{"id":1303,"date":"2026-06-15T07:34:20","date_gmt":"2026-06-15T07:34:20","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=1303"},"modified":"2026-06-15T07:34:20","modified_gmt":"2026-06-15T07:34:20","slug":"sniper-dz-scams-target-mena-users-via-fake-facebook-offers-and-browser-alerts","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=1303","title":{"rendered":"Sniper Dz Scams Target MENA Users via Fake Facebook Offers and Browser Alerts"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Jun 15, 2026<\/span><\/span>Social Engineering \/ Browser Security<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

Cybersecurity researchers have disclosed details of fraudulent activity targeting users across the Middle East and North Africa by employing various fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations.<\/p>\n

\u00abThese accounts promoted fake offers, including free mobile internet packages, financial compensation, and government subsidy programs,\u00bb Group-IB analysts Anna Yurtaeva and Viacheslav Shevchenko said<\/a>.<\/p>\n

\u00abVictims were encouraged to click embedded links to claim the advertised benefits, but were instead redirected through a chain of intermediary websites that ultimately led to phishing and traffic monetization infrastructure.\u00bb<\/p>\n

The Singapore-headquartered cybersecurity company has these campaigns to Sniper Dz, a turnkey phishing-as-a-service (PhaaS) platform that was taken down last month in an INTERPOL-led operation. The findings indicate that the platform goes beyond facilitating credential theft, generating illicit revenue via browser notification abuse, premium SMS subscriptions, premium-rate calls, and investment scams.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

A \u00abtypical Sniper Dz scam victim funnel\u00bb begins with localized social engineering lures, with the scammers impersonating well-known telecom providers such as Alg\u00e9rie T\u00e9l\u00e9com to promote fake offers, to direct users to domains hosted on Link in bio services that act as an intermediary layer between the social media post and the final destination.<\/p>\n

<\/p>\n

\u00abRather than directing victims straight to a malicious website, the campaign first routes users through trusted link-aggregation platforms such as Linkbio and Linktree,\u00bb Group-IB researchers said. \u00abThe attackers create decoy landing pages on domains operated by these services.\u00bb<\/p>\n

The attack ends with directing victims to a page that obtains browser notification permissions by prompting users to click \u00abAllow\u00bb to continue. Behind the scenes, code embedded in the web page subscribes the web browser to a push notification system using a Voluntary Application Server Identification (VAPID<\/a>) public key.<\/p>\n

\"\"<\/a><\/div>\n

Group-IB said the same VAPID key has been observed across campaigns masquerading as telecommunications providers in Algeria and investment-related scams targeting users in multiple regions.<\/p>\n

\u00abBecause VAPID public keys are used to identify the notification service responsible for delivering push messages, their reuse can provide valuable insight into underlying infrastructure relationships,\u00bb the company said. \u00abThe consistent appearance of the same key across otherwise distinct campaigns suggests that the operators are relying on a shared push-notification ecosystem rather than independent infrastructure.\u00bb<\/p>\n

Furthermore, the page engages in back button hijacking by injecting 10 fake history states, tricking users into visiting sites that may serve unsolicited ads, or trapping them in a \u00abback-button prison\u00bb and within attacker-controlled content to inflate ad impressions, promote scams, or deliver malicious content.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

\u00abThe page also implements a tab-under technique that activates when users interact with certain links,\u00bb the cybersecurity company noted. If a link opens a new browser tab, a delayed script silently redirects the original tab to another destination controlled by the operators.<\/p>\n

\u00abThis allows the campaign to continue driving traffic through its redirection and monetization infrastructure even after the victim believes they have left the site. By combining browser notification abuse with history manipulation and tab-under redirections, the operators make it significantly more difficult for users to escape the scam ecosystem.\u00bb<\/p>\n

Once users are enrolled into the notification infrastructure, the attacks progress to the monetization phase, routing the victims to a traffic distribution system (TDS) that determines which scam to present based on factors like device type, location, and mobile carrier. Potential pathways include premium-rate call scams, premium SMS subscription fraud, and investment scams.<\/p>\n

\u00abThis campaign demonstrates how modern fraud operations increasingly rely on the abuse of legitimate web technologies rather than traditional malware,\u00bb Group-IB said. \u00abInstead of infecting devices, the operators exploit trusted platforms, browser features, and social engineering techniques to guide victims through a carefully designed monetization funnel.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

\ue804Ravie Lakshmanan\ue802Jun 15, 2026Social Engineering \/ Browser Security Cybersecurity researchers have disclosed details of fraudulent activity targeting users across the Middle East and North Africa by employing various fraudulent Facebook…<\/p>\n","protected":false},"author":1,"featured_media":1304,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[940,265,1188,150,161,18,243,2022,492,826],"class_list":["post-1303","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-alerts","tag-browser","tag-facebook","tag-fake","tag-mena","tag-offers","tag-scams","tag-sniper","tag-target","tag-users"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1303","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1303"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1303\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/1304"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1303"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1303"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1303"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}