Sniper Dz Scams Target MENA Users via Fake Facebook Offers and Browser Alerts

Threat actors operating under the moniker Sniper Dz have launched social engineering campaigns targeting users across the Middle East and North Africa. The operation relies on fraudulent Facebook accounts impersonating politicians, government officials, and established organizations to distribute deceptive offers.

The scam mechanics center on promoting fake benefits. Victims encounter posts advertising complimentary mobile internet packages, financial compensation claims, and government subsidy programs. When users engage with these posts, attackers redirect them to malicious landing pages or inject browser alerts requesting personal and financial information.

Group-IB researchers identified the infrastructure behind these campaigns and traced connections to previous fraud operations in the region. The threat actors leverage the high volume of legitimate government assistance programs across MENA countries to lend credibility to their fabricated offers. This social engineering approach exploits user trust in official channels and public figures.

The operational scope extends beyond Facebook. Attackers employ browser-based attack vectors, including pop-up alerts designed to mimic legitimate system warnings. These alerts push victims toward credential harvesting pages or malware downloads. The technical execution demonstrates moderate sophistication but relies primarily on psychological manipulation rather than advanced exploits.

Organizations across the MENA region face exposure to employee credential theft through these campaigns. Individuals risk direct financial loss and identity compromise. The use of compromised or newly created accounts makes rapid takedown efforts difficult, as threat actors maintain operational continuity by rotating between multiple Facebook profiles.

The targeting pattern suggests Sniper Dz operates with regional focus and local market knowledge. Researchers observed consistent use of Arabic language content and familiarity with regional government programs and subsidy structures. This indicates the group either operates within MENA countries or maintains active intelligence on regional affairs.

Users should verify offers through official government channels and organization websites rather than social media posts. Multi-factor authentication on social platforms provides additional protection against account compromise. Organizations should conduct phishing