Allure Security has found Treyshop[.]cc, a fraud-as-a-service operation’s e-commerce storefront on the internet. While the fraud-as-a-service business model has been around for ages, what’s novel, in this case, is the adversary’s brazenness (or negligence) in openly hawking stolen PII, step-by-step fraud instructions, account credentials, and payment card information.
The fraudster also makes a Telegram channel publicly available via preview that provides inventory updates, announces pricing promotions, and shares alleged customers’ photos and videos showing the spoils of buying and using the shop’s products.
What is Fraud as a Service?
Fraud-as-a-service offerings include some combination of products and services, such as tools, data, and guidance that facilitate the execution of fraud by others. The “as-a-service” suffix means that the purchasers of this service need not be fraud experts to defraud others. In many cases, without such operations’ services, many of their customers would likely not have the knowledge or tools needed to pull off a scam successfully.
Fraud-as-a-service providers lower the entry barrier for fraudsters, making it possible for fraudsters to commit more fraud. Such services contribute to or exacerbate increasing fraud rates. In its Internet Crime Complaint Center (IC3) Annual Report, the FBI reported a 10% increase in fraud complaints and a 22% increase in fraud losses in 2023 compared to 2022.
Bad Actors
How is Treyshop Supporting Fraudsters?
Treyshop is an e-commerce storefront used by a fraud-as-a-service operation to distribute stolen data and fraud guides and tools to other fraudsters.
These scam advertisements often use techniques to add to their believability including using similar messaging, presenting enticing offers, and sometimes using URLs similar to the real brand’s. These can be combined to create a deceptively realistic scam.
These scam advertisements often use techniques to add to their believability including using similar messaging, presenting enticing offers, and sometimes using URLs similar to the real brand’s. These can be combined to create a deceptively realistic scam.
While this problem is not new, it’s plagued Bing for a couple of years now, some new variations are rearing their head. The problem doesn’t stop with default search. Recently, Bing’s AI chatbot had been observed displaying fraudulent advertisements alongside responses to users’ prompts.
Treyshop dot cc gonna make your pockets fatter...Turn noties [sic] off so they don’t know what you spend.
What is Scam Rap?
A subgenre of hip-hop called scam rap takes its name based on song lyrics, including tutorials for committing fraud. One song released around the time we suspect Treyshop[.]cc went live at the end of August 2023 was “Treyshop Put Me On.” The performer wastes no time starting the song with “I just caught two Windstreams off of Treyshop.” Windstream is a telecommunications provider headquartered in Arkansas and “catching two” could mean taking over two email accounts and/or mobile phone service accounts.
Digging Deeper into Treyshop[.]cc
On May 6, 2024, Allure Security counted a total of 188 fraud-as-a-service packages available for sale. In some cases, different products allow a buyer to engage in different types of fraud for the same brand (i.e., a product facilitating gift card fraud and another product facilitating more run-of-the-mill account takeover plus credit card fraud).
Product categories listed on Treyshop include:
•Bulk
•Cashout
•Clothing
•Designer clothing
•Electronics
•Fa (Full Access)
•Flights
•Food
•Fuel
•Games
•Gift cards/Rewards
•Groceries
•Hot Products
•Lifestyle
•Movies
•Otp Products
•Shopping
•Streaming
•Tools
•Travel
•Trey Gift Cards (yes, gift cards to the fraud store)
Gallery of Treyshop Fraud as a Service Product Listings
[Select an image to expand] The gallery below is a mere sample of the approximately 188 products listed by Treyshop.
Treyshop Marketing
Treyshop is going direct-to-consumer via the e-commerce channel. In addition to the word-of-mouth or possibly influencer marketing provided by scam rappers, Treyshop also uses a Telegram channel called Treyshop Updates. Treyshop also offers a referral marketing program. For example, TikTok accounts that post about the spoils of their Treyshop-enabled fraudulent activities will include Treyshop referral links in their bios.
Examples highlighted in the photos:
•Direct mail envelopes from online payment services, which we assume contain debit cards with cash-out proceeds
•Video tours of hotel rooms likely booked as a result of loyalty fraud
•Mobile device screenshots of order confirmations, delivery notifications, rewards point balances
[Select an image to expand] Photos of products purported to have been purchased with compromised account information bought from Treyshop
Types of Fraud Enabled by Treyshop
The assortment of fraud-as-a-service products offered on the site enables customers to commit some combination of account takeover; cashout; gift card; loyalty, points, or rewards; mobile app, and payments fraud.
ATO fraud involves an adversary stealing a victim’s credentials in order to take control of that user’s account. Granted this is a rather broad category and nearly every other type of fraud listed here involves some form of ATO fraud. In this context the compromised accounts might be for a delivery app, buy now pay later (BNPL) service, rewards account, etc.
- In terms of the services Treyshop offers, cash-out products seem to assist in transferring a fraudster’s ill-gotten gains into currency they control—preferably laundering the money along the way. Cash-out might include printing stolen credit card numbers on cards and allowing ATM withdrawal.
- The purpose of one Treyshop product for a mobile sports betting app is solely for money laundering. An account for the app with a balance between $0.10 and $10 sells for $1.50.
The directions then instruct you to log in:
Change the account’s email address
- Enable two-factor authentication (2FA) and set it up on a burner phone
- Add a debit card and deposit $10 – we speculate the deposit can be whatever amount the buyer wants laundered, though amounts above certain thresholds may draw the attention of anti-fraud systems
- Wait the 90 minutes or so it takes to withdraw via debit card. Cash-out details are somewhat sparse, and this may be because the company does not want brands to catch wind of its methods. For example, one cash-out product description states, “Not giving full method so it doesn’t get burnt, but it’s fairly self-explanatory.”
- Gift card fraud can refer to multiple schemes. One of the more well-known types these days is a scammer asking a victim to purchase gift cards for payment, but then the scammer runs away with the funds providing nothing in return. In another form, fraudsters may record the numbers from gift cards on display in a brick-and-mortar store. Once a consumer purchases and funds the gift card, the scammer will drain the balance.
- From what we can tell, the gift card fraud products on Treyshop involve compromised gift cards or gift card accounts for particular brands that the scammer can use themselves to purchase goods.
- Loyalty fraud, also known as rewards or points fraud, consists of the abuse of a brand’s loyalty programs to make use of any associated rewards themselves. Sometimes such fraud takes an internal form where a brand’s employees abuse the program because they have insider knowledge or make unauthorized use of a customer’s rewards. In some cases, a rewards member will discover a loophole in the system that they abuse.
- Treyshop products related to loyalty fraud, however, mostly involve the fraudster compromising a loyalty member’s account and using those rewards for themselves. As the Loyalty Security Association explains, “Stolen points are as good as cash if those rewards can be redeemed for hotel stays, airline tickets, or other high value items.” The LSA goes on to explain that because rewards points aren’t literally monetary, less scrutiny is applied to loyalty programs making them fertile ground for fraud.
- Mobile app fraud is essentially fraud involving the use of a mobile app on a mobile device. For example, The Financial Brand reports that more than half of fraudulent banking transactions originated via a mobile device in 2023.
- Many Treyshop product descriptions instruct potential buyers that they need to log-in to the targeted brand’s mobile app to successfully execute their crime. This is another broad category that overlaps with others discussed in this article. For more details on specific types, see our article on mobile app fraud.
- This type of fraud involves the use of stolen payment account information or compromised payment accounts to steal money or make purchases. Almost every single product sold by Treyshop combines payments fraud with account takeover fraud. Various products include compromised credit cards, debit cards, and online payments accounts.
- One product includes stolen EBT cards, which strikes us as especially despicable. EBT stands for Electronic Benefits Transfer, which allows Supplemental Nutrition Assistance Program (SNAP) participants to pay for food using their EBT card. Treyshop is enabling the victimization of low-income families that depend on their SNAP benefits in order to eat.
Some Brands Targeted with Multiple Types of Fraud
An example of one brand and its customers being targeted with different types of fraud is a coffee retailer. Associated scams include at least two different types: one labeled “GC” offered stolen gift card accounts/balances for sale and another labeled “CC” for credit card fraud.
Below is more detail on each scam quoting from the product descriptions with some redaction and punctuation changes for readability:
- Use Stocard app to hit
- Warranty for missing/invalid balance (Must show receipt proof)
- Available Options [the dollar ranges are likely balances]
- Gift card $5-$10 – price: $1.5
- Gift card $30-$40 – price: $9
- Gift card $10-$20 – price: $3
- Gift card $20-$30 – price: $6.5
- Gift card $100-$150 – price: $36
- Gift card $60-$70 – price: $18
- Gift card $40-$50 – price: $12
- Gift card $150-$200 – price: $52
- Gift card $200-$250 – price: $70
- Gift card $450-$500 – price: $150
- Easy to hit
- Use clean IP when logging in
- Warranty for invalid login / missing payment method only
- Method:
- 1. Try to login on web if it lets you it lets you
- 2. If web doesn’t work use CLEAN IP or LTE on your phone
- DO NOT USE THE APP TO LOGIN LOGIN WILL FAIL
- Available Options [10X and 50X are likely volume discounts]
- American Express/Discover – price: $3
- Visa/Mastercard – price: $2
- PayPal – price: $4
- Visa/Mastercard 10X – price $1.5
- American Express/Discover 10X – price: $2
- Venmo – price $6
- Visa/Mastercard 50X – price: $1
- Paypal 50X – price: $3
tips
What To Do About Fraud-As-A Service Storefronts Like Treyshop
If you weren’t previously aware of fraud-as-a-service providers or their storefronts, Treyshop[.]cc’s existence and continued operation is probably gobsmacking. It’s somewhat difficult to understand how so many service providers (e.g., the registrar, Cloudflare, Telegram, TikTok, Google, YouTube) can remain ignorant to or allow such activity to continue. But alas, there it is.
It proves something we’ve believed for a long time at Allure Security. No internet service provider, social media platform, etc. cares as much about the preservation of your brand’s reputation as you do. If you want to protect your brand and customers online, in the end, it’s up to you.
How to Combat Threats
To combat such threats, you need a way to identify them as close to their origination point as possible. Explore whether your brand is targeted in a F-a-a-S scheme on a regular basis. To do that, you need to continually monitor the surface, deep, and dark web for content indicating your brand is a fraud target. If you find such fraud services and guides targeting your brand, work to quickly to take down related sites or content.
In the case of gift card or rewards fraud you should connect with law enforcement. Compare the costs of purchasing stolen gift cards or accounts with the costs of funds stolen, inventory loss, fraud response, and making victims whole. Often, purchasing the stolen account is the less costly option. You can take action by informing the victims of the compromise and give them instructions for creating a new account and recouping their losses.
Related Articles
-
SharkBot Mobile Banking Trojan Embedded in Banking AppIn a recent mobile malware scan for one of our partners, Allure Security...
-
How to Handle Parked DomainsWhat is a Parked Domain? Many brands are unsure about parked domains with...
-
Fighting Search Engine Phishing: Malvertising and Bing AdsSearch Engine Advertising Risks When consumers search the internet, brands want to be...
-
Webinar: IT Leaders on Online Impersonation FraudSecurity against the Rising Threat of Impersonation Scams Cybersecurity remains a back-and-forth contest...
-
Fraudsters Abuse Dynamic DNS Subdomains For PhishingAllure Security has noted an increase in scammers utilizing dynamic DNS (DDNS) services....
-
Damn Filters Recovers from Poisoned Search Engine ResultsPoisoned Search Engine Results Damn Filters, a leading company in Kansas, sells online...