Group-IB says Sniper Dz operators used fake Facebook accounts, browser alerts, and scam routing systems to target users across the Middle East and North Africa.

Group-IB researchers said on June 15, 2026, that Sniper Dz operators targeted Facebook users across the Middle East and North Africa with fake offers from politicians, public figures, telecom brands, and trusted groups.
The scams promised free mobile data, compensation payments, and government subsidies. Attackers pushed users from Facebook posts to link pages, then to phishing and ad-fraud systems that abused browser notifications, premium SMS services, premium-rate calls, and investment scam pages.
Group-IB tied the activity to Sniper Dz, a phishing-as-a-service platform that law enforcement teams disrupted in an INTERPOL operation in May. The research shows how the operators kept earning money after credential theft, using browser features and traffic brokers to monetize each visit.
Fake offers gave the scams local cover
Group-IB analysts Anna Yurtaeva and Viacheslav Shevchenko said attackers created Facebook accounts that copied the names and imagery of figures and organizations that users in the region knew. In one example, scammers impersonated Algérie Télécom and promoted free internet packages.
The offer pages did not send users straight to a phishing site. Attackers first sent victims through link aggregation services such as Linktree and Linkbio. That choice gave the funnel a cleaner first impression, since many users have seen creators, brands, and small businesses use those services.
From there, the operators redirected users through intermediary domains. A traffic distribution system then chose the next page based on signals such as device type, location, and mobile carrier.
Browser alerts turned one click into repeat contact
Group-IB said the operators coded landing pages to ask users to click "Allow" before they could continue. That click gave the site permission to send browser push notifications.
The page used the Web Push API and a Voluntary Application Server Identification (VAPID) public key to subscribe the browser to a notification service. The VAPID key identifies the application server that will send the push messages, so the same key across pages points to the same sender.
Group-IB researchers saw the same VAPID public key across telecom-themed scams in Algeria and investment scams aimed at users in several regions. That reuse gave the researchers a link between campaigns that looked separate from the outside.
For defenders, that detail matters more than a single domain. Scam operators can replace landing pages fast, but shared keys, scripts, and routing patterns give investigators stronger infrastructure clues.
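One way to turn the VAPID reuse Group-IB observed into a check: pull the applicationServerKey a captured landing page passes to the Web Push API, keep only tokens that decode to a valid 65-byte uncompressed P-256 point, and group pages by key. This is an added example, not Group-IB's tooling; the keys and page fragments are constructed, and the `reg.pushManager.subscribe` snippet stands in for whatever subscription script a real page carries.

```python
import base64
import re
from collections import defaultdict

# Base64url of a 65-byte uncompressed P-256 point is 87 characters (88 with '=' padding);
# only treat such a token as a push key when the page actually calls pushManager.subscribe.
KEY_TOKEN_RE = re.compile(r"['\"]([A-Za-z0-9_-]{87}=?)['\"]")
PUSH_HINT_RE = re.compile(r"applicationServerKey|pushManager\.subscribe")

def b64url_decode(token: str) -> bytes:
    token = token.rstrip("=")
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))

def is_vapid_public_key(token: str) -> bool:
    """Web Push applicationServerKey: 65 bytes, leading 0x04 (uncompressed EC point)."""
    try:
        raw = b64url_decode(token)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 65 and raw[0] == 0x04

def extract_vapid_keys(html: str) -> set:
    """Normalised (unpadded) VAPID public keys a captured page hands to the browser."""
    if not PUSH_HINT_RE.search(html):
        return set()
    return {t.rstrip("=") for t in KEY_TOKEN_RE.findall(html) if is_vapid_public_key(t)}

def cluster_by_key(pages: dict) -> dict:
    """Key -> sorted pages embedding it, keeping only keys seen on two or more pages."""
    clusters = defaultdict(list)
    for url, html in pages.items():
        for key in extract_vapid_keys(html):
            clusters[key].append(url)
    return {k: sorted(v) for k, v in clusters.items() if len(v) > 1}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

# Constructed keys and page fragments standing in for captured landing pages; not real artefacts.
SUBSCRIBE = "<script>reg.pushManager.subscribe({userVisibleOnly: true, applicationServerKey: %s});</script>"
SHARED_KEY = _b64url(b"\x04" + bytes(range(1, 65)))
OTHER_KEY = _b64url(b"\x04" + bytes(range(65, 129)))
BOGUS_KEY = _b64url(b"\x02" + bytes(64))  # wrong prefix: browsers reject this as a server key
SAMPLE_PAGES = {
    "telecom-offer.example/allow.html": SUBSCRIBE % ("urlBase64ToUint8Array('%s')" % SHARED_KEY),
    "invest-bonus.example/claim.html": SUBSCRIBE % ('"%s="' % SHARED_KEY),  # padded form
    "loan-grant.example/index.html": SUBSCRIBE % ("'%s'" % OTHER_KEY),
    "fake-key.example/": SUBSCRIBE % ("'%s'" % BOGUS_KEY),
}
```

`cluster_by_key(SAMPLE_PAGES)` returns only the shared key, mapped to the telecom and investment pages, which is the kind of cross-campaign link the researchers describe; the lone key and the malformed one drop out.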
The pages trapped users in scam traffic
The operators also used browser history tricks. Group-IB said the pages injected 10 fake history states, so a user who pressed the back button stayed inside attacker-controlled pages or moved to another ad or scam page.
The researchers also described a tab-under technique. After a user clicked some links, the browser opened a new tab, and the original tab changed after a delay. The victim could think they left the scam page while the first tab continued through the operators' traffic system.
Those tactics served a clear business goal: keep the user inside the funnel long enough to sell traffic, show ads, push another scam, or trigger a paid subscription flow.
Sniper Dz shows a fraud model built on web features
Sniper Dz operators did not need to install malware to make money from many victims. They used Facebook trust, link page trust, browser notification permissions, and carrier-based billing paths.
That mix creates problems for users and defenders. A victim may see repeated browser alerts after leaving the original page. A carrier may see premium SMS or call charges. A security team may see scattered domains instead of one stable phishing kit.
Organizations in the region should treat fake subsidy and telecom offers as account-abuse incidents, not only phishing incidents. Security teams should monitor brand impersonation on Facebook, track link aggregation pages that reuse corporate names or logos, and report abusive notification domains to browser vendors and hosting providers.
Users should deny notification prompts on offer pages, leave pages that require "Allow" to continue, and review browser notification permissions after clicking a suspicious link. Chrome, Edge, Firefox, and Safari all let users remove site notification permissions from browser settings.
Telecom providers and public agencies can reduce victim trust in these scams by publishing benefit programs on one verified domain, pinning official social accounts, and warning customers that they will not ask users to activate browser notifications to claim aid or mobile data.