Fraud-as-a-Service Storefront Treyshop Exposed

Allure Security recently discovered treyshop[.]cc – a fraud-as-a-service operation’s e-commerce storefront – exposed on the internet. The fraud-as-a-service business model has been around for ages, what’s novel in this case is the adversary’s brazenness (or negligence) in so openly hawking stolen PII, step-by-step fraud instructions, account credentials, and payment card information.

The fraudster also makes a Telegram channel publicly available via preview that gives inventory updates, announces pricing promotions, and shares alleged customers’ photos and videos showing the spoils resulting from buying and using the shop’s products.

With this article we aim to give people a closer look at some aspects of an active fraud-as-a-service operation in the wild.

At a glance: [jump links to each section]:

Screenshot of treyshop[.]cc homepage

A screenshot of the Treyshop homepage offering for sale stolen account credentials and associated payment account information for a variety of retail and other brands.

What is Fraud-as-a-Service?

Fraud-as-a-service offerings include some combination of products and services such as tools, data, and guidance that facilitate the execution of fraud by others. The “as-a-service” suffix means that the purchasers of this service need not be experts in fraud to defraud others. In many cases, without such operations’ services, it’s likely many of their customers would not have the knowledge or tools needed to successfully pull off a scam.

Fraud-as-a-service providers lower the barrier of entry for fraudsters, which makes it possible for more fraudsters to commit more fraud. Such services contribute to or exacerbate increasing fraud rates. In its Internet Crime Complaint Center (IC3) Annual Report, the FBI  reported a 10% increase in fraud complaints and a 22% increase in fraud losses in 2023 compared to 2022. 

What does Treyshop have to do with Fraud-as-a-Service?

At the least, Treyshop is an e-commerce storefront used by a fraud-as-a-service operation to distribute stolen data and fraud guides and tools to other fraudsters. 

For example, Treyshop also has a product listing for its Email Bomber tool and some other products require the use of an Email Bomber-like tool. True to its name, Email Bomber facilitates email bombing, a form of denial-of-service that sends an overwhelming amount of emails to the targeted address. In this context, one purpose of such a tool is to overwhelm the email address owner with messages in hopes that the recipient won’t notice email notifications of potential fraudulent activity on their account.

Another tool mentioned in a number of Treyshop product descriptions is an OTP or one-time password bot – BIGFATOTPBOT in particular. OTPs are a form of additional user authentication. An OTP is typically a numeric code sent via SMS or generated by an authenticator app and used to log in to an account. An OTP bot facilitates fooling a fraudster’s victim into divulging their OTP code. It’s not exactly clear whether BIGFATOTPBOT is a Treystore product or a partner.

LOOKUP BOT is another tool mentioned in product descriptions, which allegedly fraudsters can use to verify victims’ Social Security numbers.

Typically, fraudsters sell these services in a more stealthy manner such as on the dark web. If we define the dark web as online content requiring special tools to access and the deep web as content that search engines don’t index, then treyshop[.]cc resides in the deep web. For example, if you search “treyshop” on Google, you won’t find the .cc site itself but among other results, you’ll find a related TikTok account, reviews on TrustPilot, and a few scam rap songs and videos referencing it.

Treyshop review on Trustpilot

One-star review of Treyshop[.]cc on Trustpilot

Sidebar: What is Scam Rap?

PC or mobile [expletive] it really don’t matter / Treyshop dot cc gonna make your pockets fatter

A subgenre of hip-hop called scam rap takes its name based on songs’ lyrics including tutorials for committing various types of fraud. One song released around the time we suspect Treyshop[.]cc went live at the end of August 2023, was “Treyshop Put Me On.” The performer wastes no time starting the song with “I just caught two Windstreams off of Treyshop.” Windstream is a telecommunications provider headquartered in Arkansas and “catching two” could mean taking over two email accounts and/or mobile phone service accounts. 

Another song called simply “Treyshop” rhymes “PC or mobile [expletive] it really don’t matter,” with, “Treyshop dot cc gonna make your pockets fatter.” The song also walks through a fraud scheme enabled by a stolen Instacart account and the performer advises “Turn noties [sic] off so they don’t know what you spend.” This likely refers to turning off notifications in the victim’s compromised Instacart account in order to delay drawing attention to any fraudulent charges.

The history of scam rap predates either of these songs. However, it led us to speculate whether the operator of treyshop[.]cc tapped these performers as part of an influencer marketing strategy around the time we believe the shop may have launched. Also, from a brand safety perspective, YouTube ran ads from respected brands ahead of videos for these and other scam rap songs. A 10-minute “Day in the Life of a Scammer” video included ads from large retailers throughout.

Incidentally, one of the posts shared by the Treyshop Updates Telegram channel purports to show the spoils of a scam made possible by Treyshop services and scrawled over the image is “treyshop bartholomew.” Bartholomew refers to scam rapper Babytron’s song “Work!” and the lyric “Got unc’ scammin’, his ID say Bartholomew.”

Screenshot of Treyshop[.]cc Telegram post soundtracked by Babytron "Work!".  

Screenshot of Treyshop[.]cc Telegram post of a video seemingly demonstrating a successful gift card scam and soundtracked by scam rapper Babytron’s song “Work!”.

 

How did Allure Security find Treyshop?

Allure Security uses AI to examine 10s-of-millions of webpages and the like each day. The engine flags the use and abuse of brands’ logos, trademarks, messaging, and more. The purpose of this assessment is to identify online brand impersonation and other scams targeting those brands and their patrons. We found Treyshop[.]cc as part of this work.

The treyshop[.]cc domain entered our engine’s queue for evaluation based on a DNS change. As part of our process, we’re continuously on the lookout for anything new on the internet. A domain name getting a new IP address can be a signal of “potential newness.” It’s admittedly a weak signal. It could be nothing or it could be a dormant or dead domain coming back online. So we want to check such events out.

Further examination of treyshop[.]cc empowered by computer vision and natural language processing revealed a match on a known pattern we’d identified in a recent rash of phishing kits targeting regional banks and credit unions, which consisted of the following:

  • A web page responding with a 403 Forbidden status code
  • A web page presenting a challenge using Cloudflare technology to stop automated visitors
  • A web page using a domain with the .cc TLD

With these indicators, the site met our alerting threshold which led to its discovery.

 

Diving Deeper into Treyshop[.]cc

On May 6, 2024, we counted a total of 188 fraud-as-a-service packages available for sale. In some cases, different products allow a buyer to engage in different types of fraud for the same brand (i.e., a product facilitating gift card fraud and another product facilitating more run-of-the-mill account takeover plus credit card fraud).

Product categories listed on Treyshop include:

  • Bulk
  • Cashout
  • Clothing
  • Designer clothing
  • Electronics
  • Fa (Full Access)
  • Flights
  • Food
  • Fuel
  • Games
  • Gift cards/Rewards
  • Groceries
  • Hot Products
  • Lifestyle
  • Movies
  • Otp Products
  • Shopping
  • Streaming
  • Tools
  • Travel
  • Trey Gift Cards (yes, gift cards to the fraud store)
The gallery below is a mere sample of the approximately 188 products listed by Treyshop.

Treyshop Marketing

A quick note on some of the tactics used by Treyshop to bring its fraudulent wares to market. Obviously, Treyshop is going direct-to-consumer via the e-commerce channel. Aside from the word-of-mouth, or possibly influencer marketing provided by scam rappers; as mentioned, Treyshop also makes use of a Telegram channel called Treyshop Updates.

That channel allows for public preview and below we share a number of screenshots of various posts from its feed. These posts consist of low inventory and restock announcements, pricing promotions, and sharing of photos and videos allegedly from satisfied customers.

Those photos and videos are typically:
  • Photos of products purported to have been purchased with compromised account information bought from Treyshop
  • Photos of direct mail envelopes from online payment services, which we assume contain debit cards with cash-out proceeds
  • Video tours of hotel rooms likely booked as a result of loyalty fraud
  • Mobile device screenshots of order confirmations, delivery notifications, rewards point balances

Treyshop also offers a referral marketing program. For example, TikTok accounts that post about the spoils of their Treyshop-enabled fraudulent activities will include Treyshop referral links in their bios.
The gallery below shows examples of inventory updates and Treyshop customer posts along with a TikTok profile that includes a Treyshop referral link.

Types of Fraud Enabled by Treyshop

The assortment of fraud-as-a-service products offered on the site enables customers to commit some combination of account takeover; cashout; gift card; loyalty, points, or rewards; mobile app, and payments fraud.

 

Account Takeover (ATO) Fraud

ATO fraud involves an adversary stealing a victim’s credentials in order to take control of that user’s account. Granted this is a rather broad category and nearly every other type of fraud listed here involves some form of ATO fraud. In this context the compromised accounts might be for a delivery app, buy now pay later (BNPL) service, rewards account, etc.

 

Cash-Out Fraud

In terms of the services Treyshop offers, cash-out products seem to assist in the transfer of a fraudster’s ill-gotten gains into currency they control – preferably laundering the money along the way. Cash-out might include printing stolen credit card numbers to cards that allow for ATM withdrawals.

The purpose of one Treyshop product for a mobile sports betting app seems to be solely for the purposes of money laundering. An account for the app with a balance between $0.10 and $10 sells for $1.50.

The directions then instruct you to:

  1. Log in
  2. Change the account’s email address
  3. Enable two-factor authentication (2FA) and set it up on a burner phone  
  4. Add a debit card and deposit $10 – we speculate the deposit can be whatever amount the buyer wants laundered though amounts above certain thresholds may draw the attention of anti-fraud systems 
  5. Wait the 90 minutes or so it takes to withdraw via debit card

Cash-out details are somewhat sparse and may have to do with not wanting brands to catch wind of their methods. For example, one cash-out product description states “Not giving full method so it doesn’t get burnt but it’s fairly self explanatory.”

 

Gift Card Fraud

Gift card fraud can refer to multiple schemes. One of the more well-known types these days is a scammer asking a victim to purchase gift cards for payment, but then the scammer runs away with the funds providing nothing in return. In another form, fraudsters may record the numbers from gift cards on display in a brick-and-mortar store. Once a consumer purchases and funds the gift card, the scammer will drain the balance.

From what we can tell, the gift card fraud products on Treyshop involve compromised gift cards or gift card accounts for particular brands that the scammer can use themselves to purchase goods.

 

Loyalty, Rewards, or Points Fraud

Loyalty fraud, also known as rewards or points fraud, consists of the abuse of a brand’s loyalty programs to make use of any associated rewards themselves. Sometimes such fraud takes an internal form where a brand’s employees abuse the program because they have insider knowledge or make unauthorized use of a customer’s rewards. In some cases, a rewards member will discover a loophole in the system that they abuse.

Treyshop products related to loyalty fraud, however, mostly involve the fraudster compromising a loyalty member’s account and using those rewards for themselves. As the Loyalty Security Association explains, “Stolen points are as good as cash if those rewards can be redeemed for hotel stays, airline tickets, or other high value items.” The LSA goes on to explain that because rewards points aren’t literally monetary, less scrutiny is applied to loyalty programs making them fertile ground for fraud.

 

Mobile App Fraud

Mobile app fraud is essentially fraud involving the use of a mobile app on a mobile device.  For example, The Financial Brand reports that more than half of fraudulent banking transactions originated via a mobile device in 2023.

Many Treyshop product descriptions instruct potential buyers that they need to log-in to the targeted brand’s mobile app to successfully execute their crime. This is another broad category that overlaps with others discussed in this article. For more details on specific types, see our article on mobile app fraud.

 

Payments Fraud

This type of fraud involves the use of stolen payment account information or compromised payment accounts to steal money or make purchases. Almost every single product sold by Treyshop combines payments fraud with account takeover fraud. Various products include compromised credit cards, debit cards, and online payments accounts.

One product includes stolen EBT cards, which strikes us as especially despicable. EBT stands for Electronic Benefits Transfer, which allows Supplemental Nutrition Assistance Program (SNAP) participants to pay for food using their EBT card. Treyshop is enabling the victimization of low-income families that depend on their SNAP benefits in order to eat.

 

Some Brands Targeted with Multiple Types of Fraud

An example of one brand and its customers being targeted with different types of fraud is a coffee retailer. Associated scams include at least two different types: one labeled “GC” offered stolen gift card accounts/balances for sale and another labeled “CC” for credit card fraud.

Below is more detail on each scam quoting from the product descriptions with some redaction and punctuation changes for readability:

  • [Coffee Retailer] Gift Cards WITHOUT PIN
    • Use Stocard app to hit
    • Warranty for missing/invalid balance (Must show receipt proof)
    • Available Options [the dollar ranges are likely balances]
      • Gift card $5-$10 – price: $1.5
      • Gift card $30-$40 – price: $9
      • Gift card $10-$20 – price: $3
      • Gift card $20-$30 – price: $6.5
      • Gift card $100-$150 – price: $36
      • Gift card $60-$70 – price: $18
      • Gift card $40-$50 – price: $12
      • Gift card $150-$200 – price: $52
      • Gift card $200-$250 – price: $70
      • Gift card $450-$500 – price: $150
  • [Coffee Retailer] + CC/PayPal
    • Easy to hit
    • Use clean IP when logging in
    • Warranty for invalid login / missing payment method only
    • Method:
      • 1. Try to login on web if it lets you it lets you
      • 2. If web doesn’t work use CLEAN IP or LTE on your phone
      • DO NOT USE THE APP TO LOGIN LOGIN WILL FAIL
    • Available Options [10X and 50X are likely volume discounts]
      • American Express/Discover – price: $3
      • Visa/Mastercard – price: $2
      • PayPal – price: $4
      • Visa/Mastercard 10X – price $1.5
      • American Express/Discover 10X – price: $2
      • Venmo – price $6
      • Visa/Mastercard 50X – price: $1
      • Paypal 50X – price: $3

What To Do About Fraud-as-a-Service Storefronts Like Treyshop

If you weren’t previously aware of fraud-as-a-service providers or their storefronts, Treyshop[.]cc’s existence and continued operation is probably gobsmacking. It’s somewhat difficult to understand how so many service providers (e.g., the registrar, Cloudflare, Telegram, TikTok, Google, YouTube) can remain ignorant to or allow such activity to continue. But alas, there it is.

It proves something we’ve believed for a long time at Allure Security. No internet service provider, social media platform, etc. cares as much about the preservation of your brand’s reputation as you do. If you want to protect your brand and customers online, in the end, it’s up to you.

To combat such threats, you need a way to identify them as close to their origination point as possible. Explore whether your brand is targeted in a F-a-a-S scheme on a regular basis. To do that, you need to continually monitor the surface, deep, and dark web for content indicating your brand is a fraud target. If you find such fraud services and guides targeting your brand, work to quickly to take down related sites or content. 

In the case of gift card or rewards fraud you should connect with law enforcement. In addition, compare the costs of purchasing stolen gift cards or accounts with the costs of funds stolen, inventory loss, fraud response, and making victims whole. In many cases, purchasing the stolen account is the less costly option. You can take action by informing the victims of the compromise and give them instructions for creating a new account and recouping their losses.

If you don’t have the staff, resources, tools, and expertise to maintain constant vigilance across the near infinite internet for such abuse of your brand online – it’s time to talk to Allure Security.

Request a demo today:
Post Date
Author

Fraud-as-a-Service Storefront Treyshop Exposed

Fraud-as-a-Service Storefront Treyshop Exposed