Cybersecurity researchers have disclosed details of fraudulent activity targeting users across the Middle East and North Africa by employing various fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations.
“These accounts promoted fake offers, including free mobile internet packages, financial compensation, and government subsidy programs,” Group-IB analysts Anna Yurtaeva and Viacheslav Shevchenko said.
“Victims were encouraged to click embedded links to claim the advertised benefits, but were instead redirected through a chain of intermediary websites that ultimately led to phishing and traffic monetization infrastructure.”
The Singapore-headquartered cybersecurity company has these campaigns to Sniper Dz, a turnkey phishing-as-a-service (PhaaS) platform that was taken down last month in an INTERPOL-led operation. The findings indicate that the platform goes beyond facilitating credential theft, generating illicit revenue via browser notification abuse, premium SMS subscriptions, premium-rate calls, and investment scams.
A “typical Sniper Dz scam victim funnel” begins with localized social engineering lures, with the scammers impersonating well-known telecom providers such as Algérie Télécom to promote fake offers, to direct users to domains hosted on Link in bio services that act as an intermediary layer between the social media post and the final destination.
“Rather than directing victims straight to a malicious website, the campaign first routes users through trusted link-aggregation platforms such as Linkbio and Linktree,” Group-IB researchers said. “The attackers create decoy landing pages on domains operated by these services.”
The attack ends with directing victims to a page that obtains browser notification permissions by prompting users to click “Allow” to continue. Behind the scenes, code embedded in the web page subscribes the web browser to a push notification system using a Voluntary Application Server Identification (VAPID) public key.
Group-IB said the same VAPID key has been observed across campaigns masquerading as telecommunications providers in Algeria and investment-related scams targeting users in multiple regions.
“Because VAPID public keys are used to identify the notification service responsible for delivering push messages, their reuse can provide valuable insight into underlying infrastructure relationships,” the company said. “The consistent appearance of the same key across otherwise distinct campaigns suggests that the operators are relying on a shared push-notification ecosystem rather than independent infrastructure.”
Furthermore, the page engages in back button hijacking by injecting 10 fake history states, tricking users into visiting sites that may serve unsolicited ads, or trapping them in a “back-button prison” and within attacker-controlled content to inflate ad impressions,…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
