How Sniper Dz Uses Fake Facebook Pages and Push Ads in MENA

CyberSecureFox Editorial Team

Researchers from Group-IB have revealed details of a large-scale fraud campaign targeting users in the Middle East and North Africa (MENA). The attackers use fake Facebook accounts impersonating politicians, public figures, and trusted organizations to lure victims with promises of free mobile internet, financial compensation, and government subsidies. Instead of the promised benefits, users are drawn into a multi-stage redirection funnel that leads to phishing infrastructure and traffic monetization systems. According to the researchers, the campaign is linked to the Sniper Dz platform — a “phishing-as-a-service” (PhaaS) offering that was reportedly dismantled during an INTERPOL-led operation.

Multi-stage funnel: from social engineering to monetization

A distinctive feature of this campaign is the abandonment of traditional malware in favor of abusing legitimate web technologies and trusted platforms. A typical attack chain is structured as follows:

Initial vector: localized lures

According to the researchers, the scammers create fake Facebook accounts that impersonate well-known telecommunications providers — in particular, Algérie Télécom — and promote bogus promotions. Localization is the key element: the lures are tailored to specific regions and mobile operators, which increases the level of trust among potential victims.

Intermediate layer: legitimate link aggregators

Instead of redirecting users directly to malicious domains, the campaign employs an intermediate layer — link aggregation platforms such as Linkbio and Linktree. On these services, decoy landing pages are created that appear harmless and do not raise suspicion among social network moderation systems. This is a critically important tactical choice: using trusted domains makes it possible to bypass both platform automation filters and user vigilance.

Browser hijacking: push notifications and VAPID

The final page asks the user for permission to send browser notifications — the standard dialog “Click Allow to continue.” Behind this is the browser’s subscription to a push notification system using a public VAPID (Voluntary Application Server Identification) key.

The researchers found that the same VAPID key appears both in campaigns impersonating Algerian telecommunications providers and in investment scams targeting users in several regions. Since VAPID keys identify the service responsible for delivering push messages, their reuse indicates a shared notification infrastructure rather than independent operations. This is a valuable indicator for tracking links between campaigns that may appear unrelated on the surface.

Keeping the victim trapped: navigation interception

The campaign uses several techniques to keep the user within the fraudulent ecosystem:

  • Back button interception — the page injects 10 fake entries into the browser history, creating a so-called “back button jail.” When the user tries to go back, they are repeatedly taken to pages with ads or fraudulent content.
  • “Tab-under” technique — when the user clicks a link that opens a new tab, a delayed script silently redirects the original tab to another resource controlled by the operators. The victim believes they have left the fraudulent page, but the original tab continues to generate traffic for the monetization infrastructure.

The combination of these techniques makes it significantly harder for users to exit the fraud funnel without force-closing all tabs.
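As an added example (not code from the report or from Group-IB), the guard below shows how a browser extension content script could detect and neutralize both trapping techniques described above. It assumes a window-like object exposing history.pushState, open and location.assign/replace; the clock is injectable and the fake window is constructed so the logic can be exercised outside a browser.

```javascript
// Wrap navigation APIs of `win`; collect findings and block the trapping calls.
function installNavigationGuard(win, opts = {}) {
  const maxPushes = opts.maxPushes ?? 5;        // pushState calls tolerated per time window
  const pushWindowMs = opts.pushWindowMs ?? 2000;
  const tabUnderMs = opts.tabUnderMs ?? 5000;   // a navigation this soon after open() is a tab-under
  const now = opts.now ?? (() => Date.now());
  const findings = [];
  const pushTimes = [];
  let lastOpenAt = null;

  // Back button jail: a burst of pushState calls stuffs the history stack.
  const origPush = win.history.pushState.bind(win.history);
  win.history.pushState = function (state, title, url) {
    const t = now();
    pushTimes.push(t);
    while (pushTimes.length && t - pushTimes[0] > pushWindowMs) pushTimes.shift();
    if (pushTimes.length > maxPushes) {
      findings.push({ kind: "back-button-jail", url: String(url), count: pushTimes.length });
      return undefined; // drop the entry instead of polluting the history stack
    }
    return origPush(state, title, url);
  };

  // Tab-under: the original tab navigates itself shortly after opening a new tab.
  const origOpen = win.open.bind(win);
  win.open = function (...args) {
    lastOpenAt = now();
    const child = origOpen(...args);
    if (child) child.opener = null; // same effect as rel="noopener"
    return child;
  };
  for (const method of ["assign", "replace"]) {
    const orig = win.location[method].bind(win.location);
    win.location[method] = function (url) {
      const t = now();
      if (lastOpenAt !== null && t - lastOpenAt <= tabUnderMs) {
        findings.push({ kind: "tab-under", url: String(url), msAfterOpen: t - lastOpenAt });
        return undefined; // block the silent redirect of the original tab
      }
      return orig(url);
    };
  }
  return { findings };
}

// Constructed stand-in for a browser window, used only for offline testing.
function makeFakeWindow() {
  const entries = [], navigations = [];
  return {
    entries, navigations,
    history: { pushState: (s, t, u) => entries.push(u) },
    open: () => ({ opener: {} }),
    location: { assign: (u) => navigations.push(u), replace: (u) => navigations.push(u) },
  };
}
```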

Monetization via traffic distribution system

After subscribing to notifications, victims are, according to Group-IB, directed to a traffic distribution system (TDS), which determines the specific fraud scenario based on device type, geolocation, and mobile operator. The identified monetization paths include:

  • Scams involving premium-rate phone calls
  • Subscriptions to premium SMS services without the user’s explicit consent
  • Investment fraud schemes

This broadens the understanding of what the Sniper Dz platform can do: in addition to classic credential theft phishing, it presumably provides a full-fledged infrastructure for multiple monetization schemes.

Threat context

The Sniper Dz platform is positioned as an out-of-the-box “phishing-as-a-service” solution that lowers the barrier to entry for fraudsters. It has been reported that the platform was taken down during an INTERPOL-led operation, but no primary confirmation from INTERPOL itself is provided in the publicly available materials. It should be noted that the attribution of the campaign to Sniper Dz is based on the analysis of a single research center.

The fundamental takeaway from this research is a shift in focus of modern fraud operations away from malware distribution toward the abuse of legitimate web technologies: push notifications, the browser history API, and trusted link aggregation platforms. This creates a serious challenge for traditional security tools that are geared toward detecting malicious files and known phishing domains.

Protection recommendations

  • For end users: review and revoke push notification permissions in your browser settings (Chrome: chrome://settings/content/notifications, Firefox: about:preferences#privacy → “Notifications” section). Remove all subscriptions from unfamiliar sites.
  • For organizations in the MENA region: inform employees and customers about scams involving fake accounts impersonating the company’s brand. Set up monitoring for brand mentions on social networks to enable early detection of fake pages.
  • For security teams: track VAPID keys as an indicator of infrastructure links between campaigns. Block redirects through known link aggregation services at the proxy or DNS level if they are not used in business processes.
  • For telecom operators: implement mechanisms to detect subscriptions to premium SMS and premium-rate calls initiated without the subscriber’s explicit confirmation, and ensure the ability to promptly block such services.

This campaign demonstrates that effective protection against modern fraud requires control not only at the endpoint level, but also at the level of browser permissions and web navigation behavior patterns. The first concrete step is to audit push notification permissions on all corporate and personal devices and disable subscriptions from unknown sources, and for organizations in the MENA region — to immediately check for fake Facebook pages abusing their brand.
