"These accounts promoted fake offers, including free mobile internet packages, financial compensation, and government subsidy programs," Group-IB analysts Anna Yurtaeva and Viacheslav Shevchenko said.
Group-IB lays out the Sniper Dz playbook
Singapore-headquartered Group-IB published a detailed account of campaigns that used fraudulent Facebook accounts to target users across the Middle East and North Africa. According to the researchers, attackers impersonated politicians, public figures, and trusted organizations to advertise enticing, localized offers. Victims who clicked embedded links were routed through intermediary websites and ultimately funneled into phishing and traffic-monetization infrastructure.
From social post to permission prompt: the typical Sniper Dz funnel
Group-IB describes a repeatable sequence. The operation begins with localized social engineering lures — for example, posts impersonating well-known telecom providers such as Algérie Télécom — that point users to domains hosted on "link in bio" aggregation services. Rather than sending victims straight to a malicious site, the campaigns first created decoy landing pages on platforms like Linkbio and Linktree, using those trusted services as an intermediary layer.
The final destination frequently requests browser notification permissions, prompting users to click "Allow" to continue. Embedded code then subscribes the browser to a push-notification system using a Voluntary Application Server Identification (VAPID) public key. Group-IB notes that the same VAPID key appears across multiple campaigns, an observation investigators used to map relationships inside the ecosystem.
Notification abuse, back-button hijacks, and tab-under tricks
The researchers documented several browser-based techniques designed to trap users and inflate monetization metrics. Pages injected 10 fake history states to hijack the back button and potentially trap victims in attacker-controlled content or drive additional ad impressions. A tab-under technique was also employed: when users opened links in new tabs, a delayed script silently redirected the original tab to other operator-controlled destinations.
By combining browser-notification enrollment with history manipulation and tab-under redirections, the campaigns made it difficult for users to escape the scam ecosystem and allowed operators to keep driving traffic through their monetization chains even after a victim believed they had left the site.
VAPID key reuse points to shared push-notification infrastructure
Group-IB emphasized that VAPID public keys are used to identify the notification service responsible for delivering push messages. The consistent appearance of the same key across otherwise distinct campaigns "suggests that the operators are relying on a shared push-notification ecosystem rather than independent infrastructure," the company said. That technical fingerprinting provided a clue to the underlying relationships linking scams that impersonated telecoms in Algeria and investment-related schemes in other regions.
Monetization paths: TDS routing to premium SMS, calls, and investment scams
Once a browser is enrolled into the notification system, victims are handed to a traffic distribution system (TDS) that decides which monetization path to present based on device type, location, and mobile carrier. Potential outcomes listed by Group-IB include premium-rate call scams, premium SMS subscription fraud, and investment scams. The report stresses that Sniper Dz — a turnkey phishing-as-a-service platform — went beyond traditional credential theft to generate illicit revenue through browser notification abuse, premium SMS subscriptions, premium-rate calls, and investment fraud.
What this means for technologists, policymakers, and end users
- Technologists and security teams: Monitor for the reuse of VAPID keys and for referrals coming from link-aggregation domains such as Linkbio and Linktree; instrument detection for history-state manipulation and tab-under redirections that indicate monetization funnels rather than conventional phishing pages.
- Policymakers and regulators: Be alert to the monetization paths described — premium SMS and premium-rate calls — and how legitimate web features can be abused; the takedown of Sniper Dz in an INTERPOL-led operation shows one enforcement route, but the report suggests the underlying push-notification ecosystem may be shared across campaigns.
- End users and the general public: Treat unexpected social-media offers that require clicking through multiple link-aggregation pages with caution, and be wary of permission prompts that ask to send browser notifications; in these campaigns clicking "Allow" was the step that enrolled browsers into persistent, monetized notification streams.
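The VAPID-key fingerprinting described in the report and the history-state check from the detection guidance above, as an added Python example (not from Group-IB's report or the original article): it pulls candidate VAPID public keys out of captured landing-page scripts, validates them as uncompressed P-256 points, clusters hosts that embed the same key, and flags loops that push many history entries. The sample scripts and keys are constructed for illustration, and the loop regex is a heuristic rather than a parser.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import urlsplit
# A VAPID public key is an uncompressed P-256 point (0x04 || X || Y): 65 bytes, which
# base64url-encodes to 87 characters that always begin with "B" (0x04 -> bits 000001).
VAPID_CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9_-])B[A-Za-z0-9_-]{86}(?![A-Za-z0-9_-])")
# A counted for-loop whose body calls history.pushState (the back-button hijack pattern).
# Heuristic only: it misses while-loops and pushState calls hidden behind aliases.
PUSHSTATE_LOOP_RE = re.compile(
    r"for\s*\([^;]*;[^<]*<\s*(\d+)\s*;[^)]*\)\s*\{?[^}]*?history\.pushState", re.S)

def extract_vapid_keys(script: str) -> set[str]:
    """Return tokens in a captured script that decode to a well-formed VAPID public key."""
    keys = set()
    for token in VAPID_CANDIDATE_RE.findall(script):
        raw = base64.urlsafe_b64decode(token + "=")  # 87 chars need one padding char
        if len(raw) == 65 and raw[0] == 0x04:
            keys.add(token)
    return keys

def pushstate_loop_count(script: str) -> int:
    """Largest loop bound of a loop that pushes history states, or 0 if there is none."""
    return max((int(n) for n in PUSHSTATE_LOOP_RE.findall(script)), default=0)

def cluster_by_vapid_key(pages: dict[str, str]) -> dict[str, set[str]]:
    """Map each VAPID key to the set of hosts whose captured scripts embed it."""
    clusters = defaultdict(set)
    for url, script in pages.items():
        for key in extract_vapid_keys(script):
            clusters[key].add(urlsplit(url).hostname)
    return dict(clusters)

def shared_keys(pages: dict[str, str]) -> dict[str, set[str]]:
    """Keys reused across more than one host: the report's clue to shared push infrastructure."""
    return {k: h for k, h in cluster_by_vapid_key(pages).items() if len(h) > 1}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample data: synthetic keys and landing-page snippets, not real campaign artifacts.
SHARED_KEY = _b64url(b"\x04" + bytes(range(1, 65)))
OTHER_KEY = _b64url(b"\x04" + bytes(range(64, 0, -1)))
SAMPLE_PAGES = {
    "https://offer-a.example/landing": f"""
        for (var i = 0; i < 10; i++) {{ history.pushState(null, '', '#s' + i); }}
        reg.pushManager.subscribe({{userVisibleOnly: true, applicationServerKey: urlB64ToUint8Array('{SHARED_KEY}')}});""",
    "https://bonus-b.example/go": f"r.pushManager.subscribe({{applicationServerKey: '{SHARED_KEY}'}});",
    "https://news.example/page": f"subscribe({{applicationServerKey: '{OTHER_KEY}'}});",
}
```

Run against scripts captured from many landing pages, `shared_keys` surfaces the cross-campaign reuse the report describes, while `pushstate_loop_count` separates monetization funnels from ordinary pages.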
The INTERPOL-led takedown last month removed the Sniper Dz platform, but Group-IB's findings show operators relied on legitimate web technologies — link-aggregation services, browser push APIs, and navigation tricks — to assemble a profitable fraud ecosystem. The reuse of a single VAPID key across diverse scams may help investigators trace infrastructure, but the techniques documented in the report underscore how easily everyday browser features can be repurposed for large-scale monetization and deception.
Original reporting: https://thehackernews.com/2026/06/sniper-dz-scams-target-mena-users-via.html