Sniper Dz Scams Exploit MENA Users with Fraudulent Facebook Offers and Browser Notifications
Recent investigations have unveiled a sophisticated fraudulent scheme targeting users in the Middle East and North Africa (MENA). Cybersecurity researchers have identified a network of fake Facebook accounts impersonating politicians, public figures, and reputable organizations to lure victims into scams. This alarming trend highlights the evolving tactics employed by cybercriminals to exploit unsuspecting individuals.
The Mechanics of the Scam
According to analysts from Group-IB, these fraudulent accounts promoted enticing offers such as free mobile internet packages, financial compensation, and government subsidy programs. Victims were encouraged to click on embedded links to claim these benefits. However, instead of receiving the promised rewards, they were redirected through a series of intermediary websites that ultimately led to phishing schemes and traffic monetization infrastructure.
This operation is linked to Sniper Dz, a phishing-as-a-service (PhaaS) platform that was dismantled in a recent INTERPOL-led operation. The platform not only facilitated credential theft but also generated illicit revenue through browser notification abuse, premium SMS subscriptions, and investment scams.
Social Engineering Tactics
The typical victim funnel employed by Sniper Dz begins with localized social engineering tactics. Scammers impersonate well-known telecom providers, such as Algérie Télécom, to promote fake offers. This strategy directs users to domains hosted on link-aggregation services, which serve as intermediaries between the social media posts and the final malicious destinations.
Rather than directing users straight to harmful websites, the campaign first routes them through trusted platforms like Linkbio and Linktree. Group-IB researchers noted that attackers create decoy landing pages on these domains, making the scams appear more legitimate.
Browser Notification Abuse
The final stage of the attack involves tricking victims into granting browser notification permissions. Users are prompted to click “Allow” to continue, which subscribes their web browsers to a push notification system using a Voluntary Application Server Identification (VAPID) public key. This technique allows attackers to send unsolicited notifications and further entrap users in the scam ecosystem.
Group-IB has observed the same VAPID key being reused across various campaigns masquerading as telecommunications providers and investment-related scams. This reuse indicates a shared push-notification ecosystem, suggesting that the operators are leveraging interconnected infrastructures rather than independent systems.
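For defenders, the key reuse described above is a clustering pivot. The following is an added example, not code from Group-IB or the original report: it pulls VAPID public keys out of captured page sources and reports keys that appear on more than one domain. The domains, keys and page snippets are constructed for illustration, and the check validates key format only.

```python
import base64
import hashlib
import re
from collections import defaultdict

# A VAPID public key is an uncompressed P-256 point: 65 bytes starting with
# 0x04, normally embedded in the page as unpadded base64url (87 characters).
CANDIDATE = re.compile(r"(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{87}(?![A-Za-z0-9_-])")

def extract_vapid_keys(page_source: str) -> set:
    """Return base64url tokens that have the shape of a VAPID public key."""
    keys = set()
    for token in CANDIDATE.findall(page_source):
        try:
            raw = base64.urlsafe_b64decode(token + "=")
        except ValueError:
            continue
        # Format check only; does not verify the point lies on the curve.
        if len(raw) == 65 and raw[0] == 0x04:
            keys.add(token)
    return keys

def cluster_by_key(captures: dict) -> dict:
    """Map each key seen on two or more domains to the sorted domain list."""
    seen = defaultdict(set)
    for domain, source in captures.items():
        for key in extract_vapid_keys(source):
            seen[key].add(domain)
    return {k: sorted(d) for k, d in seen.items() if len(d) > 1}

def _constructed_key(seed: bytes) -> str:
    # Constructed stand-in with the right length and prefix, not a real key.
    raw = b"\x04" + hashlib.sha512(seed).digest()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

KEY_SHARED = _constructed_key(b"shared")
KEY_OTHER = _constructed_key(b"other")
# Constructed captures: domain -> saved page source (hypothetical domains).
CAPTURES = {
    "telecom-offer.example": f'subscribe({{applicationServerKey: "{KEY_SHARED}"}})',
    "invest-offer.example": f'var k = "{KEY_SHARED}"; subscribe(k);',
    "unrelated.example": f'var k = "{KEY_OTHER}"; var pad = "{"A" * 87}";',
}

if __name__ == "__main__":
    for key, domains in cluster_by_key(CAPTURES).items():
        print(key[:12] + "...", "shared by", domains)
```

A key that surfaces on otherwise unrelated lure domains is a reason to review those domains together and to block or alert on the push subscription endpoint they share.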
Advanced Manipulation Techniques
The fraudulent pages employ several advanced techniques to manipulate user behavior. One such tactic is back button hijacking, where the page injects multiple fake history states. This strategy tricks users into visiting other sites that may serve unsolicited ads or trap them in a “back-button prison,” inflating ad impressions and promoting scams.
Additionally, the pages implement a tab-under technique. When users interact with specific links, a delayed script silently redirects the original tab to another destination controlled by the scammers. This approach allows the campaign to continue driving traffic through its redirection and monetization infrastructure, even after victims believe they have left the site.
Monetization and Targeting
Once users are integrated into the notification infrastructure, the attacks progress to the monetization phase. Victims are routed to a traffic distribution system (TDS) that determines which scams to present based on various factors, including device type, location, and mobile carrier. Potential scams include premium-rate call fraud, premium SMS subscription scams, and investment schemes.
This campaign underscores a significant shift in modern fraud operations, which increasingly rely on the exploitation of legitimate web technologies rather than traditional malware. Instead of infecting devices, operators exploit trusted platforms, browser features, and social engineering techniques to guide victims through a meticulously designed monetization funnel.
The implications of these findings are profound, as they reveal the intricate methods employed by cybercriminals to exploit vulnerabilities in user behavior and trusted systems. As these tactics become more sophisticated, the need for heightened awareness and robust cybersecurity measures becomes increasingly critical.
For further insights into the evolving landscape of cyber threats, including the recent dismantling of Sniper Dz, refer to the original reporting source: thehackernews.com.


