2026-06-15 The Hacker News

Sniper Dz PhaaS Platform Targets MENA Users with Fake Facebook Lures

Phishing, Threat Intel, Malware

Cybersecurity researchers at Group-IB have exposed a sprawling social engineering campaign operated through Sniper Dz, a turnkey phishing-as-a-service (PhaaS) platform dismantled last month in an INTERPOL-led operation. Analysts Anna Yurtaeva and Viacheslav Shevchenko linked dozens of fraudulent Facebook accounts to the scheme, revealing that operators impersonated politicians, public figures, telecom providers such as Algérie Télécom, and trusted government institutions. The accounts pushed localized lures promising free mobile internet bundles, financial compensation, and government subsidy programs, drawing victims across the Middle East and North Africa into a multi-stage fraud funnel.

The attack chain avoids direct links to malicious infrastructure. Instead, posts route victims through trusted link-aggregation services including Linkbio and Linktree, where attackers host decoy landing pages that lend an air of legitimacy. From there, users are funneled to a final page that prompts them to click "Allow" to enable browser notifications, a step that silently subscribes the browser to a push notification system using a shared Voluntary Application Server Identification (VAPID) public key. Group-IB noted the same VAPID key appeared across campaigns targeting Algerian telecom subscribers and broader investment-themed scams, suggesting operators rely on a single shared push-notification backbone rather than isolated infrastructure. Reused infrastructure like this is a common pivot point for investigators, and a quick WHOIS lookup on related domains can often surface connected registrations.
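The shared-key pivot described above can be automated once landing pages have been captured. The following Node.js sketch is an added example, not code from Group-IB or the original article; the hostnames, page snippets and keys are constructed placeholders, and it assumes the key appears as a literal string in the captured source.

```javascript
// Added example. All hostnames and keys below are constructed placeholders.
// A VAPID public key is an uncompressed P-256 point (0x04 || X || Y, 65 bytes),
// which is 87 base64url characters and therefore always starts with "B".
const CANDIDATE = /(?<![A-Za-z0-9_-])B[A-Za-z0-9_-]{86}(?![A-Za-z0-9_-])/g;

function decodeB64url(s) {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}

// Return the unique strings in a page source that decode to a key-shaped value.
function extractVapidKeys(source) {
  const keys = new Set();
  for (const m of source.matchAll(CANDIDATE)) {
    const raw = decodeB64url(m[0]);
    if (raw.length === 65 && raw[0] === 0x04) keys.add(m[0]);
  }
  return [...keys];
}

// Group capture hosts by key; keep only keys seen on more than one host.
function clusterByVapidKey(captures) {
  const byKey = new Map();
  for (const { host, source } of captures) {
    for (const key of extractVapidKeys(source)) {
      if (!byKey.has(key)) byKey.set(key, new Set());
      byKey.get(key).add(host);
    }
  }
  return [...byKey]
    .map(([key, hosts]) => ({ key, hosts: [...hosts].sort() }))
    .filter((c) => c.hosts.length > 1);
}

// Constructed test data: format-valid keys, not real curve points.
function fakeKey(fill) {
  const raw = Buffer.concat([Buffer.from([0x04]), Buffer.alloc(64, fill)]);
  return raw.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const page = (key) =>
  `reg.pushManager.subscribe({userVisibleOnly:true,applicationServerKey:b64("${key}")})`;
const KEY_A = fakeKey(0xab), KEY_B = fakeKey(0x11);
const CAPTURES = [
  { host: "telecom-lure.example", source: page(KEY_A) },
  { host: "invest-lure.example", source: page(KEY_A) },
  { host: "unrelated.example", source: page(KEY_B) },
];

console.log(clusterByVapidKey(CAPTURES));
```

Pages that assemble the key at runtime or load it from a separate script will not match, so a miss here does not rule out shared infrastructure.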

Once notification permissions are granted, the page escalates the attack by injecting ten fake history states to hijack the back button, trapping victims in a loop of attacker-controlled sites designed to inflate ad impressions, push premium-rate scams, and monetize traffic. Sniper Dz operators generate revenue through multiple channels beyond credential theft, including browser notification abuse, premium SMS subscriptions, premium-rate phone calls, and investment fraud. Users who notice unexplained permission grants or suspicious redirects on their devices should run a browser fingerprint test to audit active surface identifiers and a privacy checkup to revoke rogue notification subscriptions and tighten browser exposure.

Source: The Hacker News
