Overview
Cybersecurity researchers have disclosed details of a widespread fraudulent campaign targeting users across the Middle East and North Africa (MENA) region. The operation, attributed to a threat group tracked as Sniper Dz, employs a combination of fake Facebook accounts, impersonation of public figures, and deceptive browser push notifications to funnel victims into credential-stealing phishing traps.
The campaign has been observed using hundreds of fraudulent social media accounts that impersonate politicians, celebrities, government ministries, and trusted regional organizations to promote fabricated offers — including free merchandise, lottery winnings, and subsidized government assistance programs.
Attack Vector: Fake Facebook Accounts
Sniper Dz's primary delivery channel relies on Facebook's high penetration across the MENA region. Threat actors create or compromise accounts that closely mimic legitimate pages, then use them to spread phishing links at scale. Observed tactics include:
- Cloning official pages of government agencies, telecom providers, and media outlets
- Promoting fake giveaways such as free mobile data SIMs, cash prizes, or discounted consumer goods
- Embedding malicious redirect links that direct users to credential-harvesting landing pages designed to mimic banking, email, or telecom portals
- Boosting posts through Meta's advertising infrastructure to reach larger audiences
The landing pages are convincingly localized — rendered in Arabic, French, or English depending on the target country — and often replicate the look and feel of the impersonated brand with high fidelity.
Browser Alert Abuse
In a secondary delivery technique, Sniper Dz exploits browser push notifications to maintain persistent contact with victims. When users visit a compromised or adversary-controlled website, a prompt requests permission to send browser notifications. Once granted, operators can:
- Push fake security alerts impersonating banks or government agencies
- Deliver fabricated "account suspended" or "prize claim" messages that appear as native OS notifications
- Drive return visits to phishing infrastructure from victims who have already left the initial page
This approach is particularly effective because browser notifications bypass traditional email spam filters and appear to originate from the operating system itself, lending them an air of legitimacy.
Sniper Dz: Phishing-as-a-Service Infrastructure
Researchers assess that Sniper Dz operates as a phishing-as-a-service (PhaaS) platform, enabling affiliates to launch targeted campaigns without deep technical expertise. Key features of the platform reportedly include:
- Pre-built, localized landing page templates for major MENA banks and telecoms
- Automated credential harvesting and real-time exfiltration to operator-controlled backends
- An administration panel for managing active campaigns, tracking victims, and updating lure content
- Support for Arabic, French, and English language targeting
Countries observed as targets include Jordan, Morocco, Egypt, Saudi Arabia, Tunisia, and the UAE, reflecting the platform's broad regional reach.
Why MENA Is a High-Value Target
The MENA region has become an increasingly attractive target for phishing operators due to:
- High social media adoption — Facebook penetration exceeds 70% in several MENA countries
- Rapid digital banking growth — Mobile payment and banking adoption has accelerated, creating a large pool of financially active targets
- Awareness gaps — Cybersecurity education and threat awareness remain lower than in Western markets in many parts of the region
- Politically sensitive environment — Impersonation of government figures or ministries is particularly effective in regions where citizens expect digital communications from authorities
Recommended Defenses
Individuals and organizations in the MENA region should take the following steps:
- Enable multi-factor authentication (MFA) on all social media, email, and banking accounts
- Revoke browser notification permissions for unfamiliar sites — navigate to browser Settings > Privacy > Notifications and audit existing permissions
- Verify URLs carefully before entering credentials, even when following links from what appear to be trusted social media pages
- Report suspicious Facebook pages using Meta's built-in reporting tools to accelerate takedown
- Train staff and family members to recognize social media impersonation patterns — including unsolicited giveaway offers and lottery winnings
- Use a password manager to prevent credential reuse and to detect when a landing page URL does not match the expected domain
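The notification-permission audit recommended above can be scripted for Chromium-based browsers. The following is an added example, not code from the original report: it assumes the Chromium profile `Preferences` JSON layout (`profile.content_settings.exceptions.notifications`, where `setting` 1 means allow), and the sample data and the trusted-host list are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

ALLOW = 1  # Chromium content-setting value: 1 = allow, 2 = block
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample of a Chromium profile "Preferences" file (assumed layout).
SAMPLE_PREFS = json.dumps({"profile": {"content_settings": {"exceptions": {"notifications": {
    "https://mail.example.com:443,*": {"last_modified": "13350000000000000", "setting": 1},
    "https://prize-claim.example.net:443,*": {"last_modified": "13360000000000000", "setting": 1},
    "https://news.example.org:443,*": {"last_modified": "13340000000000000", "setting": 2},
}}}}})

def webkit_to_utc(value):
    """Convert Chromium's microseconds-since-1601 timestamp to a UTC datetime."""
    try:
        return WEBKIT_EPOCH + timedelta(microseconds=int(value))
    except (TypeError, ValueError, OverflowError):
        return None

def audit_notification_grants(prefs_text, trusted_hosts=frozenset()):
    """Return [(origin, granted_at)] for allowed origins not in trusted_hosts, newest first."""
    prefs = json.loads(prefs_text)
    grants = (prefs.get("profile", {}).get("content_settings", {})
                   .get("exceptions", {}).get("notifications", {}))
    findings = []
    for pattern, entry in grants.items():
        if not isinstance(entry, dict) or entry.get("setting") != ALLOW:
            continue  # blocked or malformed entries cannot push notifications
        origin = pattern.split(",", 1)[0]  # key format is "origin,embedder"
        host = origin.split("://", 1)[-1].rsplit(":", 1)[0].lower()
        if host not in trusted_hosts:
            findings.append((origin, webkit_to_utc(entry.get("last_modified"))))
    findings.sort(key=lambda f: f[1] or WEBKIT_EPOCH, reverse=True)
    return findings

if __name__ == "__main__":
    # trusted_hosts is a hypothetical allowlist of sites the user knowingly subscribed to.
    for origin, when in audit_notification_grants(SAMPLE_PREFS, {"mail.example.com"}):
        print(f"review/revoke: {origin} (granted {when:%Y-%m-%d} UTC)" if when
              else f"review/revoke: {origin}")
```

Run it against a copy of the profile's `Preferences` file rather than the sample string; every origin it reports is a site that can still push notifications after the tab is closed.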
Conclusion
The Sniper Dz campaign illustrates the growing sophistication of regional phishing operations that combine social media infrastructure abuse with browser-native notification mechanisms. As threat actors continue to adapt their lures to local languages, cultural context, and trusted brand identities, both technical defenses and user awareness remain essential layers of protection across the MENA region.
Source: The Hacker News