Cyber Heist Comedy: Duo Siphons $2.5M in Apple-esque Scam, Still Scores a Bug Bounty Thank You

In a twist of iRony, two cybersecurity researchers allegedly harvested a $2.5 million bounty from Apple’s tech orchard. Roskin-Frazee and Latteri’s scheme? Exploiting a third-party contractor’s access—gift card galore, hardware hauls, and a zero-dollar shopping spree. Cupertino’s heist movie, now playing in the courtrooms.

Hot Take:

When life gives you lemons, you make lemonade, right? Well, when life gives you access to Apple’s backend, you apparently go on a $2.5 million shopping spree—at least that’s what our two cyber-savvy protagonists thought was the best use of their “apple picking” skills. I guess they missed the memo that Apple’s terms and conditions don’t include a “steal now, pay never” clause. Oops!

Key Points:

  • Noah Roskin-Frazee and Keith Latteri allegedly tapped into Apple’s systems via a third-party contractor, snatching gift cards and gear worth millions.
  • The dynamic duo sold the ill-gotten digital goodies to make it rain real cash, leaving Apple and its contractor in a financial drought.
  • The court documents are playing coy with Apple’s identity, but let’s be real, “Company A” is as subtle as a neon sign flashing “Bitten Fruit Logo Here”.
  • These modern-day digital Robin Hoods used some clever tricks and scripts to keep the heist going from December 2018 to March 2019.
  • Irony alert: Roskin-Frazee, one of the alleged Apple pickpockets, was actually thanked by Apple for pointing out security bugs in their systems. Talk about biting the hand that feeds you!

CVE ID: CVE-2023-42894
CVE state: PUBLISHED
CVE assigner short name: apple
CVE date updated: 12/12/2023
CVE description: This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sonoma 14.2, macOS Ventura 13.6.3, macOS Monterey 12.7.2. An app may be able to access information about a user's contacts.

CVE ID: CVE-2023-38593
CVE state: PUBLISHED
CVE assigner short name: apple
CVE date updated: 07/27/2023
CVE description: A logic issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.6.8, iOS 16.6 and iPadOS 16.6, macOS Big Sur 11.7.9, macOS Ventura 13.5, watchOS 9.6. An app may be able to cause a denial-of-service.

Need to know more?

The Great Apple Heist

Imagine casually strolling into the digital equivalent of Fort Knox and walking out with millions in gift cards and hardware. That's what Roskin-Frazee and Latteri are accused of doing, and they didn't even need a horse and mask. The indictment papers might as well have been titled "How to Steal from Apple 101", but I'm guessing they won't be using that as their defense.

The Art of Digital Disguise

These guys were not just about smash and grab; they had finesse. They used their tech prowess to make a reverse SSH tunnel their getaway car and remote desktop software their mask. And just when their first fake account got busted, they pulled a Houdini and disappeared, only to reappear under the guise of another shipping company. Crafty!

When Cybercriminals Moonlight as Ethical Hackers

Here's the kicker: as Roskin-Frazee was allegedly playing the villain in Apple's cybersecurity saga, he was also donning the cape of a cybersecurity hero, reporting bugs like a good Samaritan. That's like robbing a bank and then coming back to tell them their vault door squeaks. It's a confusing world out there, folks!

Apple's Not Falling Far from the Irony Tree

Apple must have had a facepalm moment when they realized they'd sent a thank you note to one of the guys who allegedly treated their systems like an all-you-can-eat buffet. It's like thanking someone for telling you there's a hole in your fence when they've been using it to smuggle out your cows.

The Silent Treatment

Meanwhile, Apple and the accused's lawyers are as quiet as teenagers when asked about their homework. No comments, no statements, just the sound of keyboards typing up defense strategies—or maybe rewriting their security protocols. We'll just have to wait and see who breaks the silence first.

And there you have it, folks, a tale of tech, treachery, and the tantalizing thrill of a cyber heist. Remember, while cyber skills can be a force for good, they can also land you in a courtroom faster than you can say "uncle".