Sniper Dz PhaaS Campaign Targets MENA Users with Fake Facebook Offers and Browser Notification Abuse
A phishing-as-a-service campaign dubbed 'Sniper Dz' is targeting users across the Middle East and North Africa via fake Facebook accounts and browser notification traps, Group-IB reports.

Cybersecurity researchers at Group-IB have uncovered a widespread scam campaign dubbed 'Sniper Dz' that is actively targeting users across the Middle East and North Africa (MENA). The operation relies on fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations to promote fake offers such as free mobile internet packages, financial compensation, and government subsidy programs.
According to Group-IB analysts Anna Yurtaeva and Viacheslav Shevchenko, victims are lured into clicking embedded links that promise the advertised benefits. Instead, they are redirected through a chain of intermediary websites that ultimately lead to phishing pages and traffic monetization infrastructure. The campaign is linked to the Sniper Dz turnkey phishing-as-a-service (PhaaS) platform, which was taken down last month in an INTERPOL-led operation.
The attack chain begins with localized social engineering lures, often impersonating well-known telecom providers such as Algérie Télécom. Rather than directing victims straight to a malicious website, the campaign first routes users through trusted link-aggregation platforms like Linkbio and Linktree. Attackers create decoy landing pages on these services, adding a layer of legitimacy before the final malicious destination.
Once users reach the final page, they are prompted to click "Allow", which grants the page browser notification permission. Behind the scenes, code embedded in the page subscribes the browser to a push notification system using a Voluntary Application Server Identification (VAPID) public key. Group-IB noted that the same VAPID key has been observed across multiple campaigns, suggesting a shared push-notification ecosystem operated by the same threat actors.
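The shared-key observation above lends itself to a triage step over saved page sources: pull out each page's VAPID public key and group pages that reuse one. The sketch below is an added example, not Group-IB's tooling; the page URLs, keys, and the helper names (including toBytes inside the sample page) are constructed for illustration.

```python
import base64
import re
from collections import defaultdict

# A VAPID public key is an uncompressed P-256 point: 65 bytes, first byte 0x04,
# which is 87 base64url characters once padding is stripped.
B64URL_LITERAL = re.compile(r"""["']([A-Za-z0-9_-]{87})=?["']""")

def vapid_keys(source):
    """Return VAPID public keys found in one saved page source."""
    if "pushManager.subscribe" not in source:
        return set()  # page never asks for a push subscription
    keys = set()
    for candidate in B64URL_LITERAL.findall(source):
        raw = base64.urlsafe_b64decode(candidate + "=")
        if len(raw) == 65 and raw[0] == 0x04:
            keys.add(candidate)
    return keys

def cluster_by_key(pages):
    """Map each key seen on more than one page to the sorted page URLs."""
    seen = defaultdict(set)
    for url, source in pages.items():
        for key in vapid_keys(source):
            seen[key].add(url)
    return {k: sorted(urls) for k, urls in seen.items() if len(urls) > 1}

def constructed_key(seed):
    """Build a well-formed but meaningless key for the sample data."""
    raw = b"\x04" + bytes((seed + i) % 256 for i in range(64))
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def constructed_page(key):
    # toBytes is a hypothetical helper name inside the constructed page.
    return ("navigator.serviceWorker.ready.then(reg => reg.pushManager.subscribe("
            "{userVisibleOnly: true, applicationServerKey: toBytes('" + key + "')}))")

KEY_A, KEY_B = constructed_key(1), constructed_key(7)
SAMPLE_PAGES = {  # constructed captures, not real campaign pages
    "https://offer-one.example/": constructed_page(KEY_A),
    "https://offer-two.example/": constructed_page(KEY_A),
    "https://shop.example/": constructed_page(KEY_B),
    "https://blog.example/": "var token = '" + KEY_A + "';",  # no subscribe call
}

if __name__ == "__main__":
    for key, urls in cluster_by_key(SAMPLE_PAGES).items():
        print(key[:16] + "...", urls)
```

Pages that share a key are candidates for the same push-notification operator; a key seen on only one page is left out of the result.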
The attack also employs aggressive browser manipulation techniques. The page engages in back-button hijacking by injecting 10 fake history states, trapping users in a "back-button prison" that forces them to remain within attacker-controlled content. Additionally, a tab-under technique silently redirects the original browser tab to another malicious destination when users interact with certain links, making it difficult for victims to escape the scam ecosystem.
Once users are enrolled into the notification infrastructure, the attacks progress to the monetization phase. A traffic distribution system (TDS) routes victims to different scams based on device type, location, and mobile carrier. Potential pathways include premium-rate call scams, premium SMS subscription fraud, and investment scams. Group-IB emphasized that this campaign demonstrates how modern fraud operations increasingly rely on abusing legitimate web technologies rather than traditional malware.
The Sniper Dz campaign highlights the growing sophistication of social engineering attacks that exploit trusted platforms and browser features. By combining fake social media profiles, link-aggregation services, browser notification abuse, and history manipulation, the operators have created a multi-layered monetization funnel that is difficult for users to escape. The takedown of the Sniper Dz platform by INTERPOL may disrupt this specific operation, but the techniques used are likely to be adopted by other threat actors.