ProxyShellMiner is being distributed to Windows endpoints by a very elusive malware operation, according to Morphisec.
To generate income for the attackers, “ProxyShellMiner” deploys cryptocurrency miners throughout a Windows domain using the Microsoft Exchange ProxyShell vulnerabilities.
“After successfully breaching an Exchange server and obtaining control, the attackers use the domain controller’s NETLOGON folder to ensure the miner executes throughout the domain, similar to how software is delivered through GPO”, Morphisec reports.
Researchers noticed that the attackers were utilizing four C2 servers. The files the malware depends on are all stored on legitimate but infected mail servers.
“Mining cryptocurrency on an organization’s network can lead to system performance degradation, increased power consumption, equipment overheating, and can stop services”, according to Morphisec.
Technical Analysis of the ProxyShellMiner Malware
The malware needs a command line parameter that acts as a password for the XMRig miner component in order to activate.
“This parameter is later used as a key for the XMRig miner configuration, and as an anti-runtime analysis tactic”, Morphisec says.
The parameter serves as an anti-analysis technique and as a password for the XMRig miner
The XOR decryption algorithm, an XOR key, and an embedded dictionary are all used by ProxyShellMiner. The subsequent embedded code modules are then executed using the C# compiler CSC.exe with “InMemory” compile parameters.
The malware then downloads a file with the name “DC DLL” and uses .NET reflection to get the task scheduler, XML, and XMRig key arguments. The decryption of additional files is done using the DLL file.
By setting up a scheduled task that starts when the user logs in, a second downloader achieves persistence on the compromised system. The report says four other files and the second loader are downloaded from a remote resource.
The deobfuscated scheduled task
Using a technique called “process hollowing,” that file determines which of the installed browsers on the hacked system would be used to inject the miner into its memory space. The mining process then starts after selecting a random mining pool from a hardcoded list.
Picking a mining pool
Setting a firewall rule that blocks all outgoing traffic and is applicable to all Windows Firewall profiles is the last stage in the attack chain. This is done to reduce the likelihood that defenders may find infection signs or get notifications about a possible compromise from the compromised system.
“The malware waits at least 30 seconds while the target machine blocks any outbound connection. It does this to tamper with the process runtime behavior analysis of common security solutions”, the researchers say.
Adding a firewall rule to block all outgoing traffic
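A defender can hunt for the final stage described above by looking for an enabled outbound block rule that covers every Windows Firewall profile and has no address, protocol, port or program scope. The following is an added example, not code from Morphisec or from the malware; it assumes the text layout printed by `netsh advfirewall firewall show rule name=all` on an English-locale host, and the sample output and rule names are constructed.

```python
import re

# Constructed sample in the layout of
# `netsh advfirewall firewall show rule name=all` (English locale).
# Rule names are invented for illustration.
SAMPLE_NETSH_OUTPUT = """\
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Block outbound SMB
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            Any
RemotePort:                           445
Edge traversal:                       No
Action:                               Block

Rule Name:                            Constructed-BlockAll-Out
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             Any
Edge traversal:                       No
Action:                               Block
"""

ALL_PROFILES = {"domain", "private", "public"}


def parse_rules(text):
    """Split netsh output into one dict per rule, keyed by lower-cased field name."""
    rules = []
    for line in text.splitlines():
        match = re.match(r"^([^:]+):\s*(.*)$", line)
        if not match:
            continue  # separator lines and blank lines carry no field
        key, value = match.group(1).strip().lower(), match.group(2).strip()
        if key == "rule name":
            rules.append({"rule name": value})
        elif rules:
            rules[-1][key] = value
    return rules


def _field(rule, name, default="any"):
    # netsh omits port lines when the protocol is Any, so a missing field means "any".
    return rule.get(name, default).strip().lower()


def is_block_all_outbound(rule):
    """True for an enabled, unscoped outbound Block rule applied to all three profiles."""
    profiles = {p.strip() for p in _field(rule, "profiles", "").split(",")}
    unscoped = all(
        _field(rule, key) == "any"
        for key in ("remoteip", "protocol", "remoteport", "program")
    )
    return (
        _field(rule, "enabled", "no") == "yes"
        and _field(rule, "direction", "") == "out"
        and _field(rule, "action", "") == "block"
        and ALL_PROFILES <= profiles
        and unscoped
    )


def find_block_all_outbound(text):
    """Return the names of rules that would cut off all outbound traffic."""
    return [r["rule name"] for r in parse_rules(text) if is_block_all_outbound(r)]


if __name__ == "__main__":
    for name in find_block_all_outbound(SAMPLE_NETSH_OUTPUT):
        print("Unscoped outbound block rule on all profiles:", name)
```

A hit is only a lead: an endpoint that also stops reporting to its monitoring console shortly after such a rule appears is the combination worth escalating.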
Final Thoughts
ProxyShellMiner doesn’t just disrupt business networks, drive up power bills, overheat equipment, and stop services from operating. It also gives threat actors access they can use for further malicious purposes.
“Once attackers have a foothold in a network, they have deployed web shells, backdoors, and used tunneling utilities to further compromise victim organizations”, Morphisec says.
Hence, Morphisec encourages all administrators to install all available security updates and employ thorough and all-encompassing threat detection and defense measures to reduce the danger of ProxyShellMiner attacks.
Is your iPhone claiming that you’ve been hacked, your phone isn’t protected, or that viruses have damaged it? It could be calendar spam.
If you open up your iPhone and see a variety of messages claiming that you’ve been hacked, your phone is not protected, that viruses have damaged your phone, or, my personal favourite, “Click to get rid of annoying ads”, fear not. It’s quite possible you’ve accidentally wandered into a common form of scam: Calendar spam.
Calendar spam is a way for scammers to insert nonsensical claims, offers, and warnings with potentially harmful links into your calendar, which triggers notifications on your device.
How you get it
The most common techniques for spreading calendar spam are bogus adverts, popups, and other forms of coding used on websites which may be of a questionable nature. They can be found on pornography sites, but also file sharing sites, unofficial streaming platforms, gaming sites, random blogs, pretty much anywhere at all.
Calendar applications like iCal make it easy to add public calendars, which are just URLs, and the scammers exploit that ease of use. The aim of the scammers’ game is to get unsuspecting users to accept a calendar subscription. Often, they will obscure the subscription with a distraction. For example, a user may be asked to confirm that they’re a human via CAPTCHA. The user clicks through, and before they realise it, they’ve also clicked “OK” to a follow-up message containing a calendar subscription.
Should you accept one of these subscriptions, the spam calendar and all related events will be added to your calendar app. The events in the calendar contain alerts, which generate notifications, which could leave your screen looking a little something like this. Should you venture into your calendar, a tangled mess of calendar entries awaits.
The links in the calendar entries lead to the usual range of spam, surveys, bogus apps, fake security tools, and more besides. They have nothing you want or need to be wasting your time on. With this in mind, what can you do about it?
How to remove it
This is such a problem point for Apple that a dedicated page exists for just this problem. There are two ways to remove calendar spam, and it’s dependent on which iOS version you use. From the help pages:
iOS 14.6 or later
Open the Calendar app.
Tap the unwanted Calendar event.
Tap Unsubscribe from this Calendar at the bottom of the screen.
To confirm, tap Unsubscribe.
Earlier versions of iOS
Open the Calendar app.
At the bottom of the screen, tap Calendars.
Look for a calendar that you don’t recognize. Tap the More Info button next to that calendar, then scroll down and tap Delete Calendar.
If this doesn’t fix the issue, delete the calendar subscription in Settings:
Open the Settings app.
Tap Calendar > Accounts. Or if you use iOS 13, tap Passwords & Accounts > Accounts instead.
Tap Subscribed Calendars.
Look for a calendar that you don’t recognize. Tap it, then tap Delete Account.
Not just iPhone
Spammers will try and abuse all sorts of devices, apps, and systems in order to besiege you with calendar spam (or even calendar-style spam) notification alerts. In 2019, Google Calendar users were hit with a wave of spam notifications, and Calendly users were impacted by phishers abusing the service in 2022. In that same year, new safety features appeared for Google Docs users in order to give users a little more confidence that notifications were not bogus.
No matter the device or service, anything with notification ability could be a target. In many ways, phone calendar spam is a perfect fit for phones where everyday misclicks are very common. It only takes one spam calendar prompt hidden behind something else and a split second lapse in attention for the scammers to stake a claim on your phone.
The good news is that once you understand how the scam works, it’s very easy to remove the notifications and keep your phone free from endless spam notifications.
Keeping your calendars spam free
Be careful where you click. Scammers have to fool you into subscribing to a calendar for this to work, so read before you click! If you do add a calendar prompt, don’t panic. Follow the removal instructions above.
Use Malwarebytes for iOS. It can block rogue websites and adverts, the two primary causes of unwanted calendar prompts.
Stay safe out there!
Samsung’s One UI 5.1 update is available for the Galaxy S22 series in the US. Both carrier-locked and unlocked variants are getting the new One UI version stateside. The rollout began a few days back in Europe.
One UI 5.1 is the latest iteration of Samsung’s Android-based custom software. Built on top of Android 13, the new version debuted with the Galaxy S23 series, which launched on February 1. The Korean firm started rolling it out to older Galaxy models earlier this week. As expected, the Galaxy S22 series was the first to get it. Following the initial rollout in Europe, the update is now available in the US too.
The latest update for the Galaxy S22, Galaxy S22+, and Galaxy S22 Ultra in the US comes with the firmware build numbers S901USQU2CWAI (carrier-locked) and S901U1UEU2CWAI (unlocked). Along with One UI 5.1 goodies, the phones are also getting the February 2023 Android security patch. The new security release contains more than 50 vulnerability fixes, including a few critical ones.
But we are still more interested in One UI 5.1. The new One UI version brings a host of new features and improvements. Samsung has added new options to the stock camera app and also introduced new editing features. The update also adds English support for Bixby Text Call, Samsung Notes collaboration, improved widgets, improved multitasking, more Modes and Routines, smart suggestions, and more. You can refer to Samsung’s official changelog for all One UI 5.1 features.
One UI 5.1 will reach more Galaxy devices in the US
The Galaxy S22 series may have picked up the One UI 5.1 update first, but Samsung also seeded the new One UI version to the Galaxy S21, Galaxy S20, Galaxy Z Fold 4, Galaxy Z Flip 4, Galaxy Z Fold 3, Galaxy Z Flip 3, and a few more Galaxy devices in a span of just a few hours. The rollout for all of these devices began in Europe. The company is now bringing the update to more markets. Users of these devices in the US should get One UI 5.1 soon.
As usual, you will get a notification once the OTA (over the air) release becomes available for your phone. Alternatively, you can open the Settings app on your phone, go to the Software update menu, and tap on Download and install to check for updates manually. Repeat the steps a few days later if you don’t see any updates today. We will let you know when Samsung releases the One UI 5.1 update for other Galaxy devices in the US.
According to the BBC, Elon Musk donated $1.95 billion of Tesla stock to charity between August and December last year. This charitable act is revealed in a regulatory filing and described as “a bona fide gift.” Yet the recipient or recipients of these billions remain unclear, as the filing didn’t reveal the names.
Of course, this is not the first time that Musk is donating billions of dollars of Tesla shares to charities. Back in 2021, he gave up $5.74 billion of shares. Additionally, he promised to donate $20 million to Cameron County schools and $10 million to the city of Brownsville in Texas for the so-called “downtown revitalization.”
Musk has recently lost his position as the wealthiest man on the planet and was replaced by Bernard Arnault, co-founder, chair, and CEO of LVMH. The reports also claim Musk lost $200 billion of his wealth in over a year.
Elon Musk donates almost $2 billion of Tesla stock to charity while the company’s stock is plummeting
Elon Musk is probably one of the most controversial people in the world due to his Twitter takeover and the radical changes he made to the social media company. Of course, Musk’s occupation as Twitter CEO didn’t go well with Tesla shareholders. They complained Musk is devoting much of his focus and time to Twitter, and the EV maker is running on a wing and a prayer.
Despite growth in pre-orders and EV delivery, Tesla stock is plummeting. The company stock has fallen 45% over two months, and it’s not showing any sign of recovery (via ABC News). That’s why Elon Musk is now more serious about leaving his executive role at Twitter and returning to Tesla.
The billionaire recently said the end of this year might be a good time for him to find another CEO for Twitter. “I think I need to stabilize the organization and just make sure it’s in a financially healthy place and that the product roadmap is clearly laid out,” Musk added.
A long-standing rumor suggests that the Facebook and Facebook Messenger apps drain the battery on cellphones that have the apps installed. If you believe former Facebook employee George Hayward, a data scientist, Facebook can secretly drain the battery on its users’ cellphones on purpose. As reported by The New York Post, there is actually a name for what Facebook is doing. It is called “negative testing” and it allows tech companies to secretly run down the batteries on someone’s phone in order to test features on an app or to see how an image might load.
Hayward was fired by Facebook parent Meta for refusing to participate in negative testing. “I said to the manager, ‘This can harm somebody,’ and she said by harming a few we can help the greater masses. Any data scientist worth his or her salt will know, Don’t hurt people,” he told the Post.
Hayward was axed by Meta in November and originally filed a lawsuit against the company in Manhattan Federal Court. The 33-year-old worked for Meta’s Facebook Messenger app which delivers text, phone calls, and video calls between users. In the suit, Hayward’s attorney, Dan Kaiser, pointed out that draining users’ smartphone batteries puts people at risk especially “in circumstances where they need to communicate with others, including but not limited to police or other rescue workers.”
Social media apps like Facebook Messenger can intentionally drain the batteries powering users’ smartphones
The suit had to be withdrawn because Meta’s terms of employment forced Hayward to argue his case in arbitration. Kaiser says that most people have no idea that Facebook and other social media companies can drain your battery intentionally. Commenting on the practice of negative testing, the lawyer added, “It’s clearly illegal. It’s enraging that my phone, that the battery can be manipulated by anyone.”
Originally hired in 2019, Hayward was receiving a six-figure annual paycheck from Meta. But when it came to the company’s request to perform the negative testing, Hayward said, “I refused to do this test. It turns out if you tell your boss, ‘No, that’s illegal,’ it doesn’t go over very well.”
At one point during his employment at Meta, the company handed Hayward an internal training document titled “How to run thoughtful negative tests.” The document included examples of how to run such tests. After reading the document, Hayward said that it appeared to him that Facebook had used negative testing before. He added, “I have never seen a more horrible document in my career.”
Protect yourself from PayPal phishing attacks: Learn to spot the signs of a spoofed email and avoid falling for scams that use legitimate PayPal accounts to deceive unsuspecting victims.
PayPal has been one of the most lucrative targets for hackers and spammers which is why customers often complain about phishing scams. Now, the cybersecurity researchers at Avanan have discovered that cybercriminals are once again exploiting PayPal’s online payment system to send malicious invoices directly to users.
In the ongoing campaign, attackers are reportedly abusing PayPal by creating accounts and generating invoices for sending phishing emails. This should not come as a surprise, as just last month, PayPal notified over 35,000 customers about a security breach, which goes to show the popularity of PayPal among cyber criminals.
Email Content Analysis
The email informs the recipient about fraudulent activity on their account, and if they do not call the listed number, they will be charged a hefty amount, such as $699.99 or more.
It is worth noting that the emails sent in this campaign are not malicious; they are sent directly via PayPal and can pass several checks, such as DMARC, DKIM, and SPF. The problem is that these emails are sent from service@paypal.com, so they appear legitimate, and users fail to identify the trap.
The phishing invoice (Credit: Avanan)
Additionally, in a blog post, Jeremy Fuchs of Avanan stated that the scam works because of static email Allow Lists, which allow content to go directly into the inbox if it arrives from a reputable service like PayPal.
Why is PayPal being Targeted?
The reason PayPal is so easily targeted in this campaign is that the platform allows users to create accounts easily. Therefore, anyone can exploit the free service. Furthermore, threat actors can use PayPal’s tools to create professional-looking malicious invoices. This way, attackers can easily disguise themselves as employers or family members.
How Can You Detect Malicious Invoices?
This campaign is different from other attacks leveraging PayPal, as detecting or preventing the attack proved to be very difficult for email security services and users. That is because the malicious invoice “comes directly from PayPal.”
However, according to Jeremy Fuchs, marketing content manager at Avanan, the email’s content is such that it can raise suspicion. For instance, the content has many grammar and spelling errors.
Moreover, the phone number listed in the email does not belong to PayPal. Fuchs suggests that users should call the phone numbers to find out whether the invoice is legitimate or not.
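The gap described above, where a static allow list delivers anything that arrives from PayPal with passing SPF, DKIM and DMARC, can be narrowed by still inspecting the content of allow-listed mail. The following is an added example, not Avanan's or PayPal's code; the messages, the receiving host name, the phone number and the signal names are constructed, and the allow list and triage thresholds are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the static allow list the article describes, keyed on sender domain.
ALLOW_LISTED_DOMAINS = {"paypal.com"}

PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
FRAUD_CLAIM = re.compile(r"fraudulent|unauthori[sz]ed|suspicious activity", re.I)
CHARGED = re.compile(r"\bcharged\b", re.I)


def build_message(body):
    """Constructed invoice notification that passes sender authentication."""
    raw = (
        "From: PayPal <service@paypal.com>\n"
        "To: user@example.org\n"
        "Subject: Invoice from Billing Team\n"
        "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=paypal.com;"
        " dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "\n" + body + "\n"
    )
    return message_from_string(raw)


# Constructed bodies: one modelled on the scam described above, one ordinary invoice.
SCAM = build_message(
    "We detected fraudulent activity on your PayPal account. You will be charged "
    "$699.99 today. If you did not authorise this, call +1 (888) 555-0134 immediately."
)
BENIGN = build_message(
    "Example Bakery LLC sent you an invoice for $42.00. "
    "Log in to your PayPal account to view and pay it."
)


def passes_static_allow_list(msg):
    """The weak check: trusted sender domain plus SPF, DKIM and DMARC all passing."""
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    authenticated = all(f"{mech}=pass" in auth for mech in ("spf", "dkim", "dmarc"))
    return domain in ALLOW_LISTED_DOMAINS and authenticated


def content_signals(msg):
    """Content traits of the callback invoice scam, independent of who sent it."""
    body = msg.get_payload()
    signals = set()
    if PHONE.search(body):
        signals.add("callback_number")   # invoice text asks the reader to phone someone
    if CHARGED.search(body) and AMOUNT.search(body):
        signals.add("charge_threat")     # "you will be charged $..."
    if FRAUD_CLAIM.search(body):
        signals.add("fraud_claim")       # claims of fraud on the account
    return sorted(signals)


def triage(msg):
    """Keep the allow list, but hold allow-listed mail that looks like a callback lure."""
    if not passes_static_allow_list(msg):
        return "standard-filtering"
    signals = content_signals(msg)
    if "callback_number" in signals and len(signals) >= 2:
        return "review"
    return "deliver"


if __name__ == "__main__":
    for label, msg in (("scam", SCAM), ("benign", BENIGN)):
        print(label, passes_static_allow_list(msg), content_signals(msg), triage(msg))
```

Both messages pass the allow-list check; only the content signals separate them.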
Here are some additional steps you can take to detect and protect yourself from PayPal phishing emails:
Google the content of the email before responding: It is always a good idea to Google the content and email address of the email that you suspect is a phishing one; it is quite possible that someone has already addressed the issue on discussion forums.
Look for spelling and grammar mistakes: Phishing emails often contain spelling and grammar mistakes. Be especially wary of emails that contain urgent requests or threats, as scammers often use these tactics to create a sense of urgency and panic.
Don’t click on any links: If an email asks you to click on a link to verify your account or update your information, don’t click on it. Instead, go directly to the PayPal website and log in to your account to see if there are any alerts or messages.
Never enter personal information: Never enter your personal or financial information in response to an email. PayPal will never ask you to provide sensitive information such as your password, Social Security number, or credit card details via email.
Use two-factor authentication: Enable two-factor authentication on your PayPal account to add an extra layer of security. This will require you to enter a code sent to your phone or another device in addition to your password when logging in to your account.
Report suspicious emails: If you receive a suspicious email, report it to PayPal immediately. Forward the email to phishing@paypal.com and then delete it from your inbox.
The Vivo X90 Pro is one of those phones that feature a 1-inch camera sensor. There are not many of them out there. That sensor, on its own, is great, but in this phone, it gets backing from both Vivo’s image processing, and ZEISS optics and expertise. The end results are… spoiler alert… outstanding. I had to open this intro with a camera focus, there’s no other way to do it. The Vivo X90 Pro, of course, has a lot more going for it than just its camera setup, even though that is the highlight of this phone, and we’re here to review it to give you a better idea of what you’ll be dealing with, should you choose to buy it.
The Vivo X90 Pro is the company’s global flagship smartphone. An even more powerful Vivo X90 Pro+ also launched in China, but unfortunately not globally. The good news is, those two phones are very similar. The bad news is, the Snapdragon 8 Gen 2 is exclusive to the Vivo X90 Pro+, and so is the periscope telephoto camera. That aside, the same 1-inch camera is included in both phones, and the MediaTek Dimensity 9200 that fuels this phone is also excellent. So, let’s get started, there’s a lot of ground to cover.
Vivo X90 Pro Review: Hardware / Design
The first thing I thought to myself when I took this phone into my hand is… this is a larger variant of the Vivo X60 Pro+. It feels very similar to that phone, and that’s a good thing. It feels really good in the hand, unlike the Vivo X80 Pro which felt a lot larger (even though it barely was), and a bit more awkward to hold. The vegan leather backplate does help with the grip, which is always preferred when it comes to large phones, in my opinion. Vegan leather does become even a bit grippier after you use the phone for some time, without the case, of course.
Only one color is available outside of China
There is only one color this phone is available in, globally, the ‘Legendary Black’ color. That is essentially a dark gray model. The ‘Red’ color option is available in China only, at least for now. Its front and back sides are proportional, as both of them curve into the aluminum frame. Yes, the display is curved on the phone, and the bezels are quite minimal. There is also a centered display camera hole at the top. All the physical buttons sit on the right-hand side, and the device includes an in-display fingerprint scanner. More on that soon.
It has a large, circular camera island on the back
There is a huge circular camera module on the back, which hides three cameras. The main camera utilizes a 1-inch sensor from Sony, which we’ll talk more about in the camera section. ZEISS branding is visible on the back as well, as is Vivo’s. The company also decided to place a metallic line with an “Xtreme Imagination” caption under the camera module, to separate the top and bottom parts of the phone, in a way. The design does look much better in person, than it does in renders. This design won’t be everyone’s cup of tea, but the phone feels premium, sits well in the hand, and it’s less slippery than metal+glass slabs. I, personally, don’t have any complaints, as Vivo made the phone feel more compact than it is.
Accessories
The Vivo X90 Pro we received comes with an included silicone case. You may have seen some models come with a vegan leather case that comes with the same design as the back of the phone. I’m not sure if that’s reserved for the Vivo X90 Pro+ model in China only, or if it comes with the Red Vivo X90 Pro model as well. It was not included in this packaging, however, that’s all I can say.
Vivo X90 Pro Review: Display
The Vivo X90 Pro features a gorgeous display, which is also large at the same time. It features a 6.78-inch 2800 x 1260 AMOLED display. This panel can project up to 1 billion colors, and has a 120Hz refresh rate (yes, it’s an LTPO panel). It supports HDR10+ content, and gets up to 1,300 nits of peak brightness. It has a 20:9 display aspect ratio, in case you were wondering, and the display is curved.
The display defaults to fullHD+ mode, and it’s really good
Now, the panel itself looks gorgeous. It’s plenty sharp, even in fullHD+ regular mode that the phone defaults to. You wouldn’t be able to tell the difference, to be quite honest. The colors are vivid, and the viewing angles are excellent too. You will be able to see some hazing on the sides because of the curves, though, when you look at the display straight on. The display is curved to that point, unfortunately. Also, we know that the Gorilla Glass protects the display, but we don’t know the exact iteration.
The scrolling is smooth, though the touch sampling rate could be higher
This panel is exceptionally adapted to this phone. The scrolling is buttery smooth, and the animations are also excellent. I did speed them up a bit, and they worked perfectly fine before and after that tweak. The touch response is also really good, but I wish Vivo went with at least a 480Hz touch sampling rate, and not 300Hz. The difference is noticeable if you’ve used a higher touch sampling rate, that’s for sure. If not, this will make no difference to you whatsoever. The only thing I wish for is higher brightness, to be quite honest. It’s perfectly fine and bright enough, until you get under direct sunlight. Oh, and yes, AOD (Always-On Display) mode is also available.
You can tweak this display to your liking, with ease
Vivo also gives you the ability to tweak the display to your liking. You can adjust the color temperature manually, or select one of the pre-loaded modes. If you prefer more vivid colors, that’s not a problem. If you’d like realism… the same thing, Vivo has you covered. The default setting is really good, though, so no worries if you’re not into making such changes.
Vivo X90 Pro Review: Performance
Alright, so… the specs. The Vivo X90 Pro is an immensely powerful smartphone, on paper. It doesn’t include the Snapdragon 8 Gen 2 SoC, like its ‘Plus’ sibling in China, but it comes with the MediaTek Dimensity 9200 SoC. That is MediaTek’s most powerful offering now, and it’s immensely powerful. It was my first phone with that chip, and quite frankly, I’m not really missing the Snapdragon 8 Gen 2 as far as performance is concerned. More on that soon.
You’re getting both LPDDR5X RAM & UFS 4.0 flash storage here
Vivo also stuffed 12GB of LPDDR5X RAM inside this phone, along with 256GB UFS 4.0 flash storage (that’s the only model available globally). In other words, the company didn’t really skimp out on RAM or storage. These are the latest modules available. Those two, in combination with the aforementioned SoC, keep this phone running smoothly at all times. It doesn’t really matter if you’re using it for multitasking, multimedia consumption, or gaming… it runs really smooth.
It can run even the most demanding games on Android
Even if you end up running the most intensive titles for Android, this phone won’t break a sweat. It’ll get warm at one point, but not hot, nor will that impact performance at all. Vivo thought about cooling here, and it did a great job in that regard. Truth be told, we can’t really tell the Snapdragon 8 Gen 2 and MediaTek Dimensity 9200 apart in day-to-day performance. MediaTek’s chip does benchmark lower than the Snapdragon 8 Gen 2 SoC, but you won’t really feel the difference in day-to-day usage. This thing can even run Genshin Impact at the highest settings available, so… there you have it.
Vivo X90 Pro Review: Battery
Let’s get the spec details out of the way first, shall we. The Vivo X90 Pro comes with a 4,870mAh battery on the inside. It supports 120W wired charging, and a 120W charging brick is included in the retail box. The device also offers support for 50W wireless charging, though you’ll have to get a wireless charger separately, of course. On top of all that, reverse wired charging is also supported in case you need to charge up your earbuds on the go, or something like that.
The battery life is really good, but it could be even better
Having said that, what’s the battery life like? Well, it’s really good, though not outstanding like we’ve seen on some other flagship phones lately, as the Snapdragon 8 Gen 2 seems to have great power consumption control. I was able to get between 6-7 hours of screen-on-time during my usage, I even hit 7.5 once or twice. The first few days, I was closer to 5.5-6 hours because YouTube was draining power for some reason. Since I restricted its activity in the background, the battery life did improve, and I was getting around 6.5-7 hours of screen-on-time.
Do note that I’m not gaming on my phone, but I’m editing images, watching plenty of YouTube, taking tons of pictures, browsing, messaging, emailing… basically everything else you can imagine. Another thing to note is that I spend the vast majority of my day on WiFi, as do most of you, probably. Your mileage may vary, though, of course. Different usage habits, different apps, signal, and so on… all that affects battery life.
Even if you run out of battery ahead of time, you get immensely fast charging here
Now, even if you run out of battery ahead of time, don’t fret. Vivo’s 120W FlashCharge can get you from 0 to 50% in only 8 minutes. Getting a full charge takes less than half an hour. 50W charging is slower, but also plenty fast, if you opt for that option. It’s certainly much faster than the 15W charging that Samsung and Apple offer, it’s not even close.
Vivo X90 Pro Review: Camera
Spoiler alert… the Vivo X90 Pro is an outstanding camera smartphone. I’ve thoroughly enjoyed my time with it, and have taken some really nice pictures, some of which I’ll share below. There’s actually a lot to talk about here, but let’s get the technicalities out first. Unlike the China-exclusive Vivo X90 Pro+, this one does not have a periscope camera, unfortunately. It does have the exact same main camera, though, and it utilizes a 1-inch camera sensor from Sony. That’s the Sony IMX989 sensor, in case you’re keeping track. That is the largest camera sensor made for smartphones to date, and it has huge potential. It needs proper software in order to shine, and Vivo has certainly provided it here.
A truly excellent camera sensor is backed by ZEISS and great camera software
Vivo has a 50.3-megapixel main camera with an f/1.8 aperture and 1.6um pixel size. It has OIS support, and the same goes for Dual Pixel PDAF. Laser Autofocus is also here for faster focusing times. In addition to that, a 50-megapixel ultrawide camera is here as well. That unit has an f/2.0 aperture and a 108-degree FoV. This camera also supports auto-focusing. A rather capable 50-megapixel telephoto camera is also included on the back. It has an f/1.6 aperture, 0.7um pixel size, OIS support, and 2x optical zoom.
When it comes to pictures from the main camera, they’re great. They’re vibrant, filled with detail, and well-balanced. The phone handles highlights like a champ, even in the harshest HDR conditions. Considering the size of the sensor, you’re also getting that creamy bokeh effect which reminded me of DSLR cameras. I’ve never seen such a depth of field on other smartphone cameras, it really does bring a photo to life. Taking pictures of my pets with this sensor was a joy, even in low light. Some such samples are included below.
You can choose between Vivo’s default & ZEISS shooting modes
Now, do note that there are two shooting modes at your disposal here. You can shoot with Vivo’s default setting, or the ‘ZEISS’ mode. I much preferred ZEISS, as the colors were not oversaturated, and the images were closer to real life, but still quite vivid and lifelike. At times, Vivo’s mode came in handy, but I used ZEISS over 90% of the time after I realized what kind of pictures it takes. So, the vast majority of samples below are taken with the ZEISS setting, I’ll also include some comparisons below, so that you can see the difference. I used ZEISS in both regular and low light, as it made images look truly great.
You don’t even have to use a dedicated night mode, it’s not necessary
In low light, there’s really no need for you to use a separate night mode, which is available here. You can, if you want images to be even brighter, but the regular mode does the trick. This phone can take a photo in low light either instantly or in a couple of seconds, depending on the setting. The point is, it’s really fast in that regard, and the results are really good. It balances images really well. It pulls plenty of detail from the shadows, but not to the level of overexposure. Thanks to ZEISS’ T* coating, the reflections are kept to a minimum as well. That has been the case with Vivo’s flagships for years, and I’m really glad it’s here. Vivo and ZEISS have been collaborating for a long time, and it shows.
It’s a shame it doesn’t have a periscope camera
I’d much prefer to see a periscope telephoto camera on this phone, in addition to this telephoto camera Vivo included, but… it is what it is. You can zoom in up to a certain level while retaining good details (depending on the scene), but don’t expect a crazy zoom level. Macro photography, on the other hand, is really good. You can see a couple of examples below. Even in a more challenging light indoors, during the night, it managed to do the job. The ring image below shows it best.
The video recording is also quite good
The video recording is also quite good. It’s not the best, as you can see the jelly effect in low light when panning, and there are a couple of other issues, but overall, the video recording is also good. This phone shines when it comes to stills, though; it shines to a level that is hard to put into words. The Vivo X90 Pro is my favorite camera smartphone to date, as it takes full advantage of that 1-inch camera sensor to provide outstanding results. It does take some getting used to, but once you do… it’s a joy to use.
No ZEISS vs ZEISS samples:
Various camera samples (almost all in ZEISS mode):
Vivo X90 Pro Review: Software
Android 13 comes pre-installed on the Vivo X90 Pro, with the company’s Funtouch 13 UI on it. Funtouch is different than stock Android, but it has a lot of stock elements in it. It feels like your genuine Android experience, and it’s miles better than the versions from years ago were. That being said, I did not really notice any major issues with the software. It worked really well, and was quite fluid too. Even the notification center and quick toggles do resemble stock Android, which is always a good thing. That goes for both looks and functionality. You’re even getting that media widget in the notification center, with the squiggly animation.
Funtouch UI has some useful gestures to offer
You can choose whether you want all your installed apps to be on home screens, or if you want a more regular Android experience with an app drawer. The settings screen looks similar to Samsung’s. The overall look is really nice, and as I said, this UI works really well. You do get some extra functionality here too. You can use gestures, for example, you can swipe with three fingers up or down to activate certain actions, such as taking a screenshot, activating a split screen, and so on. I’ve been using this quite a lot, as I did on previous Vivo phones.
This UI does give you the option to lock apps in multitasking, in case a specific app ends up being killed off, and you don’t want that. The RAM management is generally really good, and if you ever have issues with a specific app working in the background, you can always lock it. I had to do that with an app for my smartwatch, for example. I did it from the get-go, and had no issues after that.
There were a couple of smaller issues, but the software overall is really great
I did have a couple of instances when a notification didn’t arrive the second it was supposed to, but that happened only twice. Everything else was basically instant, so I presume that everything will be polished out soon. I have this version of UI on the Vivo X60 Pro+ as well, and it works like a charm. I really don’t have any major complaints about the UI, and I’m pretty sure most of you will be happy with the software included in the Vivo X90 Pro.
Vivo X90 Pro Review: Should you buy it?
The Vivo X90 Pro is one of the best camera smartphones in the market at the moment. Vivo managed to combine arguably the best camera sensor (for smartphones) currently available with excellent software, and ZEISS optics to provide a truly outstanding experience. The Vivo X80 Pro had its issues with consistency, but the Vivo X90 Pro does not show such problems. I do wish Vivo released the Vivo X90 Pro+ globally, as the Snapdragon 8 Gen 2 would offer better battery life, and the periscope camera would be useful. Even without those additions, however, the Vivo X90 Pro is an outstanding offering. Its price tag will play a huge part for most of you, and unfortunately, at the moment, we still don’t know its price tag outside of China. One thing is for sure, though, this phone excels in many ways, and doesn’t really have a lot of downsides. So, if the camera performance is important to you, this is a phone you should consider, definitely.
You should buy the Vivo X90 Pro if:
You appreciate smartphone photography, and want a truly great camera performance
You like vegan leather backplates that are less slippery than glass
You don’t mind a considerable curve on the display
You appreciate and need truly fast wired & wireless charging
You want the peace of mind IP68 certification offers
You don’t want to buy a charger separately
You’re tired of bad in-display fingerprint scanners
SAS Airlines has been hit by a cyber attack. The airline has confirmed that its websites and apps were impacted by the attack – Read on for the latest updates on the cyber attack and how it may have affected SAS customers.
The Scandinavian airline SAS was hit by a crippling cyber attack, after which its website and app went offline. It is suspected that the incident may have leaked the airline’s customer data from the app briefly. The incident occurred on the evening of Tuesday, 14th February.
Reuters reported that the airline urged customers to refrain from using its mobile app, as they might receive incorrect information. Reportedly, some users, including customers from Norway, logged into the wrong accounts and accessed data of other customers. The company’s website remained offline for some time.
SAS’s head of press, Karin Nyman, stated that the issue had been fixed now. The airline didn’t provide details of the incident; however, users have posted resentful comments on its Twitter account in response to the company’s Valentine’s Day message.
The airline asked its Twitter followers if they dreamed of a trip to the “world’s most romantic city this Valentine’s Day?” to which one user replied:
“Well, I’m just dreaming of being able to actually book flights on your website or in the app at the moment,” and shared a screenshot of the downed website.
Some users posted about a technical glitch in the airline website that prevented them from buying tickets; it is not yet clear whether these complaints were resolved or not.
It is worth noting that several Scandinavian media outlets were hit by hackers on the same day that SAS was attacked. This includes SVT, a popular Swedish television channel that became a victim of a DDoS attack by a group named “Anonymous Sudan”.
The hackers stated that the cyber attack was a response to the recent Quran-burning incident near the Turkish embassy in Stockholm.
Popunders are the ideal vehicle to serve ad fraud. In this case, we investigate a scheme where a webpage you can’t see is loading a bunch of ads while code mimics user activity by scrolling and visiting links.
WordPress is an immensely popular content management system (CMS) powering over 43% of all websites. Many webmasters will monetize their sites by running ads and need to draw particular attention to search engine optimization (SEO) techniques to maximize their revenues.
But some people will take a shortcut to gaining traffic by engaging in legal but sometimes fraudulent practices. In this instance, we identified someone buying popunder traffic to promote their websites. A popunder is a very common occurrence online and consists of launching a secondary page under the current one. In itself, it could be considered simply an annoyance and is not malicious except when the website that is being launched uses various techniques to defraud advertisers.
We discovered a few dozen WordPress blogs using the same plugin that mimics human activity by automatically scrolling a page and following links within it, all the while a number of ads were being loaded and refreshed. The blogs would only exhibit this invalid traffic behavior when launched from a specific URL created by this plugin, otherwise they appeared completely legitimate.
In this post, we share the technical details behind this ad fraud scheme and any clues pointing to the developer of this WordPress plugin.
Key findings
About 50 WordPress blogs have been backdoored with a plugin called fuser-master
One of the blogs performing this ad fraud had 3.8 M visits in January, with an average visit duration of 24:55 minutes and 17.50 pages per visit
This plugin is being triggered via popunder traffic from a large ad network
The WordPress sites are being loaded in a separate page underneath and display a number of ads
The plugin contains JavaScript code that mimics the activity of a real visitor: scrolls the page, clicks on links, etc.
The code also monitors for real human activity (mouse movement) and will immediately stop the fake scrolling when that happens
Figure 1: Diagram summarizing ad fraud case
Fuser-master WordPress plugin
Recently we blogged about ad fraud involving a popunder as well, except in that case it was using an iframe to hide the ads. Here, there is nothing hidden at all and the ad fraud can only be deduced when the page is being scrolled down, and back up at random intervals. Because it is a popunder, anyone becomes an unwitting accomplice and does not see any of the fraudulent behavior.
In this investigation, we won’t be spending time on the ad network facilitating these popunders but we have a fairly good idea of which one it might be based on anti-debugging code that they used. What makes popunders particularly enticing for ad fraud is the fact they allow content to be loaded and remain until further action. Unlike the main browser window where a user can easily navigate away from the current website they are visiting, the popunder will remain open for several minutes or even hours, until it is closed.
We were able to trigger the popunder several times and noticed that the fraudsters were using several different blogs that all had the same thing in common, namely they used a plugin called ‘fuser-master’. There aren’t many references for this plugin such as where to download it or who its author might be. We were only able to find one mention from themesinfo.com which is a WordPress theme detector.
Figure 2: A list of websites using the fuser-master plugin
Not all the sites listed in the gallery still exist or are fully functional, but that still gave us a good indication of what was being used to turn standard blogs into ad fraud robots. It’s worth mentioning again that when visited at their homepage, all these blogs are static in nature, meaning we don’t see this kind of zombie activity where the page is scrolling by itself. In the next section, we will look at the URL entry point that triggers that specific behavior.
User check and redirect
All of these blogs appear typical when visited directly, so they would likely pass both a manual and human verification. However, when a special URL (the entry point) is entered with the corresponding parameters, they turn into ad fraud. Below you can see the URL path and its parameters that are being used on all the blogs where that plugin has been installed:
/wp-content/plugins/fuser-master/entrypoint.php?
First, the current user is checked to determine if they should be allowed to enter into the ad fraud scheme or not:
Figure 3: Pre-check for cookies
The fraudsters are using open redirects from Google and Twitter in an interesting way. A keyword from an array corresponding to related Google search terms is picked and added to a Google search URL:
Figure 4: SEO trick
That keyword is chosen randomly and makes up the dynamic redirect URL:
Figure 5: Keyword used in redirect
The next web request is the actual redirect code which also drops some cookies. The URL and code for the redirect will vary based on the different options set up previously:
Figure 6: Google open redirect
Figure 7: Twitter open redirect
The popunder will effectively load the blog via the entrypoint, then immediately leave it to re-enter via a Google open redirect as if someone had clicked on one of the search results. This is what it looks like:
Figure 8: Animation showing open redirect mechanism
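The entry-point-then-redirect sequence described above leaves a recognizable trace in a blog's own access log: a hit on the plugin's entrypoint.php followed seconds later by a re-entry whose referrer is Google or Twitter. The following Python is an added example for site owners and ad platforms, not code from the plugin or from the original investigation; the combined log format, the referrer hosts, the 30-second window and every log line in the sample are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

ENTRYPOINT = "/wp-content/plugins/fuser-master/entrypoint.php"  # path given in the article
REDIRECT_HOSTS = ("google.com", "twitter.com")  # assumption: referrer hosts left by the open redirects
REENTRY_WINDOW = timedelta(seconds=30)          # assumption: tunable threshold, not from the article

# Apache/nginx "combined" log format
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: documentation IPs, placeholder query strings and article paths.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Feb/2023:10:00:00 +0000] "GET /wp-content/plugins/fuser-master/entrypoint.php?placeholder=1 HTTP/1.1" 200 512 "-" "UA-A (constructed)"
198.51.100.7 - - [01/Feb/2023:10:00:03 +0000] "GET /some-article/ HTTP/1.1" 200 9001 "https://www.google.com/url?q=placeholder" "UA-A (constructed)"
203.0.113.9 - - [01/Feb/2023:10:01:00 +0000] "GET /some-article/ HTTP/1.1" 200 9001 "https://www.google.com/" "UA-B (constructed)"
198.51.100.7 - - [01/Feb/2023:10:02:10 +0000] "GET /another-article/ HTTP/1.1" 200 8000 "https://blog.example/some-article/" "UA-A (constructed)"
198.51.100.7 - - [01/Feb/2023:10:04:30 +0000] "GET /third-article/ HTTP/1.1" 200 7000 "https://blog.example/another-article/" "UA-A (constructed)"
192.0.2.44 - - [01/Feb/2023:10:05:00 +0000] "GET /wp-content/plugins/fuser-master/entrypoint.php?placeholder=1 HTTP/1.1" 200 512 "-" "UA-C (constructed)"
192.0.2.44 - - [01/Feb/2023:10:20:00 +0000] "GET /some-article/ HTTP/1.1" 200 9001 "https://www.google.com/" "UA-C (constructed)"
"""


def parse(lines):
    """Yield parsed entries, skipping lines that are not in combined format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield entry


def from_redirect_host(referer):
    """True when the Referer header points at one of the assumed redirect hosts."""
    host = (urlsplit(referer).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in REDIRECT_HOSTS)


def find_entrypoint_sessions(lines):
    """Flag clients that hit the entry point and re-enter via a redirect referrer."""
    pending, flagged = {}, {}   # client -> entry-point time / client -> session summary
    for e in sorted(parse(lines), key=lambda e: e["ts"]):
        client = (e["ip"], e["ua"])
        path = urlsplit(e["path"]).path
        if path == ENTRYPOINT:
            pending[client] = e["ts"]
        elif client in flagged:
            # Later page loads by the same client belong to the automated session.
            flagged[client]["pages"] += 1
            flagged[client]["last_seen"] = e["ts"]
        elif (client in pending and e["ts"] - pending[client] <= REENTRY_WINDOW
              and from_redirect_host(e["referer"])):
            flagged[client] = {"entry": pending.pop(client), "reentry_path": path,
                               "pages": 1, "last_seen": e["ts"]}
    return flagged


if __name__ == "__main__":
    for (ip, ua), s in find_entrypoint_sessions(SAMPLE_LOG.splitlines()).items():
        print(ip, s["reentry_path"], s["pages"], s["last_seen"] - s["entry"])
```

In the sample, only the first client is flagged: the organic Google visitor never touched the entry point, and the third client's Google-referred visit falls outside the re-entry window.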
Faking user activity
As mentioned previously, the blogs will only exhibit their ad fraud nature when visited via the fuser-master plugin’s entry point. We know that this happens when a user was browsing the web, clicked on a page and a popunder was launched. The blog will open up in a new window behind the current window, which means the user is completely unaware of what is happening.
It quickly becomes obvious that there is something odd when the popunder is exposed. We notice the page scrolling back and forth, somewhat randomly, which truly mimics what a human would do when reading an article. When looking at the code we can see that it checks for user activity (more on that later) and only performs this scrolling activity if it has not detected real mouse movements on the page:
Figure 9: Code for automated scrolling
Had the popunder been the same blog without this fake scrolling there would be no reason to suspect mischief. Of course the fraudsters aren’t interested in a static page without any kind of user interaction as their goal is monetization via ads. This invalid traffic needs to look as valid as possible in order to not get flagged by anti ad fraud solutions:
Figure 10: Animation showing automated scrolling
Another interesting aspect of this fraud is how at regular intervals, a new article is being viewed. This makes sense in the context of a standard visitor to a blog continuing on the site by following other articles that they might be interested in reading. Looking at the fuser-master’s code, we see that it tries to get all internal URLs from the currently loaded page and places these links into an array. If we observe what’s happening, we see that after a certain number of scrolls up and down, a different article gets loaded and the scrolling resumes. This fake activity could last from minutes to hours, until it is interrupted by the real human who’s currently at their computer.
Freeze game
At some point, the real user will close their browser or the page that was in front of the popunder. When that happens, all fake activity suddenly stops and the blog becomes static. This is a clever trick to avoid suspicion and reminds us of the ‘freeze’ game kids play. The fraudsters are able to detect when the mouse is being placed over the current page and can quickly stop the code from running.
Figure 11: Monitoring for real user activity
Figure 12: Stopping fake activity after real user is detected
Same web developer built those blogs
Looking through the Internet Archive, we identified an Indian web developer behind several of these sites. Some of the older posts were written by him and the layout such as the scroll bar style and test ads are also identical. There is nothing that definitely proves that this web developer created the ad fraud plugin although he had the technical skills to do so and based on his community WordPress identity was involved in a number of posts about various SEO plugins.
Figure 13: Demo blog using a similar template reused elsewhere
In addition, his own business website also features those blogs in his portfolio and while hovering over the thumbnails we can’t help but notice a scrolling technique very similar to what we saw previously with the ad fraud.
Figure 14: Portfolio showcasing some of the blogs
We contacted one of his supposed customers to let them know about the fuser-master plugin running on their site. While we did not hear back from them, within about an hour the plugin had been removed from their WordPress installation.
Figure 15: Fuser-master plugin was deleted shortly after our notification
If the web developer wanted to earn from this ad fraud scheme, he would need to have his own publisher IDs and overwrite the ones used by his customers; however, we could not immediately verify that this was the case. It’s also possible that the plugin is sold as an “add-on” and that some of his customers are fully aware of it, but we could not prove that either.
Contrary to the previous ad fraud case we looked at, this one does not simply use Google ads. Instead they are going through a number of ad platforms which makes their publisher ID and potential revenue more difficult to figure out. We do know that one of the websites featured in this investigation (momplaybook[.]com) had 3.8 million visitors in January, spending an average of 24 minutes and looking at 17 pages on the site (stats by SimilarWeb).
Figure 16: Malwarebytes Browser Guard
Visiting that same website, Malwarebytes Browser Guard blocked over a thousand ad trackers after a few minutes of sitting idle on the main page. The majority of requests came from Google’s DoubleClick and OpenX, both of which we have informed.
Conclusion
While popunders are a legitimate form of advertising, their very format is susceptible to abuse. For ad fraud in particular, popunders allow websites to be loaded and serve ads that will never be viewed by real humans.
The plugin we identified during this investigation is relatively simple and allows anyone with an ordinary WordPress blog to increase their earnings dramatically. Because regular visitors will come to the blog via a different flow (standard search or referral link), none of the fraudulent behaviors will be shown. All that is needed is to purchase ad space via a large popunder distributor and use the special entry point URL that triggers the fuser-master plugin.
We have shared details about this invalid traffic case with other partners in the industry.
Samsung’s Galaxy A series of phones have been really popular among those looking to save. Also, we can’t rule out Galaxy S users hopping down to the Galaxy A line in the face of the fumbling economy. Well, the Galaxy A23 5G is now being offered at Verizon.
There are two purchasing options that you can choose from. Firstly, you can buy the phone outright for the price of $349.99. However, if you can swing an extra $9.72/month, you can get it on a contract. Just know that this is a 36-month plan. The company may do a credit check, and if it’s not the best, you might have to pay a down payment.
The Galaxy S23 5G is at Verizon, what does it have to offer?
So, since this is a phone that’s meant for budget-conscious folks, you can expect the specs to be rather subdued. This phone is rocking a decently large 6.6-inch LCD display with a 1080 x 2400 resolution. What’s notable about it is the fact that it runs at 120Hz.
Moving onto the internals, the Galaxy A23 5G uses the Snapdragon 695 5G SoC, so you can expect pretty middle-of-the-road performance, but it shouldn’t be bad. This phone has 4GB of LPDDR4X RAM and 64GB of storage. You can expand it up to 1TB with a microSD card.
As for the camera, we’re looking at a quad-camera package. The main camera is a 50MP camera, and it’s accompanied by a 5MP ultrawide, 2MP macro, and 2MP depth camera. At the front, there’s an 8MP selfie camera.
Keeping the lights on, we have a 5000mAh battery. That will keep it powered for a while on a single charge. Speaking of charging, the Galaxy A23 5G supports 25W fast charging.
On the software side, this phone is launching with Android 13 running on One UI 5 out of the box. This means that you’ll have a pretty up-to-date software experience. All in all, the Galaxy A23 5G is a decent phone, and if you’re a Verizon customer, you can pick it up.