Full Report
Cybersecurity researchers have disclosed details of fraudulent activity targeting users across the Middle East and North Africa by employing various fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations. "These accounts promoted fake offers, including free mobile internet packages, financial compensation, and government subsidy programs," Group-IB
Analysis Summary
# Incident Report: Sniper Dz Phishing-as-a-Service (PhaaS) Campaign
## Executive Summary
Cybersecurity researchers at Group-IB have uncovered a multi-stage fraudulent operation orchestrated by the "Sniper Dz" PhaaS platform targeting users in the MENA region. The campaign leverages social engineering via Facebook to impersonate public figures and organizations, utilizing advanced browser manipulation techniques for traffic monetization and credential theft. Despite an INTERPOL-led takedown of the platform's primary infrastructure, the underlying monetization and notification ecosystems remain active.
## Incident Details
- **Discovery Date:** June 15, 2026 (Public Disclosure)
- **Incident Date:** Ongoing (Pre-dating May 2026 takedown)
- **Affected Organization:** Users of Facebook and customers of MENA-based entities (e.g., Algérie Télécom)
- **Sector:** Telecommunications, Government, Finance
- **Geography:** Middle East and North Africa (MENA), specifically Algeria
## Timeline of Events
### Initial Access
- **Date/Time:** 2024–2026
- **Vector:** Social Engineering / Malvertising
- **Details:** Attackers created fraudulent Facebook accounts impersonating politicians and trusted brands. These accounts promoted "free" government subsidies or internet packages to lure victims into clicking embedded links.
### Lateral Movement
- **Not applicable:** This was a consumer-facing fraud campaign, so "movement" happened along the victim funnel rather than across a corporate network. Attackers routed victims through "Link-in-bio" services (Linktree, Linkbio) so that the trusted intermediary domain, not the scam page, is what social media link filters see.
### Data Exfiltration/Impact
- **Details:** Credential theft (via phishing pages) and financial theft through unauthorized premium SMS subscriptions and premium-rate calls.
### Detection & Response
- **Discovery:** Group-IB identified shared VAPID keys across multiple distinct scam domains.
- **Response Actions:** INTERPOL conducted an operation in May 2026 to take down the Sniper Dz PhaaS infrastructure.
## Attack Methodology
- **Initial Access:** Fraudulent Facebook posts and impersonation accounts.
- **Persistence:** Abuse of Browser Push Notifications (VAPID) to send repeated malicious alerts even after the site is closed.
- **Defense Evasion:** Use of trusted intermediary domains (hxxps[://]linktr[.]ee), "Back-button Hijacking" (injecting history states), and "Tab-under" techniques to redirect users silently.
- **Credential Access:** Harvesting credentials via localized phishing landing pages.
- **Discovery:** Traffic Distribution Systems (TDS) used to fingerprint victims (IP, device, carrier) for tailored scams.
- **Exfiltration:** Redirection to premium-rate subscription services.
- **Impact:** Financial fraud via "monetization infrastructure" and browser-based "back-button prison."
## Impact Assessment
- **Financial:** Extensive illicit revenue generated via premium SMS and investment scams.
- **Data Breach:** Compromise of social media and telecom account credentials.
- **Operational:** Disruption of legitimate services for impersonated entities (e.g., Algérie Télécom).
- **Reputational:** Erosion of trust in Facebook as a platform and in the public figures/organizations impersonated.
## Indicators of Compromise
- **Network Indicators:**
  - Trusted link-aggregation domains used maliciously: `hxxps[://]linktr[.]ee/[redacted]` and `hxxps[://]linkbio[.]co/[redacted]`.
  - Shared VAPID public keys observed across regional campaigns.
- **Behavioral Indicators:**
  - Automated injection of 10+ browser history states.
  - Delayed "Tab-under" redirection scripts.
  - Unauthorized prompts for browser notification permissions.
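Group-IB's discovery (Detection & Response above) and the shared-key network indicator here rest on one observation: distinct scam domains presenting the same VAPID application-server key. The following is an added example, not Group-IB's tooling; it assumes each landing page was crawled and the `applicationServerKey` passed to `PushManager.subscribe()` was recorded, and every domain and key in it is a constructed placeholder.

```python
import base64
import binascii
from collections import defaultdict
from typing import Optional

def decode_vapid_key(key_b64url: str) -> Optional[bytes]:
    """Decode a base64url VAPID public key and check its shape: 65 bytes,
    0x04 || X || Y (uncompressed P-256 point, RFC 8292). Curve membership is
    not verified; the goal is only to drop junk before clustering."""
    padded = key_b64url + "=" * (-len(key_b64url) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except (ValueError, binascii.Error):
        return None
    if len(raw) != 65 or raw[0] != 0x04:
        return None
    return raw

def cluster_by_vapid_key(observations):
    """observations: (domain, applicationServerKey) pairs, one per crawled
    landing page. Returns (shared, malformed): shared maps a key fingerprint
    (first 16 hex chars) to the sorted domains presenting it, kept only when
    2+ distinct domains share the key; malformed lists domains whose key
    failed decode_vapid_key."""
    domains_by_key = defaultdict(set)
    malformed = []
    for domain, key in observations:
        raw = decode_vapid_key(key)
        if raw is None:
            malformed.append(domain)
            continue
        domains_by_key[raw.hex()[:16]].add(domain)
    shared = {fp: sorted(d) for fp, d in domains_by_key.items() if len(d) >= 2}
    return shared, malformed

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample data (not real campaign keys or domains): two well-formed
# keys, one shared by three unrelated-looking domains, plus one junk value.
KEY_A = _b64url(b"\x04" + bytes(range(1, 65)))
KEY_B = _b64url(b"\x04" + bytes(range(65, 129)))
SAMPLE_OBSERVATIONS = [
    ("offer-example-1.invalid", KEY_A),
    ("subsidy-example-2.invalid", KEY_A),
    ("internet-pack-example-3.invalid", KEY_A),
    ("unrelated-example-4.invalid", KEY_B),
    ("broken-example-5.invalid", "bm90LWEta2V5"),  # decodes to "not-a-key"
]
```

Running `cluster_by_vapid_key(SAMPLE_OBSERVATIONS)` groups the first three domains under one fingerprint and reports the fifth as malformed; a single key spanning unrelated brand-impersonation domains is the pivot that ties affiliate sites back to one notification backend.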
## Response Actions
- **Containment:** INTERPOL-led takedown of the Sniper Dz infrastructure.
- **Eradication:** Identification and flagging of malicious VAPID keys by Group-IB.
- **Recovery:** Public disclosure and intelligence sharing to block active redirection domains.
## Lessons Learned
- **Technology Abuse:** Modern fraud increasingly relies on abusing legitimate web features (VAPID, browser history API) rather than traditional malware files.
- **Ecosystem Persistence:** Taking down a PhaaS platform does not immediately neutralize the shared infrastructure (TDS and notification keys) used by affiliates.
- **Social Media Vulnerability:** Trusted "Link-in-bio" services remain a significant blind spot for automated social media moderation.
## Recommendations
- **User Training:** Educate users to recognize that government or telecom subsidies will rarely be distributed via third-party "Linktree" links on Facebook.
- **Technical Controls:** Organizations should monitor for their brands on social media and implement DMARC/look-alike domain monitoring.
- **Browser Security:** Encourage the use of browser settings that block or prompt for push notification requests by default.