Sniper Dz Scams Exploit Fake Facebook Offers to Target MENA Users

Cybersecurity experts have uncovered a series of scams targeting individuals in the Middle East and North Africa (MENA) region. These schemes utilize fraudulent Facebook accounts that impersonate politicians, public figures, and reputable organizations to lure victims.

These deceptive accounts promote enticing offers, such as free mobile internet packages, financial compensation, and government subsidies. Users are prompted to click on embedded links to claim these benefits. However, instead of receiving the promised rewards, they are redirected through a series of intermediary websites leading to phishing sites and monetization platforms.

Investigations have linked these campaigns to Sniper Dz, a phishing-as-a-service (PhaaS) platform that was dismantled in a recent INTERPOL-led operation. This platform not only facilitated credential theft but also generated illicit revenue through methods like browser notification abuse, premium SMS subscriptions, premium-rate calls, and investment scams.

Deceptive Tactics and Redirection Methods

The scam process typically begins with localized social engineering tactics. Scammers impersonate well-known telecom providers, such as Algérie Télécom, to promote fake offers. Victims are directed to domains hosted on link-aggregation services like Linkbio and Linktree, which serve as intermediaries between the social media post and the final malicious destination.

Instead of leading victims directly to a malicious site, the campaign first routes them through these trusted link-aggregation platforms. Attackers create decoy landing pages on domains operated by these services, adding a layer of legitimacy to their schemes.

Browser Notification Exploitation and User Manipulation

Once on the deceptive page, users are prompted to grant browser notification permissions by clicking “Allow” to proceed. Unbeknownst to them, this action subscribes their browser to a push notification system using a Voluntary Application Server Identification (VAPID) public key. Notably, the same VAPID key has been observed across multiple campaigns, including those masquerading as telecommunications providers in Algeria and various investment scams targeting users in different regions.

The consistent use of the same VAPID key across distinct campaigns suggests that the operators rely on a shared push-notification infrastructure rather than independent systems. This shared ecosystem enables the widespread dissemination of malicious notifications.

Additionally, the deceptive page employs back button hijacking by injecting multiple fake history states. This technique traps users within attacker-controlled content, making it difficult to navigate away from the site; the captive traffic also inflates ad impressions and keeps the victim exposed to further scams or malicious content.

Furthermore, the page implements a tab-under technique that activates when users interact with certain links. If a link opens a new browser tab, a delayed script silently redirects the original tab to another destination controlled by the attackers. This method ensures continued traffic through the redirection and monetization infrastructure, even after the victim believes they have left the site.
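As an added illustration (not code from the article or from the researchers it cites), the following JavaScript applies static heuristics for the three page behaviours described above (the VAPID-keyed push subscription, the history-state flood behind back button hijacking, and the delayed tab-under redirect) and clusters samples by the VAPID key they embed, which is how the shared-infrastructure observation above surfaces during analysis. The sample scripts and key values are constructed placeholders, not real indicators.

```javascript
// Added example: static triage heuristics for captured landing-page scripts.
// Regexes are deliberately loose; treat hits as leads for manual review.
const VAPID_RE = /applicationServerKey\s*[:=]\s*['"`]([A-Za-z0-9_-]{20,})['"`]/g;
const NOTIFY_RE = /Notification\.requestPermission|pushManager\.subscribe/;
const PUSHSTATE_RE = /history\.pushState/g;
// A setTimeout whose body navigates the current tab is the tab-under signature.
const TAB_UNDER_RE = /setTimeout\([\s\S]{0,200}?(location\.(replace|href|assign)|window\.location)/;
// pushState inside a loop is the history-flood signature.
const LOOPED_PUSH_RE = /for\s*\([^)]*\)\s*\{?[^}]*history\.pushState/;

function analyzeScript(src) {
  const keys = [...src.matchAll(VAPID_RE)].map((m) => m[1]);
  const pushCalls = (src.match(PUSHSTATE_RE) || []).length;
  return {
    vapidKeys: keys,
    notificationPrompt: NOTIFY_RE.test(src),
    historyFlood: pushCalls >= 3 || LOOPED_PUSH_RE.test(src),
    tabUnder: TAB_UNDER_RE.test(src),
  };
}

// Group sample names by the VAPID public key their script subscribes with;
// one key across unrelated lures points at shared push infrastructure.
function clusterByVapidKey(samples) {
  const clusters = new Map();
  for (const [name, src] of Object.entries(samples)) {
    for (const key of analyzeScript(src).vapidKeys) {
      if (!clusters.has(key)) clusters.set(key, []);
      clusters.get(key).push(name);
    }
  }
  return clusters;
}

// Constructed samples (placeholder key, not a real indicator).
const SAMPLES = {
  telecomLure: "Notification.requestPermission().then(()=>reg.pushManager.subscribe({userVisibleOnly:true,applicationServerKey:'BPLACEHOLDER_KEY_SHARED_0000000000'}));for(let i=0;i<10;i++){history.pushState(null,'',location.href)}",
  investLure: "reg.pushManager.subscribe({userVisibleOnly:true,applicationServerKey:'BPLACEHOLDER_KEY_SHARED_0000000000'});a.onclick=()=>{window.open(u);setTimeout(()=>{location.replace(r)},1500)}",
  benignPage: "document.querySelector('#btn').addEventListener('click',()=>history.pushState({p:1},'','?p=1'))",
};

for (const [name, src] of Object.entries(SAMPLES)) console.log(name, analyzeScript(src));
console.log(clusterByVapidKey(SAMPLES));
```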

These sophisticated tactics highlight the evolving nature of cyber threats in the MENA region. Users must remain vigilant, especially when encountering unsolicited offers on social media platforms. It’s crucial to verify the authenticity of such offers and be cautious of granting browser permissions or clicking on unfamiliar links. As cybercriminals continue to refine their methods, awareness and proactive measures are essential to safeguard personal information and financial assets.