Cybersecurity experts have uncovered a new scam targeting individuals across the Middle East and North Africa. The scam employs fraudulent Facebook accounts that mimic well-known politicians, public figures, and reputable organizations to deceive users.
Deceptive Online Offers
These accounts promote enticing but fake offers, such as free mobile internet, financial aid, and government subsidies. Unsuspecting victims are lured to click on embedded links, supposedly to claim these benefits, but are instead redirected to a series of intermediary websites leading to phishing sites and traffic monetization schemes.
According to analysts Anna Yurtaeva and Viacheslav Shevchenko from Group-IB, a Singapore-based cybersecurity company, the campaigns are linked to Sniper Dz, a phishing-as-a-service platform dismantled recently in an operation led by INTERPOL. This platform not only facilitates credential theft but also generates illegal revenue through browser notifications, premium SMS subscriptions, and investment scams.
Complex Scam Structure
The typical victim journey begins with local social engineering tactics. Scammers impersonate telecom companies like Algérie Télécom to promote fake offers, directing users to domains hosted on link aggregation platforms such as Linkbio and Linktree. These platforms serve as a bridge between social media posts and the scam’s final destination.
Victims are eventually led to a page that requests browser notification permissions, asking users to click “Allow” to continue. Behind the scenes, this action subscribes the browser to a push notification system using a shared VAPID public key, a method seen in various scams masquerading as telecom and investment offers in different regions.
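Because the key is shared, a defender who has saved the source of suspected landing pages can group them by the VAPID key they subscribe with. The following Python is an added example, not code from Group-IB or the campaign; the hostnames, page snippets and keys are constructed, and the key check is structural only (65 bytes with a 0x04 prefix).

```python
import base64
import re
from collections import defaultdict

# applicationServerKey as a string literal or wrapped in a helper call.
KEY_RE = re.compile(
    r"applicationServerKey\s*:\s*(?:\w+\()?\s*[\"']([A-Za-z0-9_-]{80,100})[\"']")

def decode_vapid_key(b64url):
    """Return raw bytes if shaped like an uncompressed P-256 point, else None."""
    try:
        raw = base64.urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw if len(raw) == 65 and raw[0] == 0x04 else None

def cluster_by_vapid_key(pages):
    """Map each well-formed VAPID key to the set of hosts that subscribe with it."""
    clusters = defaultdict(set)
    for host, source in pages.items():
        for candidate in KEY_RE.findall(source):
            if decode_vapid_key(candidate) is not None:
                clusters[candidate].add(host)
    return clusters

def shared_keys(pages, min_hosts=2):
    """Keys reused by at least min_hosts hosts: likely one push operator."""
    return {key: sorted(hosts)
            for key, hosts in cluster_by_vapid_key(pages).items()
            if len(hosts) >= min_hosts}

def _constructed_key(fill, prefix=0x04):
    """Build a placeholder key for the sample data (not a real VAPID key)."""
    raw = bytes([prefix]) + bytes([fill]) * 64
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample input: hostnames, snippets and keys are all made up.
KEY_A, KEY_B, BAD_KEY = (_constructed_key(0x11), _constructed_key(0x22),
                         _constructed_key(0x33, prefix=0x05))
SNIPPET = ('reg.pushManager.subscribe({userVisibleOnly: true, '
           'applicationServerKey: urlBase64ToUint8Array("%s")})')
SAMPLE_PAGES = {
    "telecom-offer.example": SNIPPET % KEY_A,
    "invest-bonus.example": SNIPPET % KEY_A,   # same key as the telecom lure
    "unrelated-shop.example": SNIPPET % KEY_B,
    "broken-page.example": SNIPPET % BAD_KEY,  # wrong prefix, ignored
}

if __name__ == "__main__":
    print(shared_keys(SAMPLE_PAGES))
```

A key that appears on otherwise unrelated lures is a pivot for blocklisting or takedown requests, since every subscription made with it is served by the same push sender.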
Advanced Manipulation Techniques
The scam also traps users with techniques such as back button hijacking, in which the page creates fake history states so that pressing Back does not leave the scam environment. This technique increases ad impressions and promotes unsolicited content.
The scam also uses a tab-under technique, where clicking a link opens a new tab, and a delayed script redirects the original tab to a scam-controlled site. This ensures the scam continues to operate even when victims think they have exited the site.
Once users are subscribed to the notification system, they are routed through a traffic distribution system that selects scams based on device type, location, and mobile carrier. These scams include premium-rate calls, SMS fraud, and investment schemes.
Significance and Future Outlook
This campaign highlights the evolution of fraud tactics, which now exploit legitimate web technologies instead of traditional malware. By leveraging trusted platforms and browser features, scammers effectively guide victims through an intricate monetization process.
As online scams become increasingly sophisticated, it is crucial for users to remain vigilant and for authorities to continue dismantling these networks. Understanding these methods is vital for enhancing cybersecurity measures and protecting users globally.
