
Hackers Abuse SniperDz PhaaS Ecosystem for Brand Impersonation and Browser Hijacking

Jun 12, 2026 · 5 min read
A sophisticated Phishing-as-a-Service (PhaaS) platform called SniperDz has been quietly enabling a wide range of online fraud that goes far beyond basic credential theft.

The platform provides cybercriminals with a ready-made toolkit to run convincing scams at scale, targeting victims across the Middle East and North Africa through social media platforms like Facebook and Instagram.

Fraudulent accounts impersonating politicians, public figures, and trusted telecom companies lured victims with fake offers including free mobile internet packages, financial compensation, and government subsidy programs.

When victims clicked embedded links, they were not taken to a legitimate site. Instead, they were funneled through a multi-stage redirect chain that ultimately delivered them to phishing infrastructure controlled by the attackers.

Analysts from Group-IB said in a report shared with Cyber Security News (CSN) that by tracing the campaign’s telemetry and bypassing multiple traffic cloaking layers, they identified SniperDz as a centralized, turnkey Push-Notification-as-a-Service (PNaaS) and PhaaS affiliate ecosystem.

The platform hosts more than 50 ready-to-use phishing templates impersonating over 70 globally recognized brands, making it easy for even low-skilled operators to launch convincing campaigns with minimal technical knowledge.

SniperDz’s catalog targets high-value categories, offering clone pages for financial services like PayPal, social media platforms, streaming services, and gaming marketplaces.

The platform uses cloaking techniques that display benign error pages whenever security researchers or automated scanners are detected, making it difficult to identify and dismantle malicious infrastructure.

This evasion capability allowed the ecosystem to operate across multiple campaigns over a sustained period.

The investigation found a recurring VAPID (Voluntary Application Server Identification) public key shared across all examined samples. A push service ties every subscription to the application server key that created it, and only the holder of the matching private key can send to those subscriptions, so one key reused across otherwise unrelated lures means one operator collects every resulting subscription. That made the key a critical infrastructure fingerprint linking otherwise separate campaigns to one shared monetization platform.

Three IP addresses, all hosted by Horizon IS, further confirmed the interconnected nature of the operation and supported attribution to a single unified ecosystem.

Hackers Abuse SniperDz PhaaS Ecosystem

The attack typically begins with a localized social engineering lure through a fake social media post.

Scammers impersonate well-known telecom providers, such as Algérie Télécom, promoting fake offers promising free mobile data or exclusive subscriber benefits.

Victims are first routed through trusted link-aggregation platforms like Linkbio and Linktree, where attackers create decoy landing pages that appear entirely legitimate at first glance.

For example, fanlnk.to, a domain associated with Linkbio, served as an intermediary layer between the social media post and the final phishing destination.

Typical SniperDz scam victim funnel (Source: Group-IB)

This approach exploits the reputation of trusted services, making early attack stages appear normal to both victims and detection systems.

Once victims pass the link-aggregation layer, they land on attacker-controlled infrastructure where tracking, redirection, and monetization mechanisms are applied.

Browser Hijacking and Multi-Track Monetization

The final stage of the funnel directs victims to a page designed to capture browser notification permissions.

The page presents a minimal interface with a loading spinner and a message prompting users to click “Allow” to continue, creating the impression that a legitimate verification step is underway.

Victims grant the permission without realizing what they have agreed to. Behind the scenes, the page registers a Web Push subscription using the shared VAPID public key as the application server key, then transmits the resulting subscription details (the push endpoint and its keys) along with metadata such as the browser language back to the operator's server. From that point the operator, holding the matching private key, can push messages to that browser at will.

The page also runs history-manipulation code that pushes 10 fake entries onto the victim's navigation history (the History API lets a page add entries without loading anything), creating what researchers called a "back-button prison": pressing Back only steps through the fake entries and never leaves the page.

A tab-under technique covers the other escape route: when the victim's click opens a new tab, the page silently redirects the original tab in the background to an attacker-controlled destination.

Once subscribed, victims receive unsolicited advertisements, scam promotions, and malicious content directly through their browser, even after the original page closes.
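The VAPID fingerprint and the permission-page behaviour described above lend themselves to a concrete triage check. The following Node.js script is an added example, not code from Group-IB, Cyber Security News or the SniperDz kit: it scans a page's JavaScript for the push-subscription, back-button-prison and tab-under markers the article describes, extracts any `applicationServerKey` literal, and validates that key as a genuine VAPID public key (an uncompressed P-256 point) before it is used as a pivot. The regex heuristics, the pattern names, and the sample page script are assumptions; the sample uses the P-256 generator point as its key so the validator has a known-good input.

```javascript
// Added example (not Group-IB's or SniperDz's code): triage a page script for the
// push-hijack behaviours described in the article and validate its VAPID public key.

// P-256 field prime, curve constant b (a = -3) and the generator G; G is only used
// below to construct a known-good sample key.
const P256_P = BigInt('0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF');
const P256_B = BigInt('0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B');
const P256_GX = '6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296';
const P256_GY = '4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5';

function base64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 ? '='.repeat(4 - (b64.length % 4)) : '';
  return Buffer.from(b64 + pad, 'base64');
}

function base64urlEncode(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function mod(a, m) {
  const r = a % m;
  return r < 0n ? r + m : r;
}

// A VAPID public key (RFC 8292) is 0x04 || X || Y: 65 bytes, 87 base64url characters.
// Anything else could never have been accepted by a push service as applicationServerKey.
function vapidKeyInfo(key) {
  const raw = base64urlDecode(key);
  if (raw.length !== 65) return { ok: false, reason: `decoded to ${raw.length} bytes, expected 65` };
  if (raw[0] !== 0x04) return { ok: false, reason: 'missing 0x04 uncompressed-point prefix' };
  const x = BigInt('0x' + raw.subarray(1, 33).toString('hex'));
  const y = BigInt('0x' + raw.subarray(33, 65).toString('hex'));
  if (x >= P256_P || y >= P256_P) return { ok: false, reason: 'coordinate outside the field' };
  // Curve equation y^2 = x^3 - 3x + b (mod p); a point that fails it is not a P-256 key.
  const lhs = mod(y * y, P256_P);
  const rhs = mod(x * x * x - 3n * x + P256_B, P256_P);
  if (lhs !== rhs) return { ok: false, reason: 'point is not on P-256' };
  return { ok: true, reason: 'valid uncompressed P-256 point' };
}

// Source-level markers for the behaviours the article describes. These regexes are
// assumed heuristics, not Group-IB's detection logic, and miss minified/obfuscated code.
const HIJACK_PATTERNS = [
  { name: 'push-subscribe', re: /pushManager\s*\.\s*subscribe\s*\(/ },
  { name: 'notification-permission', re: /Notification\s*\.\s*requestPermission\s*\(/ },
  { name: 'history-flood', re: /for\s*\([^)]*\)\s*\{?[^}]*history\s*\.\s*pushState/ },
  { name: 'popstate-trap', re: /addEventListener\s*\(\s*['"]popstate['"]/ },
  { name: 'tab-under', re: /window\s*\.\s*open\s*\([^)]*\)[\s\S]{0,200}?(?:window\s*\.\s*)?location(?:\s*\.\s*href)?\s*=[^=]/ },
];

// Matches applicationServerKey: '<key>' or applicationServerKey: helper('<key>').
const KEY_RE = /applicationServerKey\s*:\s*(?:\w+\s*\()?\s*['"]([A-Za-z0-9_-]{20,})['"]/g;

function triageScript(src) {
  const hits = HIJACK_PATTERNS.filter((p) => p.re.test(src)).map((p) => p.name);
  const keys = [...src.matchAll(KEY_RE)].map((m) => ({ key: m[1], ...vapidKeyInfo(m[1]) }));
  // A push subscription alone is normal on many sites; combined with exit traps it is not.
  const suspicious = hits.includes('push-subscribe') && hits.length >= 3;
  return { hits, keys, suspicious };
}

// Constructed sample page script modelled on the article's description, not captured
// SniperDz code. The key is the P-256 generator so the validator has a known-good input.
const SAMPLE_VAPID_KEY = base64urlEncode(Buffer.from('04' + P256_GX + P256_GY, 'hex'));
const SAMPLE_PAGE_SCRIPT = `
Notification.requestPermission().then(function (perm) {
  if (perm !== 'granted') return;
  navigator.serviceWorker.register('/sw.js').then(function (reg) {
    return reg.pushManager.subscribe({
      userVisibleOnly: true,
      applicationServerKey: urlBase64ToUint8Array('${SAMPLE_VAPID_KEY}')
    });
  }).then(function (sub) {
    fetch('/collect', { method: 'POST', body: JSON.stringify({ sub: sub, lang: navigator.language }) });
  });
});
for (var i = 0; i < 10; i++) { history.pushState({}, '', location.href + '#' + i); }
window.addEventListener('popstate', function () { history.pushState({}, '', location.href); });
document.addEventListener('click', function () {
  window.open(location.href, '_blank');
  window.location.href = 'https://example.invalid/offer';
});
`;

console.log(JSON.stringify(triageScript(SAMPLE_PAGE_SCRIPT), null, 2));
```

Run it against the script of a suspect landing page (fetched through a sandbox, since the page cloaks against scanners) and pivot on a key only when `vapidKeyInfo` reports `ok: true`: a real VAPID public key is exactly 65 bytes, so a key that decodes to any other length has been truncated or mistranscribed somewhere between the sample and the report, and should be re-checked against the original source before it goes into a blocklist or a hunt query.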

Users who suspect exposure should review and revoke browser notification permissions through their browser’s site settings immediately.

Redirection chains involving link-aggregation services and unrelated domains should be treated as suspicious, and unexplained premium SMS subscription charges should be reported to the mobile carrier right away.

Indicators of Compromise (IoCs):

Type | Indicator | Description
--- | --- | ---
Domain | win.feezossl[.]xyz | Attacker-controlled redirect/tracking domain used in the scam funnel
Domain | win.anababayala[.]com | Attacker-controlled redirect/tracking domain used in the scam funnel
Domain | aff.bnaoswhye[.]shop | Additional phishing domain associated with the SniperDz campaign
Domain | raviral[.]com | Domain previously identified as part of the SniperDz ecosystem
IP address | 85.85.9[.]245 | Hosted by Horizon IS; associated with SniperDz phishing infrastructure
IP address | 172.172.45[.]112 | Hosted by Horizon IS; associated with SniperDz phishing infrastructure
IP address | 172.162.12[.]452 | Hosted by Horizon IS; associated with SniperDz phishing infrastructure (reproduced as published; 452 is not a valid IPv4 octet, so confirm the address against the Group-IB report before acting on it)
VAPID public key | BHR8bZ93X3YNBNQcN_dGRYtnWqdsJXR2bXqq3vhfBL1TpfZqrGKXYxATKGNHa25HyaghKK8ZiaFXbIgJqY2624 | Recurring VAPID public key used across multiple SniperDz campaigns to register browser push subscriptions
URL | https://win.feezossl[.]xyz/?utm_medium=91164d58…&utm_campaign=test112 | Sample redirect URL observed in the victim funnel
URL | https://win.anababayala[.]com/?utm_medium=a412cbbd…&utm_campaign=aulgazer | Sample redirect URL observed in the victim funnel

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
