Introduction
During an investigation into phishing activity targeting users across the Middle East and North Africa (MENA), Group-IB analysts identified multiple fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations. These accounts promoted fake offers, including free mobile internet packages, financial compensation, and government subsidy programs. Victims were encouraged to click embedded links to claim the advertised benefits, but were instead redirected through a chain of intermediary websites that ultimately led to phishing and traffic monetization infrastructure.
A deeper analysis of the underlying infrastructure revealed that these campaigns were not isolated incidents. By bypassing multiple layers of traffic cloaking and tracing the campaign’s telemetry, Group-IB researchers identified the centralized platform powering the operation: SniperDz, a turnkey Push-Notification-as-a-Service (PNaaS) and Phishing-as-a-Service (PhaaS) affiliate ecosystem.
The SniperDz platform provided an extensive library of 80 distinct phishing templates mimicking over 30 highly recognizable global brands. The platform’s catalog deliberately focuses on high-value targets across multiple industries, offering turnkey clone pages for financial services like PayPal, social media platforms like Facebook and Instagram, streaming services like Netflix, and gaming marketplaces like Steam. By leveraging the trusted identities of widely recognized organizations, operators can quickly deploy convincing scam campaigns with minimal technical expertise.

Figure 1: SniperDz platform offering ready-to-use phishing templates of global brands.
Historically, SniperDz has been associated with phishing and credential theft. However, this research shows that phishing is only one part of a broader monetization ecosystem. In addition to harvesting credentials, the platform generates revenue through browser notification abuse, premium SMS subscriptions, premium-rate calls, investment scams, and affiliate marketing schemes.
Group-IB researchers expose the hidden infrastructure behind SniperDz and demonstrate how threat actors abuse trusted services, evade security controls, and convert social media traffic into a scalable source of illicit revenue.
Key Discoveries
- Threat actors impersonate trusted public figures, politicians, telecommunications providers, and well-known brands to lure victims through social media campaigns.
- The operation abuses high-reputation link-aggregation services such as Linktree and Linkbio to conceal malicious destinations and evade automated security controls.
- The platform employs cloaking techniques that suppress malicious content and display benign error pages when security researchers, crawlers, or automated scanners are detected.
- Victims are funneled into browser notification abuse schemes designed to obtain persistent access through push-notification subscriptions.
- Analysis revealed browser history manipulation code that injects fake history entries, effectively creating a “back-button prison” making it difficult for users to leave the page.
- The infrastructure implements tab-under and redirection techniques to keep users within the scam ecosystem and maximize traffic monetization.
- The monetization engine dynamically tailors scam flows based on the victim’s location, device, and mobile carrier, redirecting users to premium SMS subscriptions, premium-rate call services, or other affiliate offers.
- A recurring VAPID (Voluntary Application Server Identification) public key was identified across multiple campaigns, providing a valuable infrastructure fingerprint that links otherwise distinct operations to a shared push-notification ecosystem.
- Investigation of the supporting infrastructure uncovered interconnected domains, IP addresses, and hosting resources associated with more than 900 suspicious domains.
- Financial scam campaigns utilize data-harvesting forms to collect personal information, which can be used for follow-on fraud, lead generation, or transfer to affiliated operators.
Who may find this blog interesting:
- Threat intelligence specialists
- Cyber investigators
- Computer Emergency Response Teams (CERT)
- Law enforcement investigators
- Cyber police forces
Group-IB Threat Intelligence Portal: SniperDz
Group-IB customers can access our Threat Intelligence portal for more information about the threat actor SniperDz and the scam mentioned in this blog.
Link in Bio
We have all seen them: Facebook posts or Instagram ads featuring a local politician, a beloved celebrity, or a major telecommunications company promising free internet data, financial assistance, or exclusive promotional rewards.

Figure 2: Example of a scam post with a malicious “link-in-bio” funnel.
At first glance, these campaigns appear to be legitimate marketing promotions. A closer look, however, reveals a sophisticated operation designed to exploit user trust. Behind the attractive offers lies a multi-stage scam ecosystem that leverages trusted web services, social media platforms, and browser features to evade detection and monetize victims.
In this blog, we examine a real-world scam infrastructure and trace its operation from the initial social media lure to the backend systems that drive traffic, harvest user permissions, and generate revenue for the operators. Along the way, we’ll show how threat actors abuse legitimate “link-in-bio” platforms and other trusted services to build an effective and scalable fraud operation.
Anatomy of the Funnel
Modern security systems on platforms such as Facebook are increasingly effective at detecting and blocking known malicious domains. As a result, threat actors have moved away from using direct phishing links. Instead, they rely on multi-stage redirection chains that abuse trusted services and legitimate infrastructure to conceal the true destination and evade automated detection.

Figure 3: Typical SniperDz scam victim funnel.
Phase 1 & 2: Reputation hijacking and the fake verification badge
In this example, the attack begins with a localized social engineering lure. To build trust, scammers impersonate well-known telecom providers such as Algérie Télécom, promoting fake offers that promise free mobile data, internet packages, or other exclusive benefits.
Rather than directing victims straight to a malicious website, the campaign first routes users through trusted link-aggregation platforms such as Linkbio and Linktree. The attackers create decoy landing pages on domains operated by these services. For example, fanlnk.to, a domain associated with Linkbio, which acts as an intermediary layer between the social media post and the final destination.
By abusing trusted link-aggregation platforms, the operators conceal the true destination of their campaigns while benefiting from the reputation of legitimate services. This intermediary layer helps the operation evade automated detection, as social media security systems are less likely to flag links hosted on well-established domains. As a result, the scam can spread more effectively through feeds, groups, and sponsored content before victims are redirected to attacker-controlled infrastructure.
The fake website promises free mobile data with the click of a button. In reality, the offer is nothing more than a lure. Regardless of which option a victim selects, all traffic is routed through the same attacker-controlled domain, which serves as the gateway to the broader scam infrastructure.
The page content was hardcoded in Arabic and crafted to mimic legitimate promotions from local telecommunications providers. The messaging used carrier-specific branding and localized social engineering themes, increasing the likelihood that victims would trust the offer and engage with the page.
Despite presenting multiple options and calls to action, the underlying code revealed that every button directed users to the same outbound tracking URL. Regardless of which option was selected, victims were funneled out of the link-aggregation service and into the attacker’s core infrastructure, where additional tracking, redirection, and monetization mechanisms were applied.
https://win.feezossl[.]xyz/?utm_medium=91164d58...&utm_campaign=test112
https://win.anababayala[.]com/?utm_medium=a412cbbd...&utm_campaign=aulgazer
Phase 3: The trap closes (browser hijacking)
The final stage of the funnel directs victims to a page designed to obtain browser notification permissions and maximize long-term engagement. As shown in Figure 5, the page presents a minimalist interface consisting of a loading spinner and a message instructing users to click “Allow” to continue.
The design creates the impression that a legitimate verification or processing step is underway. By presenting the notification request as a required part of the workflow, the page encourages users to grant browser permissions without questioning the request or understanding its implications.

Figure 5: Social engineering page prompting victims to grant browser notification permissions.
Behind the scenes, the page references the following VAPID public key used to register browser push-notification subscriptions:
BHR8bZ93X3YNBNQcN_dGRYtnWqdsJXR2bXqq3vhfBL1TpfZqrGKXYxATKGNHa25HyaghKK8ZiaFXbIgJqY2624A
Once loaded, the page prompts the user to allow notifications. If the user clicks “Allow,” the script creates a push subscription using this VAPID key and collects the resulting subscription token. The token, along with metadata such as the user’s language settings and tracking identifiers, is then transmitted back to the operator’s server.
During Group-IB analysis, the same VAPID key was observed across every sample examined, including campaigns impersonating telecommunications providers in Algeria and investment-related scams targeting users in multiple regions. Because VAPID public keys are used to identify the notification service responsible for delivering push messages, their reuse can provide valuable insight into underlying infrastructure relationships. The consistent appearance of the same key across otherwise distinct campaigns suggests that the operators are relying on a shared push-notification ecosystem rather than independent infrastructure.
As a result, the VAPID key serves as a useful infrastructure fingerprint, enabling analysts to cluster related activity and connect campaigns that would otherwise appear unrelated. While the observed campaigns used different lures, brands, and themes, the shared notification infrastructure points to a common monetization platform or affiliate ecosystem operating behind the scenes.
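As an added example of using the key as a fingerprint (this is not Group-IB's tooling), the Python below pulls VAPID public keys out of captured page scripts, checks that each one decodes to a genuine P-256 point, and matches it against the key quoted above; the sample script and its `/collect` endpoint are constructed.

```python
"""Triage helper (added example, not Group-IB's tooling): pull VAPID public keys
out of captured page scripts, sanity-check them, and match a known fingerprint."""
import base64
import re
from typing import Optional

# The key reported on this page for the SniperDz push-notification ecosystem.
KNOWN_VAPID_KEYS = {
    "BHR8bZ93X3YNBNQcN_dGRYtnWqdsJXR2bXqq3vhfBL1TpfZqrGKXYxATKGNHa25HyaghKK8ZiaFXbIgJqY2624A": "SniperDz",
}

# applicationServerKey is an uncompressed P-256 point: 0x04 || X || Y = 65 bytes,
# which base64url-encodes to exactly 87 characters beginning with "B".
VAPID_RE = re.compile(r"(?<![A-Za-z0-9_-])B[A-Za-z0-9_-]{86}(?![A-Za-z0-9_-])")

# NIST P-256 field prime and curve coefficient b (y^2 = x^3 - 3x + b mod p).
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def decode_vapid(token: str) -> Optional[bytes]:
    """base64url-decode a candidate; None unless it is a 65-byte 0x04-prefixed point."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw if len(raw) == 65 and raw[0] == 0x04 else None


def is_p256_point(raw: bytes) -> bool:
    """A genuine VAPID key decodes to a point on P-256; random bytes will not."""
    if len(raw) != 65 or raw[0] != 0x04:
        return False
    x, y = int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:], "big")
    if x >= P256_P or y >= P256_P:
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def scan_script(script: str) -> list:
    """One record per distinct VAPID-looking token found in a script body."""
    findings = []
    for token in dict.fromkeys(VAPID_RE.findall(script)):  # dedupe, keep order
        raw = decode_vapid(token)
        findings.append({
            "key": token,
            "well_formed": raw is not None,
            "on_curve": raw is not None and is_p256_point(raw),
            "known_cluster": KNOWN_VAPID_KEYS.get(token),
            "subscribes": "pushManager.subscribe" in script,
        })
    return findings


# Constructed sample modelled on the page's description: subscribe with the
# key, then post the subscription plus the victim's language back to a server.
SAMPLE_SCRIPT = """
var key = 'BHR8bZ93X3YNBNQcN_dGRYtnWqdsJXR2bXqq3vhfBL1TpfZqrGKXYxATKGNHa25HyaghKK8ZiaFXbIgJqY2624A';
navigator.serviceWorker.ready.then(function (reg) {
  return reg.pushManager.subscribe({userVisibleOnly: true, applicationServerKey: key});
}).then(function (sub) {
  fetch('/collect?lang=' + navigator.language, {method: 'POST', body: JSON.stringify(sub)});
});
"""

if __name__ == "__main__":
    for hit in scan_script(SAMPLE_SCRIPT):
        print(hit)
```

Because P-256 has cofactor 1, a decoded point that satisfies the curve equation is a usable public key, so `on_curve` separates real keys from look-alike strings a page might embed as decoys.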
Scammers do not rely solely on notification permissions to maintain access to victims. If users realize something is wrong and attempt to leave the page, they encounter additional mechanisms designed to prevent them from exiting the scam flow. Analysis of the page revealed browser history manipulation code that injects 10 fake entries into the victim’s navigation history. As a result, the Back button no longer behaves as expected. Instead of returning to the previous website, users are forced to cycle through a sequence of artificial history states, creating the illusion that they are navigating away while remaining on attacker-controlled content.
The page also implements a tab-under technique that activates when users interact with certain links. If a link opens a new browser tab, a delayed script silently redirects the original tab to another destination controlled by the operators. This allows the campaign to continue driving traffic through its redirection and monetization infrastructure even after the victim believes they have left the site.
Together, these techniques demonstrate a deliberate effort to maximize user retention and traffic value. By combining browser notification abuse with history manipulation and tab-under redirections, the operators make it significantly more difficult for users to escape the scam ecosystem. Once subscribed, victims can receive unsolicited advertisements, scam promotions, and other malicious content directly through their browser, even after the original webpage has been closed, while the browser manipulation techniques make it harder to leave the ecosystem in the first place.
Users who have granted notification permissions can revoke them through their browser’s settings. As shown in Figure 6, notification permissions are managed through the browser’s site settings, where users can review and remove websites that have been granted permission to send notifications.

Figure 6: Browser notification settings showing where users can review and revoke notification permissions granted to suspicious websites.
In most modern browsers, notification permissions can be managed through Settings → Privacy & Security → Site Settings → Notifications (the exact path varies by browser). Users should review the list of authorized websites and remove any unfamiliar or suspicious entries. Revoking the permission immediately prevents the site from sending further push notifications and helps reduce exposure to scam advertisements, phishing lures, and other unwanted content.
Monetization: Following the Money
Once victims are enrolled into the notification infrastructure or redirected through the traffic-routing network, the operation shifts from user acquisition to monetization.
Group-IB analysis shows that the actors operate a centralized traffic distribution system that evaluates factors such as device type, location, and mobile carrier before deciding which scam or affiliate offer to present. Rather than relying on traditional advertising, the infrastructure redirects victims into several revenue-generating schemes.
Premium-rate call scams
One monetization path involves premium-rate telephone services. After identifying the victim’s mobile network, the page displays a call-to-action encouraging them to call a number to claim a prize or verify eligibility for an offer.
In reality, the call connects victims to a premium-rate service where charges are billed directly through their mobile carrier. The operators earn a commission for each successful conversion, turning user engagement into immediate revenue.
Premium SMS subscription fraud
Another common path uses deceptive subscription workflows disguised as quizzes, surveys, or prize eligibility checks. Victims are presented with simple questions and prompted to continue through the process.
Behind the scenes, the interaction is designed to enroll users into premium SMS services that charge recurring fees through their mobile carrier account. These subscriptions can remain active until the victim identifies and cancels the service.
Investment and lead-generation scams
The infrastructure also routes traffic to fake investment opportunities and fraudulent news-style articles that mimic legitimate financial publications. These pages promote schemes such as cryptocurrency investments or stock trading platforms.
Victims are encouraged to submit personal information, including their name, email address, and phone number. The collected data is then transmitted to backend systems where it can be used for follow-up fraud, sold to third parties, or shared with other affiliate operators.
Together, these monetization tracks demonstrate that the operation is not focused on a single scam. Instead, it functions as a traffic brokerage ecosystem, continuously redirecting victims toward whichever offer generates the highest return based on their profile and location.
Connecting the Broader SniperDz Ecosystem
During the research, another domain, aff.bnaosf1he[.]shop, was uncovered (Figure 7) in addition to win.feezossl[.]xyz and win.anababayala[.]com. It was observed in a campaign impersonating a prominent political figure in the MENA region.
Further investigation using Group-IB Graph revealed that these domains resolved to a cluster of infrastructure associated with the campaign, including 65.60.9[.]236, 108.178.23[.]118 and 184.154.10[.]254. All three IP addresses were hosted by Horizon IQ (horizoniq.com). This common hosting footprint represents an additional infrastructure overlap between the observed domains and supports their attribution to the same operational ecosystem.
Pivoting on these indicators uncovered additional links. Notably, 65.60.9[.]236 was associated through historical DNS records with offer.raviral[.]com, a domain that has already been identified as part of the SniperDz ecosystem.

Figure 7: Group-IB Graph showing connections of phishing domains associated with the SniperDz ecosystem.
The scale of the infrastructure is significant. Collectively, these IP addresses are associated with more than 900 suspicious domains, highlighting the extensive reach of the operation and suggesting a centralized platform supporting numerous phishing and fraud campaigns.
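As an added example of this kind of pivot (not Group-IB Graph or its data), the Python below builds an indicator graph from constructed passive-DNS records that reproduce the domain-to-IP relationships described above and walks the shortest evidence chain between two indicators; the `shop.example`/`blog.example` hosts and the `constructed-host` provider are assumptions.

```python
"""Infrastructure pivot (added example, not Group-IB Graph): connect defanged
domains and IPs through shared resolution and hosting records, then show the
evidence chain that ties one indicator to another."""
import re
from collections import defaultdict, deque


def refang(indicator: str) -> str:
    """Normalise 'win.feezossl[.]xyz' / 'Win[.]anababayala[.]com' to plain lowercase."""
    return re.sub(r"\[\.\]", ".", indicator.strip().lower())


# Constructed resolution records in (domain, ip) form, as passive DNS would
# return them: the page's indicators plus two unrelated documentation hosts.
RECORDS = [
    ("win.feezossl[.]xyz", "65.60.9[.]236"),
    ("win.anababayala[.]com", "108.178.23[.]118"),
    ("aff.bnaosf1he[.]shop", "184.154.10[.]254"),
    ("offer.raviral[.]com", "65.60.9[.]236"),  # historical record per the page
    ("shop.example", "203.0.113.10"),           # unrelated, RFC 5737 range
    ("blog.example", "203.0.113.10"),
]
# Hosting provider per IP; the page attributes all three campaign IPs to Horizon IQ.
HOSTING = {"65.60.9.236": "Horizon IQ", "108.178.23.118": "Horizon IQ",
           "184.154.10.254": "Horizon IQ", "203.0.113.10": "constructed-host"}


def build_graph(records, hosting, link_by_hoster=False):
    """Undirected indicator graph. A shared IP is a strong link; a shared hosting
    provider is weak evidence, so it is only added when explicitly requested."""
    graph = defaultdict(set)
    for domain, ip in records:
        d, i = refang(domain), refang(ip)
        graph[d].add(i)
        graph[i].add(d)
    if link_by_hoster:
        by_host = defaultdict(set)
        for ip, host in hosting.items():
            by_host[host].add(refang(ip))
        for ips in by_host.values():
            for ip in ips:
                graph[ip] |= ips - {ip}
    return graph


def pivot_path(graph, src, dst):
    """Shortest chain of indicators from src to dst (the analyst's evidence trail)."""
    src, dst = refang(src), refang(dst)
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def clusters(graph):
    """Connected components, each a candidate campaign cluster."""
    seen, out = set(), []
    for start in sorted(graph):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(graph[node])
        seen |= comp
        out.append(sorted(comp))
    return out
```

With IP links only, win.feezossl[.]xyz reaches offer.raviral[.]com through 65.60.9[.]236 but not aff.bnaosf1he[.]shop; enabling `link_by_hoster` merges the three campaign clusters while leaving the unrelated `.example` hosts separate, which mirrors why the shared hoster is treated as corroboration rather than proof.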
Conclusion
This investigation revealed that what appeared to be isolated social media scams were actually part of a larger, organized ecosystem built around phishing, browser notification abuse, and traffic monetization. By abusing trusted platforms, link-aggregation services, and browser features, the operators created a multi-stage funnel capable of reaching victims at scale while evading traditional detection mechanisms.
The infrastructure artifacts uncovered during this research, including shared routing domains, hosting infrastructure, and a recurring VAPID public key, enabled us to link multiple campaigns together and expose the broader ecosystem behind them.
While the specific domains and lures may change over time, the techniques documented in this report remain highly effective and continue to be used across phishing, subscription fraud, and investment scam campaigns. Understanding the infrastructure behind these operations is critical to identifying and disrupting them before they reach new victims.
Recommendations
This campaign demonstrates how modern fraud operations increasingly rely on the abuse of legitimate web technologies rather than traditional malware. Instead of infecting devices, the operators exploit trusted platforms, browser features, and social engineering techniques to guide victims through a carefully designed monetization funnel.
To reduce the risk of exposure to similar campaigns:
- Verify promotions through official channels. Be cautious of social media posts offering free mobile data, financial assistance, government subsidies, or investment opportunities. Always confirm promotions directly through the official website or social media account of the organization being impersonated.
- Be wary of multi-stage redirects. Legitimate promotions rarely require users to navigate through multiple intermediary websites before reaching their destination. Redirection chains involving link-aggregation services and unrelated domains should be treated as suspicious.
- Treat notification requests with caution. Legitimate telecommunications providers, government agencies, and financial institutions do not require browser notification permissions to deliver rewards or promotional offers. Unexpected requests to click “Allow” should be considered a warning sign.
- Review browser notification permissions regularly. Remove any unfamiliar or suspicious websites from the browser’s notification settings. In most browsers, these permissions can be found under Settings → Privacy & Security → Site Settings → Notifications.
- Monitor mobile carrier charges. Users who interact with suspicious promotions should review their mobile phone bills for unauthorized premium SMS subscriptions or premium-rate call charges and contact their carrier if suspicious activity is detected.
- Report fraudulent social media accounts. Reporting impersonation accounts and scam advertisements helps reduce the reach of these campaigns and limits their ability to target additional victims.
Indicators of Compromise (IOCs)
Network IOCs
- win.feezossl[.]xyz
- win.anababayala[.]com
- aff.bnaosf1he[.]shop
- raviral[.]com
- 65.60.9[.]236
- 108.178.23[.]118
- 184.154.10[.]254
DISCLAIMER: All technical information, including malware analysis, indicators of compromise and infrastructure details provided in this publication, is shared solely for defensive cybersecurity and research purposes. Group-IB does not endorse or permit any unauthorized or offensive use of the information contained herein. The data and conclusions represent Group-IB’s analytical assessment based on available evidence and are intended to help organizations detect, prevent, and respond to cyber threats.
Group-IB expressly disclaims liability for any misuse of the information provided. Organizations and readers are encouraged to apply this intelligence responsibly and in compliance with all applicable laws and regulations.
This blog may reference legitimate third-party services such as Linktree, Linkbio and others, solely to illustrate cases where threat actors have abused or misused these platforms.
This material is provided for informational purposes, prepared by Group-IB as part of its own analytical investigation, and reflects recently identified threat activity.
All trademarks referenced herein are the property of their respective owners and are used solely for informational purposes, without any implication of affiliation or sponsorship.