Researchers at Group-IB have pulled back the curtain on SniperDz, a turnkey criminal service that lets low-skilled fraudsters spin up convincing fake login pages and scam funnels in minutes, then turns stolen social media clicks into a steady stream of illicit revenue. The platform sits behind a wave of scams that Group-IB first spotted while investigating fraudulent Facebook accounts impersonating politicians, celebrities, and trusted brands across the Middle East and North Africa.
SniperDz operates as both Phishing-as-a-Service (PhaaS) and Push-Notification-as-a-Service (PNaaS), meaning it rents out ready-made phishing kits and the plumbing to abuse browser notifications. Its catalog includes 80 distinct templates cloning more than 30 well-known brands, among them PayPal, Facebook, Instagram, Netflix, and Steam, so an affiliate can launch a credible scam with almost no technical skill.
How the scam works
The lures usually start as social media posts promising free mobile data, government subsidies, or cash compensation. To slip past platform defenses that block known bad links, the operators route victims through trusted link-in-bio services such as Linktree and Linkbio before landing them on the real scam infrastructure. Cloaking code detects security crawlers and scanners and shows them harmless error pages, while real victims are funneled deeper.
Once a victim arrives, the platform squeezes value from them in several ways. It pushes browser notification subscriptions for persistent access, injects fake browser history entries to create what Group-IB calls a back-button prison that traps users on the page, and uses tab-under and redirection tricks to keep them inside the scam. A monetization engine tailors the flow to each visitor's location, device, and mobile carrier, steering them toward premium SMS subscriptions, premium-rate calls, investment scams, or data-harvesting forms.
How widespread it is
Group-IB says the supporting infrastructure spans more than 900 suspicious domains, tied together by shared hosting and a recurring VAPID push-notification key that acts as a fingerprint linking otherwise separate campaigns. That reuse let analysts connect operations that looked unrelated on the surface.
What you should do
Be wary of social media offers that sound too good to be true, especially free data or government payouts promoted through link-in-bio pages. Never grant browser notification permission to an unfamiliar site, and review the notification permissions already granted in your browser settings. Security teams can use the indicators below, and the VAPID-key fingerprinting described by Group-IB, to hunt for related infrastructure. The subscription model mirrors the SilabRAT crypto-stealer service, another sign of crimeware now sold like software.
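The VAPID-key reuse Group-IB used to link campaigns can be turned into a simple hunting check, shown here in Python as an added example that is not from the Group-IB report or the IntelFusions briefing; the key values and domains are constructed placeholders, and the page sources would in practice come from your own crawl of suspect hosts.

```python
"""Cluster suspicious domains by the VAPID public key their pages embed.

A page that subscribes a browser to push notifications passes an
applicationServerKey: the operator's VAPID public key, a 65-byte uncompressed
P-256 point (0x04 || X || Y). Its base64url form is therefore always 87 chars
and starts with 'B'. One key pair reused across throwaway domains is a
fingerprint that survives domain rotation.
"""
import base64
import re
from collections import defaultdict

# base64url text of exactly 87 chars starting with 'B', not embedded in a
# longer base64url run, so a key inside quotes or a call is matched whole.
VAPID_KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])B[A-Za-z0-9_-]{86}(?![A-Za-z0-9_-])")

def extract_vapid_keys(page_source: str) -> set:
    """Return every VAPID-shaped key found in a page or service-worker body."""
    return set(VAPID_KEY_RE.findall(page_source))

def cluster_by_vapid_key(pages: dict) -> dict:
    """Map each VAPID key to the set of domains whose source embeds it."""
    clusters = defaultdict(set)
    for domain, source in pages.items():
        for key in extract_vapid_keys(source):
            clusters[key].add(domain)
    return dict(clusters)

def shared_keys(clusters: dict, min_domains: int = 2) -> dict:
    """Keys seen on at least min_domains domains: likely one operator."""
    return {k: sorted(d) for k, d in clusters.items() if len(d) >= min_domains}

def fake_vapid_key(seed: int) -> str:
    """Constructed placeholder key with the real 0x04-prefixed P-256 shape."""
    point = b"\x04" + bytes((seed + i) % 256 for i in range(64))
    return base64.urlsafe_b64encode(point).rstrip(b"=").decode()

KEY_A, KEY_B = fake_vapid_key(1), fake_vapid_key(200)

# Constructed sample page sources; the domains are placeholders, not IoCs.
SAMPLE_PAGES = {
    "lure-one.example": "reg.pushManager.subscribe({userVisibleOnly: true, "
                        f"applicationServerKey: urlB64ToUint8Array('{KEY_A}')}})",
    "lure-two.example": f"const VAPID_PUBLIC = '{KEY_A}';  // same operator key",
    "unrelated.example": f"applicationServerKey: '{KEY_B}'",
    "plain.example": "<html><body>no push code here</body></html>",
}

if __name__ == "__main__":
    for key, domains in shared_keys(cluster_by_vapid_key(SAMPLE_PAGES)).items():
        print(f"{key[:12]}... shared by {', '.join(domains)}")
```

Keys that cluster two or more otherwise unrelated domains are the ones worth pivoting on; a key seen on a single host is just a normal push-enabled site until further evidence says otherwise.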
Indicators of compromise
- hxxps://win[.]feezossl[.]xyz/
- hxxps://win[.]anababayala[.]com/
- 65[.]60[.]9[.]236
- 108[.]178[.]23[.]118
- 184[.]154[.]10[.]254
Full technical detail is available in the original Group-IB report.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.