SniperDz PhaaS Platform Arms Criminals with 70+ Brand Impersonation Templates

Group-IB researchers uncovered a turnkey PhaaS platform enabling brand impersonation and browser hijacking through social media lures across the Middle East and North Africa.

CSBadmin

How SniperDz Operates

A Phishing-as-a-Service (PhaaS) platform known as SniperDz is enabling large-scale online fraud across the Middle East and North Africa, according to researchers at Group-IB. The service provides cybercriminals with a turnkey toolkit that includes over 50 ready-to-use phishing templates impersonating more than 70 well-known global brands. The platform targets social media users on Facebook and Instagram with fake accounts posing as politicians, public figures, and trusted telecom companies.

Victims are lured with promises of free mobile data packages, financial compensation, or government subsidy programs. Clicking the embedded links triggers a multi-stage redirect chain that ultimately routes victims to phishing infrastructure controlled by the attackers. Group-IB analysts identified SniperDz as a centralized Push-Notification-as-a-Service (PNaaS) and PhaaS affiliate ecosystem by tracing campaign telemetry and bypassing multiple traffic cloaking layers.

Impact and Scope

SniperDz’s clone page catalog focuses on high-value categories including financial services such as PayPal, social media platforms, streaming services, and gaming marketplaces. The platform employs sophisticated cloaking techniques that display benign error pages whenever security researchers or automated scanners are detected, making it difficult to dismantle the malicious infrastructure. This evasion capability has allowed the ecosystem to operate across multiple campaigns over a sustained period.

Investigators discovered a recurring VAPID (Voluntary Application Server Identification) public key shared across all examined samples, which provided a critical infrastructure fingerprint linking separate campaigns to a single monetization platform. Three IP addresses, all hosted by Horizon IS, further confirmed the interconnected nature of the operation and supported attribution to one unified ecosystem, one that serves even low-skilled operators with minimal technical knowledge.
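The shared-key fingerprint described above can be reproduced on collected page sources. The following is an added example, not code from Group-IB or the original article: it pulls VAPID-shaped public keys out of captured page or service-worker source and reports any key embedded on more than one host. The host names and key values are constructed for illustration.

```python
import base64
import re
from collections import defaultdict

# A 65-byte key is 87 base64url characters, optionally followed by one "=".
CANDIDATE = re.compile(r"(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{87}=?(?![A-Za-z0-9_=-])")

def extract_vapid_keys(source: str) -> set[str]:
    """Return normalized VAPID-shaped keys found in page or service-worker source."""
    keys = set()
    for match in CANDIDATE.finditer(source):
        text = match.group(0).rstrip("=")
        try:
            raw = base64.urlsafe_b64decode(text + "=")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        # Uncompressed P-256 point: 0x04 || X (32 bytes) || Y (32 bytes).
        # Shape check only; it does not verify the point lies on the curve.
        if len(raw) == 65 and raw[0] == 0x04:
            keys.add(text)
    return keys

def cluster_by_key(samples: dict[str, str]) -> dict[str, list[str]]:
    """Map each key to the sorted hosts embedding it; keep keys seen on 2+ hosts."""
    hosts_by_key = defaultdict(set)
    for host, source in samples.items():
        for key in extract_vapid_keys(source):
            hosts_by_key[key].add(host)
    return {k: sorted(h) for k, h in hosts_by_key.items() if len(h) > 1}

def fake_key(seed: int) -> str:
    """Constructed key-shaped value (right length and prefix, not a real key)."""
    body = bytes((seed + i) % 256 for i in range(64))
    return base64.urlsafe_b64encode(b"\x04" + body).decode().rstrip("=")

SHARED, OTHER = fake_key(1), fake_key(99)
SAMPLES = {  # constructed captures, keyed by constructed host name
    "lure-a.example": f'subscribe({{applicationServerKey: urlB64("{SHARED}")}})',
    "lure-b.example": f"const k='{SHARED}';",
    "unrelated.example": f'var vapid = "{OTHER}";',
    "nokey.example": "<html>404 Not Found</html>",
}

if __name__ == "__main__":
    for key, hosts in cluster_by_key(SAMPLES).items():
        print(key[:16] + "...", "->", ", ".join(hosts))
```

A key shared across hosts is a pivot for further review, since unrelated sites that use the same legitimate push provider can also embed the same key.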

Source: Cyber Security News
