Sniper Dz Scams Target MENA Users with Fake Facebook Offers and Browser Notifications

Ravie Lakshmanan | June 15, 2026 | Social Engineering / Browser Security

Cybersecurity researchers have uncovered details of fraudulent activities targeting users across the Middle East and North Africa using various fake Facebook accounts impersonating politicians, public figures, and trusted organizations.

“These accounts promote fake promises, including mobile internet packages, financial compensation, and government subsidy programs,” said Group-IB analysts Anna Yurtaeva and Viacheslav Shevchenko.

“Victims were encouraged to click on embedded links to claim advertised benefits, but instead were redirected through a series of participating websites that ultimately led to phishing and traffic monetization infrastructure.”

The Singapore-headquartered cybersecurity company has attributed this activity to Sniper Dz, a turnkey phishing-as-a-service (PhaaS) platform that was taken down last month in an operation led by INTERPOL. The findings show that the platform goes beyond facilitating identity theft, generating illicit income through browser notification abuse, premium SMS subscriptions, premium-rate calls, and investment scams.

The common path for victims of the Sniper Dz scam starts with localized social engineering lures, with fraudsters impersonating well-known telecommunications providers such as Algérie Télécom to promote fake offers and directing users to domains hosted on link-in-bio services that act as an intermediate layer between social media posts and the destination.

“Instead of directing victims directly to malicious websites, the campaign first directs users through trusted link aggregation platforms such as Linkbio and Linktree,” said Group-IB researchers. “Attackers create fake landing pages on domains used by these services.”

The redirect chain ends at a browser notification permission page that prompts users to click “Allow” to continue. Behind the scenes, code embedded in the web page registers the browser with the push notification system using a Voluntary Application Server Identification (VAPID) public key.

Group-IB said the same VAPID key was seen in all campaigns targeting telecommunications providers in Algeria and investment-related scams targeting users in many regions.

“Because VAPID public keys are used to identify the notification service responsible for delivering push messages, their reuse can provide valuable insight into underlying infrastructure relationships,” the company said. “The consistent appearance of the same key across different campaigns suggests that operators are relying on a shared push information ecosystem rather than an independent infrastructure.”
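The key-reuse pivot described above can be reproduced by a defender over archived page sources. The following is an added example, not code from Group-IB or from the campaign; the sample keys, hostnames and the `toBytes` name inside the sample strings are constructed placeholders.

```javascript
// Added example: pivot on reused VAPID public keys across captured page sources.
// A Web Push applicationServerKey is a 65-byte uncompressed P-256 point
// (leading 0x04), i.e. 87 base64url characters that start with "B".
const CANDIDATE = /(?<![A-Za-z0-9_-])B[A-Za-z0-9_-]{86}(?![A-Za-z0-9_-])/g;

// Structural check only: length and prefix, not that the point is on the curve.
function isVapidKeyShaped(b64url) {
  const raw = Buffer.from(b64url, 'base64url');
  return raw.length === 65 && raw[0] === 0x04;
}

// Return the distinct VAPID-shaped strings found in one page source.
function extractVapidKeys(source) {
  const hits = source.match(CANDIDATE) || [];
  return [...new Set(hits.filter(isVapidKeyShaped))];
}

// Map each key to the pages that embed it.
function clusterByVapidKey(pages) {
  const clusters = new Map();
  for (const { id, source } of pages) {
    for (const key of extractVapidKeys(source)) {
      if (!clusters.has(key)) clusters.set(key, []);
      clusters.get(key).push(id);
    }
  }
  return clusters;
}

// Keys seen on two or more pages point to shared push infrastructure.
function sharedKeys(pages) {
  return [...clusterByVapidKey(pages)].filter(([, ids]) => ids.length > 1);
}

// Constructed sample data: keys are filler bytes, hostnames are placeholders.
const fakeKey = (fill) =>
  Buffer.concat([Buffer.from([0x04]), Buffer.alloc(64, fill)]).toString('base64url');
const KEY_A = fakeKey(0x11);
const KEY_B = fakeKey(0x22);
const SAMPLE_PAGES = [
  { id: 'telecom-lure.example', source: `reg.pushManager.subscribe({userVisibleOnly:true, applicationServerKey: toBytes("${KEY_A}")})` },
  { id: 'invest-lure.example', source: `const k='${KEY_A}'; sw.pushManager.subscribe({applicationServerKey:k})` },
  { id: 'unrelated.example', source: `pushManager.subscribe({applicationServerKey:"${KEY_B}"})` },
  { id: 'no-push.example', source: '<html><body>static page</body></html>' },
];

for (const [key, ids] of sharedKeys(SAMPLE_PAGES)) {
  console.log(`${key.slice(0, 12)}... shared by: ${ids.join(', ')}`);
}
```

A key that clusters several otherwise unrelated lure pages is a candidate blocklist and hunting indicator, since every browser subscribed under it receives pushes from the same sender.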

In addition, the page engages in back button hijacking by injecting 10 fake history entries, steering users to sites that may serve unsolicited ads, or trapping them in a “back button jail” inside attacker-controlled content that floods them with ad impressions, promotes scams, or delivers malicious content.

“The page also uses a tab-under mechanism that activates when users interact with certain links,” the cybersecurity firm noted. When a link opens a new browser tab, a delayed script silently redirects the original tab to another operator-controlled location.

“This allows the campaign to continue to drive traffic through its redirect infrastructure and monetize even after the victim believes they have left the site. By combining browser notification abuse with history manipulation and tab redirection, operators make it even more difficult for users to escape the scam ecosystem.”

Once users have subscribed to the notification infrastructure, the attack moves on to the monetization phase, sending victims to a traffic distribution system (TDS) that determines which scam to launch based on factors such as device type, location, and mobile carrier. Possible methods include premium rate call scams, premium SMS subscription scams, and investment scams.

“This campaign shows how much modern fraud relies on the misuse of legitimate web technologies rather than conventional malware,” Group-IB said. “Instead of infecting tools, operators use trusted platforms, browser features, and social engineering techniques to guide victims through a carefully crafted monetization funnel.”
