A security researcher allegedly exploited an internal Apple tool to steal millions

A security researcher who reported a flaw to Apple in January has been arrested for defrauding the company of millions of dollars, according to a report by 404 Media.


Researcher Noah Roskin-Frazee, along with a co-conspirator, is accused of obtaining more than $3 million in products and services through more than two dozen fraudulent orders. This included about $2.5 million in gift cards and more than $100,000 in “products and services.”

While Apple's name is not explicitly mentioned in court records, the unnamed “Company A” is located in Cupertino, California, and is clearly Apple. The court stated that one of the perpetrators used gift cards “to purchase Final Cut Pro from Company A's App Store,” and that Apple was the only company selling the software.

In 2019, Frazee and an associate used a password reset tool to access an employee account at the unnamed “Company B,” which provides customer support for Apple. This account led to access to additional employee credentials, and Frazee was able to access Company B's VPN servers. From there, Frazee was able to enter Apple's systems and place fraudulent orders for Apple products.

He used Apple's “Toolbox” software, which can edit orders after they are placed, to change order values to zero, add products to orders, and extend AppleCare contracts. He abused Apple software from January to March 2019.

The indictment adds that the defendants isolated computers located in India and Costa Rica as part of the scheme. It also says that the fraud itself involved changing order monetary values to zero, adding products such as phones and laptops to existing orders at no cost, and extending existing service contracts. This included extending the customer service contract associated with one of the defendants and his family for an additional two years without payment.

Apple thanked Frazee in a January support document for finding numerous errors in the macOS Sonoma operating system; the document was published less than two weeks after his arrest. “We would like to thank Noah Roskin-Frazee and Professor J. (ZeroClicks.ai Lab) for their assistance,” Apple’s page says in reference to the Wi-Fi vulnerability.


Frazee was charged with wire fraud, mail fraud, conspiracy to commit wire fraud and mail fraud, conspiracy to commit computer fraud, and intentional damage to a protected computer. He will be required to forfeit all stolen goods, and could be sentenced to more than 20 years in prison if convicted.
