Cybersecurity researchers have disclosed details of fraudulent activity targeting users across the Middle East and North Africa by employing various fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations.
“These accounts promoted fake offers, including free mobile internet packages, financial compensation, and government subsidy programs,” Group-IB analysts Anna Yurtaeva and Viacheslav Shevchenko said.
“Victims were encouraged to click embedded links to claim the advertised benefits, but were instead redirected through a chain of intermediary websites that ultimately led to phishing and traffic monetization infrastructure.”
The Singapore-headquartered cybersecurity company has these campaigns to Sniper Dz, a turnkey phishing-as-a-service (PhaaS) platform that was taken down last month in an INTERPOL-led operation. The findings indicate that the platform goes beyond facilitating credential theft, generating illicit revenue via browser notification abuse, premium SMS subscriptions, premium-rate calls, and investment scams.
A “typical Sniper Dz scam victim funnel” begins with localized social engineering lures, with the scammers impersonating well-known telecom providers such as Algérie Télécom to promote fake offers, to direct users to domains hosted on Link in bio services that act as an intermediary layer between the social media post and the final destination.
“Rather than directing victims straight to a malicious website, the campaign first routes users through trusted link-aggregation platforms such as Linkbio and Linktree,” Group-IB researchers said. “The attackers create decoy landing pages on domains operated by these services.”
The attack ends with directing victims to a page that obtains browser notification permissions by prompting users to click “Allow” to continue. Behind the scenes, code embedded in the web page subscribes the web browser to a push notification system using a Voluntary Application Server Identification (VAPID) public key.
Group-IB said the same VAPID key has been observed across campaigns masquerading as telecommunications providers in Algeria and investment-related scams targeting users in multiple regions.
“Because VAPID public keys are used to identify the notification service responsible for delivering push messages, their reuse can provide valuable insight into underlying infrastructure relationships,” the company said. “The consistent appearance of the same key across otherwise distinct campaigns suggests that the operators are relying on a shared push-notification ecosystem rather than independent infrastructure.”
Furthermore, the page engages in back button hijacking by injecting 10 fake history states, tricking users into visiting sites that may serve unsolicited ads, or trapping them in a “back-button prison” and within attacker-controlled content to inflate ad impressions, promote scams, or deliver malicious content.
“The page also implements a tab-under technique that activates when users interact with certain links,” the cybersecurity company noted. If a link opens a new browser tab, a delayed script silently redirects the original tab to another destination controlled by the operators.
“This allows the campaign to continue driving traffic through its redirection and monetization infrastructure even after the victim believes they have left the site. By combining browser notification abuse with history manipulation and tab-under redirections, the operators make it significantly more difficult for users to escape the scam ecosystem.”
Once users are enrolled into the notification infrastructure, the attacks progress to the monetization phase, routing the victims to a traffic distribution system (TDS) that determines which scam to present based on factors like device type, location, and mobile carrier. Potential pathways include premium-rate call scams, premium SMS subscription fraud, and investment scams.
“This campaign demonstrates how modern fraud operations increasingly rely on the abuse of legitimate web technologies rather than traditional malware,” Group-IB said. “Instead of infecting devices, the operators exploit trusted platforms, browser features, and social engineering techniques to guide victims through a carefully designed monetization funnel.”
