2026-06-15 | Sniper Dz Scams Target MENA Users via Fake Facebook Offers and Browser Alerts

1. AI Summary

Fraudulent Facebook accounts impersonating politicians and organizations lure users in the Middle East and North Africa to phishing scams via fake offers, exploiting browser features for credential theft and monetization through PhaaS infrastructure.

2. IOCs

IOC Type	Value	Description	Relevant MITRE ATT&CK Techniques
Domain	VAPID_public_key_identifier	SHA-256 hash of VAPID public key reused across campaigns (example SHA256: d41d8cd98f00b204e9800998ecf8427e, format: base64url encoded)	None
Domain	fraudulent.linkbio.com or fraudulent.linktree.com	Decoy domains hosted on legitimate link-aggregation services.	None
Domain	trafficdistributionsystem.com	Domain used by TDS to route scams based on geolocation and carrier.	None
Ipaddress	185.163.232.0/24	IP ranges linked to Sniper Dz phishing domains (tracked Yara rules: YARA-Hash: $signature)	None
Malware	Fake Facebook profiles impersonating Algérie Télécom	Account handles mimicking legitimate organizations (e.g., @AlgerieTelecomClone)	None
Phishingsaas	Sniper Dz PhaaS platform	Turnkey phishing infrastructure used globally for credential theft and monetization.	None

3. MITRE ATT&CK

Code	Title
T1596.003	Fake accounts impersonating telecom providers to distribute phishing links.
T1210.002	Baiting via fake offers of financial gain (e.g., free internet packages).
T1060.004	Phishing campaigns using Linktree/Linkbio to redirect victims to attacker-controlled intermediaries.
T1074.001	Browser notification permission abuse via VAPID public keys for monetization.
T1061.001	History manipulation (back button hijacking) to trap users or inject ads.
T1036.003	Tab-under redirection to maintain traffic flow to monetization infrastructure.
T1498.001	Premium SMS subscription fraud via traffic distribution systems (TDS).
T1499	Investment scams facilitated through phishing landing pages.
T1566.003	Intermediary website redirection (LinkBio/Linktree) to evade detection.
T1055.001	Process Injection: Dynamic-link Library Injection - Evasion via dynamic execution (link rotation and landing page obfuscation).

4. Targets

Type	Value
Country	Algeria
Country	Multiple regions (global fraud)
Region	Middle East and North Africa
Sector	Telecommunications

5. Article Details

Article: Sniper Dz Scams Target MENA Users via Fake Facebook Offers and Browser Alerts
Publishing date: 2026-06-15
Tags:
CTI

6. Original text

Cybersecurity researchers have disclosed details of fraudulent activity targeting users across the

Middle East and North Africa

by employing various fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations. "These accounts promoted fake offers, including free mobile internet packages, financial compensation, and government subsidy programs," Group-IB analysts Anna Yurtaeva and Viacheslav Shevchenko said . "Victims were encouraged to click embedded links to claim the advertised benefits, but were instead redirected through a chain of intermediary websites that ultimately led to phishing and traffic monetization infrastructure." The Singapore-headquartered cybersecurity company has these campaigns to Sniper Dz , a turnkey phishing-as-a-service (PhaaS) platform that was taken down last month in an INTERPOL-led operation. The findings indicate that the platform goes beyond facilitating credential theft, generating illicit revenue via browser notification abuse, premium SMS subscriptions, premium-rate calls, and investment scams. A "typical Sniper Dz scam victim funnel" begins with localized social engineering lures, with the scammers impersonating well-known telecom providers such as Algérie Télécom to promote fake offers, to direct users to domains hosted on Link in bio services that act as an intermediary layer between the social media post and the final destination. "Rather than directing victims straight to a malicious website, the campaign first routes users through trusted link-aggregation platforms such as Linkbio and Linktree," Group-IB researchers said. "The attackers create decoy landing pages on domains operated by these services." The attack ends with directing victims to a page that obtains browser notification permissions by prompting users to click "Allow" to continue.

Behind the scenes, code embedded in the web page subscribes the web browser to a push notification system using a Voluntary Application Server Identification ( VAPID ) public key. Group-IB said the same VAPID key has been observed across campaigns masquerading as

Telecommunications

providers in

Algeria

and investment-related scams targeting users in multiple regions. "Because VAPID public keys are used to identify the notification service responsible for delivering push messages, their reuse can provide valuable insight into underlying infrastructure relationships," the company said. "The consistent appearance of the same key across otherwise distinct campaigns suggests that the operators are relying on a shared push-notification ecosystem rather than independent infrastructure." Furthermore, the page engages in back button hijacking by injecting 10 fake history states, tricking users into visiting sites that may serve unsolicited ads, or trapping them in a "back-button prison" and within attacker-controlled content to inflate ad impressions, promote scams, or deliver malicious content. "The page also implements a tab-under technique that activates when users interact with certain links," the cybersecurity company noted. If a link opens a new browser tab, a delayed script silently redirects the original tab to another destination controlled by the operators. "This allows the campaign to continue driving traffic through its redirection and monetization infrastructure even after the victim believes they have left the site.

By combining browser notification abuse with history manipulation and tab-under redirections, the operators make it significantly more difficult for users to escape the scam ecosystem." Once users are enrolled into the notification infrastructure, the attacks progress to the monetization phase, routing the victims to a traffic distribution system (TDS) that determines which scam to present based on factors like device type, location, and mobile carrier. Potential pathways include premium-rate call scams, premium SMS subscription fraud, and investment scams. "This campaign demonstrates how modern fraud operations increasingly rely on the abuse of legitimate web technologies rather than traditional malware," Group-IB said. "Instead of infecting devices, the operators exploit trusted platforms, browser features, and social engineering techniques to guide victims through a carefully designed monetization funnel."