Imagine scrolling through Facebook and seeing a post from what looks like your national telecom provider. Free mobile internet package. Click here to claim it.
You click. You follow the links. You press "Allow" on a browser notification prompt because the page says you need to confirm you are human.
Congratulations. You just enrolled yourself in a scam ecosystem that will bombard you with fraudulent offers, premium-rate calls, and subscription traps.
Group-IB researchers have uncovered a widespread Sniper Dz phishing-as-a-service campaign targeting users across the Middle East and North Africa.
The attackers use fake Facebook accounts impersonating politicians, public figures, and trusted organizations to push victims through a carefully designed monetization funnel.
No malware required. Just trust, clicks, and browser features.
Who Is Behind Sniper Dz?
Sniper Dz is a turnkey phishing-as-a-service platform. It was taken down last month in an INTERPOL-led operation. But the techniques it enables live on.
Group-IB analysts Anna Yurtaeva and Viacheslav Shevchenko detailed how the platform goes beyond simple credential theft.
It generates illicit revenue through:
1. Browser notification abuse
2. Premium SMS subscriptions
3. Premium-rate phone calls
4. Investment scams
The Sniper Dz phishing-as-a-service campaign is not a single actor. It is a platform that anyone can rent. And the victims are everywhere.
The Victim Funnel: How You Get Caught
The Sniper Dz phishing-as-a-service campaign uses a multi-stage funnel designed to trap users who would never fall for a simple phishing email.
Stage 1: Social Media Deceivers
The fraudsters set up fake Facebook profiles for well-known businesses, organizations and politicians such as:
1. An international telecom company (Algérie Télécom)
2. A national government funding program
3. A high-profile political figure
The con artists continue to post false offers for such things as permanent mobile internet service, cash rewards, and government support. The messages are written in the language and style local to the target audience, while still looking "professional."
Stage 2: Link Aggregator Disguise
Rather than sending victims directly to a malicious website, the campaign routes them through trusted link-aggregator services such as Linktree or Linkbio.
Why? Security tools are more likely to block an unknown domain than a well-known one, and Linktree has an established reputation as a legitimate, safe site. The fraudsters build decoy landing pages on these legitimate link-aggregator sites to serve as a clean middle layer before the victim is handed off to the "dirty" malicious site.
Stage 3: Browser Notification Exploit
The final destination of the victim is a website that requests permission to send notifications to the browser. The prompt says you need to click "Allow" to continue. Maybe it is a CAPTCHA. Maybe it is age verification.
Behind the scenes, code embedded in the page subscribes your browser to a push notification system using a VAPID (Voluntary Application Server Identification) public key.
Group-IB found the same VAPID key appearing across campaigns masquerading as Algerian telecom providers and investment scams targeting multiple regions. That tells researchers that a shared push-notification ecosystem is running all of this.
Stage 4: Back Button Hijacking
The same page also injects ten fake history entries into your browser. When you press the back button, instead of returning to where you came from, you are taken through an endless series of newly created, attacker-controlled pages.
Keeping users from leaving this "back button prison" holds them in the scam ecosystem longer, generating more ad impressions, more opportunities for further scams, and more revenue.
Stage 5: Tab-Under Redirections
If you click a link that opens a new browser tab, the original tab silently redirects to another attacker-controlled destination. You think you left. You did not.
The Sniper Dz phishing-as-a-service campaign continues driving traffic through its monetization infrastructure even after victims believe they have closed the tab.
The Monetization Phase
Once users are locked into the notification infrastructure, the real revenue generation begins. The system routes victims to a traffic distribution system (TDS) that decides which scam to present based on:
1. Device type
2. Geographic location
3. Mobile carrier
Potential outcomes include:
Premium-rate call scams. The victim is prompted to call a number. The call connects to a premium-rate line. Each minute costs money. The scammer gets a cut.
Subscription fraud via premium SMS services. The user is subscribed without their knowledge and charged to their phone bill once a week. The process of cancelling their subscription can be extremely complicated, if not impossible altogether.
Investment fraud. Fake trading platforms, "free" cryptocurrency and high-return schemes use a range of pitches to convince users to invest, with the sole aim of separating them from their money.
Why It Works
Because the Sniper Dz phishing-as-a-service campaign relies on legitimate web technologies rather than on malware or traditional phishing techniques:
1. Facebook is a well-known and trusted source.
2. Linktree is an established and trusted brand.
3. Browser notifications are a standard feature of every modern browser and of many legitimate services.
4. Push notifications continue running in the background even after the victim has closed the browser tab containing the push notification.
No browser blocks notification prompts by default, and no firewall will stop a victim from clicking a link to a Linktree page and starting the phishing cycle. A victim who clicks "Allow" stays a victim.
Who Is Targeted?
Group-IB's data indicates that the Sniper Dz phishing-as-a-service campaign targets users in the Middle East and North Africa region, with an emphasis on:
1. Algeria (impersonating telecom providers);
2. Various regions (investment scams).
The social engineering lures are localized: they are written in the language of the target country, and the fraudulent offer matches what a user would be looking for, such as free data, government assistance or financial aid.
How to Protect Yourself
The Sniper Dz phishing-as-a-service campaign does not require sophisticated technical defenses. It requires user awareness.
For individuals:
1. If you did not ask for a notification prompt to appear in your web browser, do not click Allow.
2. Always check which site a notification prompt comes from before allowing it (for example, is it really the website of the telecom provider you use?).
3. Do not rely on Facebook posts to verify an offer that seems too good to be true (free data, free money, government compensation). Check such offers through official channels only.
4. You can set your web browser’s default notification prompt to be blocked; then you can add your trusted sites to the list of allowed sites.
5. If you are stuck in a back-button loop, close the tab entirely. Do not keep clicking back.
For organizations:
1. User education on browser notification abuse. Unlike a phishing email, which users have been trained to recognise, a notification prompt has no such history and looks quite different.
2. If your users do not need notifications, consider using group policy to block them.
3. Check for any known malicious push notification campaigns using VAPID keys.
The Bigger Picture
Group-IB researchers put it clearly: "This campaign demonstrates how modern fraud operations increasingly rely on the abuse of legitimate web technologies rather than traditional malware."
The Sniper Dz phishing-as-a-service campaign is not innovative because of technical sophistication. It is innovative because it uses the web the way it was designed, just with malicious intent.
Browser notifications are convenient. Link aggregators are useful. Facebook is where people spend time. None of these are going away.
But now you know how they can be weaponized.
The Bottom Line
Sniper Dz was taken down by INTERPOL. But the playbook is public. The platform may be gone, but the technique is not.
If you see a Facebook post offering free mobile data, financial compensation, or government subsidies, be skeptical. If the link goes through Linktree or Linkbio, be more skeptical. If a page asks you to click "Allow" on a notification prompt just to continue, close it.
Your browser notifications are for news, calendar reminders, and maybe Slack. Not for verifying your humanity to claim a free SIM card.
FAQ Section
What is the Sniper Dz phishing-as-a-service campaign?
It is a fraudulent operation using fake Facebook accounts to impersonate trusted organizations, then redirecting victims through Linktree-like services to pages that abuse browser notifications and traffic monetization.
What are the facts behind this scam?
Scammers post fake ads on Facebook that victims click on. The ad directs the victim to a link-sharing website, and the final link leads to a page that asks for browser notification permissions. After allowing notifications, the victim is inside a monetization funnel that leads to premium-rate calls, premium SMS subscriptions and investment scams.
Who are the intended targets of these scams?
The scammers are primarily targeting individuals in the Middle East and North Africa, including Algeria, as most of the online ads are located there.
What is the VAPID Key Reuse Concern and Why Is It An Issue?
VAPID keys identify the application server behind a push notification subscription. Group-IB found the same VAPID keys shared and reused across many different frauds, indicating that these frauds run on a common push notification ecosystem.
What Actions Can I Take to Prevent Fraud?
Never click "Allow" on a browser notification prompt unless you requested it when you visited the page. Always validate any offer with an independent source. If an offer seems too good to be true, it usually is.
Has Sniper Dz been taken down?
Yes. Sniper Dz was taken down in an INTERPOL-led operation last month. However, the techniques used by the platform can be replicated by other attackers.