Cybersecurity researchers at Group-IB have uncovered a fraudulent campaign targeting users across the Middle East and North Africa (MENA) region. The operation, linked to the Sniper Dz phishing-as-a-service (PhaaS) platform, uses fake Facebook accounts impersonating politicians, public figures, and trusted organizations to promote bogus offers such as free mobile internet packages, financial compensation, and government subsidies.
Victims are lured into clicking embedded links that redirect through intermediary platforms like Linktree and Linkbio before reaching malicious pages. These pages request browser notification permissions using a VAPID public key, which Group-IB found reused across multiple campaigns. The attackers also employ back-button hijacking and tab-under redirection techniques to trap users and inflate ad impressions.
Once enrolled in the notification infrastructure, victims are routed through a traffic distribution system (TDS) that determines the monetization path, including premium-rate calls, SMS subscription fraud, and investment scams. The campaign highlights a shift from traditional malware to abuse of legitimate web technologies and social engineering.
Sniper Dz was taken down in an INTERPOL-led operation last month, but the findings indicate the platform’s infrastructure continues to generate illicit revenue. Group-IB emphasizes the importance of user awareness and browser security to mitigate such threats.
CVEs: CVE-2026-11645
Attack groups: Sniper Dz
Original source: thehackernews.com