SniperDz Scams Abuse Browser Notifications and Back Button Traps
Group-IB has detailed a SniperDz scam ecosystem that turns social media traffic into browser notification subscriptions, premium SMS or call charges, investment leads, and other paid redirect flows. The important part is not only the phishing templates: the same funnel also abuses normal browser features that can keep producing pop-ups after the original tab is closed.
The report, published on June 11, 2026, describes SniperDz as a combined Push-Notification-as-a-Service and Phishing-as-a-Service platform with more than 80 templates impersonating over 30 brands. Group-IB says the operation used fake posts for free mobile internet, financial compensation, government aid, and similar rewards to pull users into multi-step redirects.
How the SniperDz Funnel Works
The campaign starts with familiar social posts or ads, often impersonating a telecom provider, public figure, or trusted organization. Instead of sending people directly to a suspicious domain, the operators first use link-aggregation pages such as Linkbio or Linktree-style landing pages to hide the real destination.
After that, the user is sent to attacker-controlled infrastructure. Group-IB listed examples including win.feezossl[.]xyz, win.anababayala[.]com, and aff.bnaosf1he[.]shop. The final page can show a loading or verification-style screen that asks the visitor to click Allow for browser notifications.
If that permission is granted, the site can send push notifications later, even when the scam page is no longer open. This is the same user-facing problem covered in our browser notification scam removal guide and the broader pop-up ads and browser notifications cleanup hub.
Why This Is More Than a Fake Reward Page
Group-IB found a recurring VAPID (Voluntary Application Server Identification) public key across examined campaigns, which is a useful clue that different lures shared the same push-notification infrastructure. The researchers also reported browser history manipulation that injects fake history entries, creating a back-button trap that makes it harder to leave the page normally.
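The shared-key clue above can be checked mechanically. The following Python sketch is an added example, not code from Group-IB or this site: it pulls strings shaped like VAPID public keys out of saved page sources and groups hosts by key. The hosts, snippets, and keys are constructed placeholders, and the regular expression is a heuristic that assumes the key appears as a base64url literal in the page.

```python
import base64
import re
from collections import defaultdict

# Heuristic: a VAPID applicationServerKey is a 65-byte uncompressed P-256
# point, which base64url-encodes to 87 characters (88 with '=' padding).
KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])(B[A-Za-z0-9_-]{86})=?(?![A-Za-z0-9_-])")

def vapid_keys(page_source):
    """Return the set of strings in page_source shaped like VAPID public keys."""
    found = set()
    for candidate in KEY_RE.findall(page_source):
        raw = base64.urlsafe_b64decode(candidate + "=")
        # Shape check only: 0x04 marks an uncompressed point. No curve validation.
        if len(raw) == 65 and raw[0] == 0x04:
            found.add(candidate)
    return found

def cluster_by_key(pages):
    """Map each key to the sorted hosts that served it; pages is {host: source}."""
    clusters = defaultdict(set)
    for host, source in pages.items():
        for key in vapid_keys(source):
            clusters[key].add(host)
    return {key: sorted(hosts) for key, hosts in clusters.items()}

def shared_infrastructure(pages):
    """Keep only keys seen on more than one host."""
    return {k: h for k, h in cluster_by_key(pages).items() if len(h) > 1}

def _fake_key(seed):
    # Constructed placeholder with the right shape; not a real key.
    return base64.urlsafe_b64encode(b"\x04" + bytes([seed]) * 64).decode().rstrip("=")

KEY_A, KEY_B = _fake_key(0x11), _fake_key(0x22)
# Constructed sample captures (hosts and snippets are made up for this example).
SAMPLE_PAGES = {
    "free-data.example": f"subscribe({{applicationServerKey: conv('{KEY_A}')}})",
    "gov-aid.example": f'const k = "{KEY_A}"; pushManager.subscribe(opts)',
    "unrelated.example": f"var vapid = '{KEY_B}';",
    "no-push.example": "<html><body>nothing here</body></html>",
}

if __name__ == "__main__":
    for key, hosts in shared_infrastructure(SAMPLE_PAGES).items():
        print(key[:12] + "...", hosts)
```

A key that appears on several unrelated-looking hosts is a pivot for grouping lures, not proof of common ownership on its own.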
Once the visitor is inside the funnel, the infrastructure can choose a monetization path based on device, country, language, carrier, and tracking identifiers. Possible outcomes include premium-rate calls, premium SMS subscriptions, investment lead forms, unsolicited ads, and additional redirect chains. If an offer asks for notification permission, phone number verification, or carrier-billed confirmation, treat it as a billing and privacy risk rather than a normal promotion.
Quick Check: Signs You Hit This Kind of Scam
- A social post promises free mobile data, subsidy payments, a prize, or investment access, but the link passes through several unrelated pages.
- The page says you must click Allow to continue, verify, watch content, claim a reward, or prove you are not a bot.
- The Back button loops you through the same page or opens new tabs instead of returning to the previous site.
- Notifications keep appearing after the tab is closed, especially for prizes, adult content, investment offers, fake antivirus warnings, or app downloads.
- Your phone bill shows unfamiliar premium SMS subscriptions or premium-rate call charges after interacting with a “free” offer.
What To Do If You Clicked Allow
Open your browser’s notification settings and remove any site you do not recognize. In Chrome, Edge, Brave, and many other Chromium browsers, this is usually under Settings, Privacy and security, Site settings, Notifications. On Android, also review app and browser notification permissions from system settings.
Then check your carrier bill for premium SMS or premium-rate call charges. If you see an unfamiliar subscription, contact the carrier and ask them to block or reverse the charge. The billing angle is similar to earlier fake CAPTCHA and premium SMS scams, even when the initial lure looks like a mobile data reward rather than a CAPTCHA.
If the browser keeps opening ads or redirects after permissions are removed, review installed extensions and recently installed apps. A lingering notification permission may be the whole problem, but persistent redirects can also overlap with adware or other unwanted software. Avoid running “cleanup” tools promoted by the pop-ups themselves; use trusted security software or the browser’s built-in reset options.
Concrete Identifiers From the Report
Useful names and indicators to watch include SniperDz, PNaaS, PhaaS, Linkbio-style reward funnels, win.feezossl[.]xyz, win.anababayala[.]com, aff.bnaosf1he[.]shop, and the recurring VAPID key documented by Group-IB. Defanged indicators should not be opened directly.
Source: Group-IB, “Sniper’s Nest: From Brand Impersonation to Browser Hijacking and CPA Fraud”.



