, is the consumer tech megacorp.

“Company A was a corporation headquartered in Cupertino, California, which developed, manufactured, licensed, supported, and sold computer software, consumer electronics, personal computers, and services,” the indictment reads, describing Company A. Seems pretty Apple-y so far.

Looking deeper into the case background, it’s also revealed that one of the defendants redeemed one of the stolen gift cards to their personal app store account, where they purchased Final Cut Pro – software developed by Apple that only runs on Apple hardware.

Roskin-Frazee and Latteri were able to order the glut of gift cards and hardware because they had access to a number of key Apple backend systems.

One of these is a Log Program that allows customer support to search Apple products and order replacements. Another is the Toolbox program which allows customer support staff to edit orders for a limited time after they’re made.

The final important system at play here is the Jamf MDM platform, which is operated by the third-party contractor and allows configuration changes to be made to Apple devices, but that’s not what it was used for in this case.

How the scam unfolded

The first port of call was gaining access to the contractor’s systems. The pair allegedly did this by using what the court papers [PDF] describe as a password reset tool on a targeted account. From there, the pair used that first compromised account to unearth credentials for other staff accounts that, crucially, also had credentials for the company’s VPN servers.

Once connected to the customer support contractor’s VPN, they could also access the company’s remote desktop software, which they used to control computers owned by the contractor that were located in India and Costa Rica. The contractor’s Jamf MDM platform was used to access these computers and log them into desktop sharing sessions.

Malicious scripts were run to create a reverse SSH tunnel between the Indian and Costa Rican computers and the accused’s Microsoft Azure account, which allowed continued remote access between around December 2018 and March 2019.

These remotely operated computers, run using the contractor’s legitimate credentials and VPN server, were used to gain access to what the court documents describe as “Company A’s Connect application,” which is probably Apple’s App Store Connect. With this access, Roskin-Frazee and Latteri were able to take control of Toolbox and manipulate orders, it is alleged.

After the pair and their family members, using fake names and email addresses, placed more than two dozen orders through Apple, Roskin-Frazee and Latteri allegedly used Toolbox to make critical order amendments during the short window of opportunity. These included extending existing service contracts, adding more products to the orders, and changing all prices to zero.

Transshipment companies Shipito LLC and Amboy Technologies LLC were used to ship the products while concealing the pair’s addresses – another means of hiding their identities. Amboy was the first port of call, but the fake account the pair created with the company was terminated due to fraud concerns. However, they later allegedly had more success using Shipito.

Apple says ‘thanks’?

Funnily enough, in a December 2023 security update – published one day before Roskin-Frazee’s indictment – Apple acknowledged the security researcher, and his colleague “Prof. J.” of ZeroClicks Lab, for reporting a bug affecting macOS Ventura that could have allowed an app to access data from a user’s contacts.

The issue is tracked as CVE-2023-42894 – not the most serious bug in the world but serves as a rare oddity in the world of cybercrime where it’s highly unusual for an alleged criminal to be thanked for ethical research after they had spent months allegedly defrauding the very same company years earlier.

Roskin-Frazee was also solely credited with the finding of CVE-2023-38593, a denial of service vulnerability impacting iOS and iPadOS earlier in July 2023.

Roskin-Frazee was a legitimate, recognized security researcher who had also led talks at conferences such as ISACA’s Digital Trust World Europe Conference in Dublin last year.

Neither Apple nor the lawyers for Roskin-Frazee and Latteri immediately responded to requests for comment. ®

READ MORE HERE