Sniper Dz campaign used fake Facebook offers to target MENA users

Cybersecurity researchers said a fraud campaign described in a technical analysis from Group-IB targeted users across the Middle East and North Africa through fake Facebook accounts impersonating politicians, public figures and trusted organizations.

KEY FACTS

  • Lures: Fake offers included free mobile internet, financial compensation and government subsidy programs.
  • Delivery: Victims were routed through intermediary sites before reaching phishing and monetization pages.
  • Infrastructure: The campaign used link aggregation services, browser push notifications and back button hijacking.
  • Monetization: Final stages could lead to premium SMS, premium-rate calls and investment scams.

The report said the scam often began with localized social engineering, including accounts posing as telecom providers such as Algérie Télécom. Users were then sent to link-in-bio pages that acted as a layer between the social post and the final destination.

The disclosure said the final pages pushed visitors to click Allow to continue, which granted browser notification permissions. The code then subscribed the browser to push messages using a Voluntary Application Server Identification, or VAPID, public key.

Researchers said the same VAPID key appeared in campaigns posing as telecom providers in Algeria and in investment-related scams in other regions. The reuse of that key suggested a shared push-notification ecosystem rather than separate infrastructure.
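
The key reuse described above gives analysts a pivot when triaging captured landing pages. The following is an added example, not code from the Group-IB analysis: it extracts VAPID-shaped keys from page source and groups hosts that subscribe with the same key. All hostnames, page sources and keys are constructed for illustration.

```javascript
// Added example: cluster captured pages by the VAPID public key they use.
const toB64Url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64Url = (s) =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');

// A VAPID public key is an uncompressed P-256 point: 0x04 || X(32) || Y(32),
// i.e. 65 bytes or 87 unpadded base64url characters. Only the encoding is
// checked here, not whether the point lies on the curve.
function isVapidShaped(s) {
  if (!/^[A-Za-z0-9_-]{87}$/.test(s)) return false;
  const raw = fromB64Url(s);
  return raw.length === 65 && raw[0] === 0x04;
}

// Return the distinct VAPID-shaped string literals in a page that also
// references applicationServerKey (the pushManager.subscribe option).
function extractVapidKeys(source) {
  if (!/applicationServerKey/.test(source)) return [];
  const keys = new Set();
  for (const m of source.matchAll(/["'`]([A-Za-z0-9_-]{87})=?["'`]/g)) {
    if (isVapidShaped(m[1])) keys.add(m[1]);
  }
  return [...keys];
}

// Group hosts by key; a key seen on more than one host points to a shared
// push-notification backend rather than separate infrastructure.
function clusterByKey(pages) {
  const clusters = new Map();
  for (const { host, source } of pages) {
    for (const key of extractVapidKeys(source)) {
      if (!clusters.has(key)) clusters.set(key, new Set());
      clusters.get(key).add(host);
    }
  }
  return [...clusters]
    .filter(([, hosts]) => hosts.size > 1)
    .map(([key, hosts]) => ({ key, hosts: [...hosts].sort() }));
}

// Constructed sample data: two keys, four captured pages.
const KEY_A = toB64Url(Buffer.concat([Buffer.from([4]), Buffer.alloc(64, 0xa1)]));
const KEY_B = toB64Url(Buffer.concat([Buffer.from([4]), Buffer.alloc(64, 0x5c)]));
const page = (key) => `navigator.serviceWorker.ready.then(r => r.pushManager.subscribe({
  userVisibleOnly: true, applicationServerKey: toBytes("${key}") }));`;
const SAMPLE_PAGES = [
  { host: 'telecom-offer.example', source: page(KEY_A) },
  { host: 'invest-plan.example', source: page(KEY_A) },
  { host: 'unrelated-shop.example', source: page(KEY_B) },
  { host: 'no-push.example', source: 'history.pushState({}, "", location.href);' },
];
const SHARED = clusterByKey(SAMPLE_PAGES);
console.log(JSON.stringify(SHARED, null, 2));
```

Keys assembled at runtime or fetched from a remote endpoint will not appear as literals in the page source, so an empty result does not rule out shared infrastructure.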

The campaign also used back-button hijacking by inserting fake history states and a tab-under technique that could redirect the original browser tab after a link opened a new one. Once users were enrolled, a traffic distribution system could route them to different scams based on device type, location and mobile carrier.

WHY IT MATTERS

The campaign shows how fraud operators can abuse legitimate web features and trusted platforms instead of malware to keep victims inside monetization funnels. That makes the activity harder to spot and easier to scale across multiple scam types.