Blogs

The Free Smartwatch Scam: Anatomy of a MENA Financial Phishing Campaign

Jul 8, 2026 7 min read
The Free Smartwatch Scam: Anatomy of a MENA Financial Phishing Campaign

Overview

Free smartwatches don’t exist. Yet across the MENA region, thousands of banking and payment customers are clicking on ads that promise exactly that and handing over their online banking credentials in the process.

Over the past several weeks, we’ve been tracking a coordinated social-engineering campaign targeting clients of financial service providers (FSPs) across the MENA region. The payoff for the attackers is direct financial account takeover. This blog breaks down how the campaign works, the infrastructure patterns behind it, and what defenders both institutions and customers can do to catch it early.

In this blog, we’ll walk through the phases we went through to get here: how we built a persona to engage the threat actors directly, what that engagement revealed about their techniques and infrastructure, and how the attack unfolds end-to-end from the victim’s perspective before closing with detection and defense recommendations for FSPs and customers alike.

Phase-1: Building a Persona

Most of what’s described in this blog wasn’t pieced together from passive reporting alone, we went looking for it. To understand how the private-channel side of this campaign actually operated, we built a sock puppet: a fictitious social media persona designed to pass as an ordinary customer.

Meet Abdullah Samir, our sock puppet:

Abdullah doesn’t exist, but on paper he’s about as ordinary as a prospective bank customer gets:

A 53-year-old man with a believable local name, a profile picture, and a plausible activity history. His defining trait is the one that matters most for this campaign: he’s generally drawn to anything that promises more money in his pocket – free offers, giveaways, cashback deals, “limited time” promotions

the exact profile a threat actor running this technique is fishing for. That, combined with enough ordinary engagement (likes, comments, follows on unrelated pages) to avoid looking freshly created or purpose-built, made him the ideal target persona: forgettable enough to pass as a genuine lead, and primed to take the bait.

Phase-2: Taking the Bait – Engaging with the threat actors

With Abdullah in place, we sent him out into the same social media feeds a real prospective customer would scroll through. It didn’t take long to find what we were looking for: fake brand pages impersonating banks like Mashreq, CIB, the Housing Bank, and payment services like STC Pay, running ads offering a “free smart watch” to existing customers. The creative was polished – bank logos, brand colors, product renders, and copy in the local language urging Abdullah to “claim now” before the offer ran out. Exactly the kind of post his profile was built to fall for.

Beyond a single exchange, Abdullah reached out and showed interest across multiple different fake pages and threat actors running this same offer, rather than stopping after the first response.

Each new conversation gave us another independent data point, a different phishing domain, a different response pattern, a different level of automation, which let us build out the fuller infrastructure and behavioral picture in this post instead of drawing conclusions from a single, potentially unrepresentative interaction.

Phase-3: Threat Analysis

With the domains, page behavior, and conversation patterns Abdullah collected across multiple engagements, we could finally step back from individual interactions and analyze the campaign as a whole. Two things stood out immediately.

Across the campaigns we tracked, the threat actors consistently showed two distinct behaviors when posting their ads and posts:

  1. Sharing it with the ad for bulk access (the phishing site attached here has a high possibility of being down, since it’s the version exposed to public reporting and takedown crawlers).
  2. Sharing it through a private channel with potential victims who reach out for the smartwatch, specifically to avoid site takedowns.

Observed Techniques:

We have observed that Threat Actors are using different manipulation techniques such as:

Tier 1: Abuse of Trusted Websites builders’ Subdomains:

The actors leverage legitimate application builders and cloud deployment platforms specifically Netlify, Wix, and Lovable to host their landing pages having a Trusted subdomain that belongs to the builder like:

  • lovable[.]app
  • wixsite[.]com
  • stc-pay-card[.]netlify[.]app
  • lovable[.]app 

This is a deliberate trade-off. These subdomains inherit a trusted, high-reputation root domain, so they sail past many domain-reputation and category-based filters that would flag a brand-new .com. The cost is resilience: a single abuse report to the platform can kill the page in minutes, which is why these are treated as burner infrastructure, spun up fast, expected to die fast, and replaced just as quickly.

Tier 2: Brand-Impersonation (Lookalike) Domains:

For a more durable presence, the actors register typosquatted or combosquatted domains that mimic the Financial Service Provider’s actual name using:

typosquatting (small misspellings or character swaps of the real brand name)
and
combosquatting (combining the brand name with extra words like “pay,” “card,” or “cash”)

To make the phishing domain look and read like it belongs to the targeted FSP:

  • axispay[.]org
  • masreqqwahcts[.]com
  • watchmshreq[.]store

These take more effort, registration, DNS, sometimes even TLS setup, but they pay off in two ways: they look far more convincing to a victim glancing at the address bar, and because they’re actor-owned infrastructure rather than a shared platform, there’s no third-party trust-and-safety team who can pull the plug overnight.

Registrar and hosting-provider takedowns are slower and require more evidence, buying the campaign extra runtime.

The pattern is a cost-versus-durability curve, and mature campaigns run both tiers simultaneously,

  • cheap, disposable pages for volume.
  • harder-to-kill impersonation domains for sustained operations.

Attack Chain

  1. After the client clicks the link he is being directed to a phishing page having the same visual identity of the financial services provider customized to make the fake offer appears legitimate.

  1. After the client clicks obtain the smartwatch it redirect him/her to another page that asks for the information that the Threat Actor will need to access the victim’s Account with the financial service provider.
  2. Once the Victim fills the information and press confirm he will be directed to an OTP page, Meanwhile the information will be sent to an active threat actor in the background waiting for the credentials, then he is going to login with the credentials he is having or, make  a password forget request sending an otp to the actual  client on his phone number/email.
  3. After the Victim receives the OTP he enters it in the OTP Page and confirms it. Meanwhile, the threat actor receives the OTP and login into the victim’s account.
  1. The Threat Actor initiates financial Transactions on the account of the victim through external/internal not trackable accounts.
  2. When the client reaches to the Financial Service Provider to dispute the transaction, the support team confirms that the transaction have been made through the client’s account and they can’t do anything for that because the protecting client’s credentials is their own responsibility.

Note:

Some Threat Actors could automate the process in the background so it requires the minimum effort from them in case of high-volume requests.

Technical Infrastructure Breakdown

Hosting Platforms: Lovale, Wix

Domain Origin:  Hosted natively on infrastructure or newly registered (Observed starting May 20, 2026)

SSL Configuration: Short-term automated certificates (3-Month Free via Let’s Encrypt / Google Trust Services)

DNS Routing: Proxied behind Cloudflare

Detected IOCs:

After our analysis, we have shared the IOCs through our feeds which you can access through the following link: dPhish Feeds,

Additionally, all our feeds are automatically included in our Phishing Detection & Response Engine: Discover

Domains IOCs:

axispay[.]org
www-axispay-org[.]filesusr[.]com
bnnkecciibmssr[.]lovable[.]app
norann[.]lovable[.]app
eggeymasshreqbnnk[.]lovable[.]app
masshreqqbnkmsre[.]lovable[.]app
mashreq-egy[.]netlify[.]app
fawaitile[.]shop
masreqqwahcts[.]com
alnwrannwran8[.]wixsite[.]com
watchmshreq[.]store
stc-pay-card[.]netlify[.]app


Leave a Reply

Your email address will not be published. Required fields are marked *