A sophisticated Phishing-as-a-Service (PhaaS) platform known as SniperDz has been facilitating extensive online fraud, extending beyond mere credential theft. This service equips cybercriminals with comprehensive tools to execute large-scale, convincing scams, primarily targeting individuals in the Middle East and North Africa via social media platforms like Facebook and Instagram.
Attackers create fraudulent accounts that impersonate politicians, public figures, and reputable telecom companies. These accounts entice victims with fake offers such as free mobile internet packages, financial compensation, and government subsidies. Clicking on embedded links initiates a multi-stage redirect process, ultimately leading victims to phishing sites controlled by the attackers.
According to Group-IB, SniperDz operates as a centralized, turnkey Push-Notification-as-a-Service (PNaaS) and PhaaS affiliate ecosystem. It hosts over 50 ready-to-use phishing templates that mimic more than 70 globally recognized brands, enabling even individuals with minimal technical expertise to launch convincing phishing campaigns.
The platform’s catalog includes clone pages for financial services like PayPal, social media platforms, streaming services, and gaming marketplaces. To evade detection, SniperDz employs cloaking techniques that display benign error pages when security researchers or automated scanners are detected, allowing the malicious infrastructure to persist across multiple campaigns.
Investigations revealed a recurring Voluntary Application Server Identification (VAPID) public key across all examined samples, linking various campaigns to a shared monetization platform. Additionally, three IP addresses hosted by Horizon IS further confirmed the interconnected nature of the operation, supporting attribution to a unified ecosystem.
The typical attack begins with a localized social engineering lure through a fake social media post. Scammers impersonate well-known telecom providers, such as Algérie Télécom, promoting fake offers promising free mobile data or exclusive subscriber benefits. Victims are initially routed through trusted link-aggregation platforms like Linkbio and Linktree, where attackers create decoy landing pages that appear legitimate.
For instance, fanlnk.to, a domain associated with Linkbio, serves as an intermediary layer between the social media post and the final phishing destination. This strategy exploits the reputation of trusted services, making early attack stages appear normal to both victims and detection systems. Once victims pass the link-aggregation layer, they land on attacker-controlled infrastructure where tracking mechanisms and browser hijacking scripts are deployed.
SniperDz’s ability to provide a comprehensive suite of tools for cybercriminals underscores the evolving nature of PhaaS platforms. By offering ready-made templates and sophisticated evasion techniques, these services lower the barrier to entry for conducting large-scale phishing campaigns. This development highlights the need for continuous vigilance and advanced security measures to protect against increasingly sophisticated cyber threats.
Source: Cyber Security News
