Saturday, September 16, 2017

How an LG technician broke my phone

tl;dr
  1. I sent my Nexus 5X to LG technical support as it wasn’t connecting to the cellular network.
  2. LG asked for $387 to “fix” it. At the same time the phone is sold for $260+tax at Walmart.
  3. I rejected the fix, and LG returned my phone:
    • With the camera infrared sensor broken,
    • With the camera lens dirty with dust particles inside,
    • With a hit on the Fingerprint sensor.

I usually don’t write complaint posts as I much prefer to handle the situation myself. Yet, this time I cannot help but share my awful experience with LG official technical support and their customer service, as their behaviour has been truly unprofessional.

Here’s what happened.

Try one
My Nexus 5X wasn’t getting cellular signal. I called the LG Customer Service and they gave me a free shipping label to send the phone to their repair center.

After inspecting the phone they asked for a payment of $158 for the repair (budget below). Even though I could have bought a new phone for the price of $260+tax, I decided to go ahead and have it repaired.
When filling in the credit card information in the form they sent me, I made a mistake and entered the card info wrong. Instead of calling me to rectify the mistake, LG shipped the unrepaired phone back to me.

One week later when I received the phone and opened the package, I found that the device had a hit in the fingerprint sensor, which wasn’t there before.

How much it costs to buy a new phone at the time of this incident


Try two
I called LG and explained what happened. They apologized for shipping it back right away without contacting me first, and told me that as the original mistake was made on my part I would have to pay for shipping the phone back to them. I did as requested.

The LG technical support received the phone and two days later returned it to me. I received an email explaining that my repair request was rejected because the phone had run out of warranty. But this was not new; it was already clear that the phone was out of warranty the first time I sent it.

Try three
Once again I called LG and explained what happened. The LG representative apologized for the misunderstanding and provided me with a free shipping label to send the phone back for the third time.

The technician of LG received the phone, and some days later LG sent me a budget for the repair, which is this one:



The cost of fixing it jumped from $158 to $387. This was much more expensive than buying a brand new phone (prices of buying a new Nexus 5X at the time of the budget repair can be found above). I called LG to ask why there was this huge bump in the price of fixing it. They said that the phone was tampered with, that it was opened by an unofficial technician and that it had fake components inside. Out of my best intention and honesty, this is not true. I explained it to the customer service representative but they wouldn’t believe me.

I rejected the repair request and LG proceeded to send me back the phone. When I got the package I found the phone like this:


The infrared sensor is broken. When you open the camera app the phone can’t focus.




This is how the camera works, and the overall state of the phone https://youtu.be/7qWPWmyvcn4

The camera lens has some dust particles inside. When you open the camera app you see several marks like this:

Try four
I called LG and explained all of this from the beginning, putting emphasis on how the LG technician returned my phone more broken than how I actually sent it:
Original problem: no cellular network.
Problems nowadays: no signal, camera useless, hit on the back.
I checked the phone carefully every time I received it, and the problems arose after the third time I sent it.

I definitely doubt that my phone was tampered with or included fake components. All my life I used official technical support for each product’s brand to avoid headaches. Third party technicians are cheaper in the short run, but expensive in the long run. That’s why I never go to third party technicians, ever.

The only possible explanation is that the fake/broken components were introduced by the LG technicians themselves.

Final response from the LG representative
They recommended that I take the phone to a small third party phone technician.
They said they will send a feedback request to the technician that handled my phone.
They said they won’t fix my phone or do anything about the broken state in which they returned it.


I will never buy a product from LG again. LG showed their word to be worthless mainly because of two points:
  • From one repair request to the other, they said the phone was a fake.
  • They broke and returned a phone, just like that. And they didn’t care.


Sunday, August 27, 2017

Instagram: host and victim of a cyber attack

Read this article in English here.

Yesterday I was looking at my friends' "stories" on Instagram when I came across an interesting Adidas ad. I decided to follow the link to see the offers.


Instagram's in-app web browser took me to a fabulous Adidas web page showing discounts of up to 80%. After looking around for a while, I found several products I liked, and it was a very good deal too!

I decided to buy a couple of things, so from my laptop I went to the official Adidas website (finding it through Google). To my surprise, there was no promotion at all. I went back to my phone and opened the page in Chrome instead of in Instagram. Chrome immediately showed me a warning saying that I was entering a dubious website and that I might be the victim of a scam.



This left me perplexed. Leaving my ego aside, as the systems engineer that I am, I have come across attempted scam/phishing attacks many times. But this time it took me by surprise and with my guard down.

There were a couple of clues that raised suspicion, but I paid no attention to them. So my goal in this article is to share these clues in the hope that others will learn about sophisticated scam attempts. Why sophisticated? The criminals behind the attack used Instagram to run a fake advertising campaign. What's even worse, Instagram paid no attention to the deception. Instagram approved the advertising campaign without verifying that some "Juan Pérez" was using the Adidas image to redirect users to a bogus website.

Clue no. 1: The web page's 'domain'
Big brands usually own their own name on the Internet; for example, Adidas surely has www.adidas.com or something similar as its official page. Now, if we look at the domain of the page Instagram redirected me to, we will notice that it has a "-yeezyboost" part.
Note: the domain of a web page is the part that begins with 'www.' and ends with '.com'.


If you ever notice a company using a domain that looks odd or is not similar to the brand name, that is a bad sign.

Clue no. 2: Pay attention to detail
Attackers usually don't invest much time in creating a fully working website. Fake pages sometimes lack finishing touches, or the attackers even make branding mistakes. The following screenshots highlight problems with the floating text, which is misaligned and badly placed. Intuitively, it "looks wrong".



Also, watch for grammar or spelling mistakes, like the ones in the image below. A professional brand like Adidas would never make mistakes of this kind -- publishing erroneous content would give the brand a bad image.
'We' should start with a capital letter in both occurrences.

Clue no. 3: Be a bit skeptical
If it is too good to be true, maybe it is not true at all!

Additional protection
Anyone can be careless, accidentally overlook the clues and try to interact with the scam website. This would let the attackers obtain our credit card information or personal information, or infect our computer. Fortunately there are other ways to stay protected, even for careless users (among whom I include myself).

Use a trustworthy browser! Chrome and Firefox immediately warned me about the scam. But Safari did not. Safari let me browse the scammer's web page, create an account and add products, and it would have let me continue all the way to making a purchase and falling for the scam!

Firefox showing the scam warning.

Note: to give some credit, towards the end of the day (6 hours later) I tried browsing the malicious web page with Safari again, and this time Safari showed a deception warning.


Fun fact: additionally, and to my surprise, I tried to share the page's address by emailing it to myself (using my Gmail account). This is what happened:


Stay alert! When in doubt, check with someone who knows! A human? Yes, or you can also ask Google with this handy tool: https://transparencyreport.google.com/safe-browsing/search

Instagram hosting & victim of a phishing attack

Read this article in Spanish here.

Yesterday I was browsing my friends' stories on Instagram and I saw an interesting ad from Adidas. I decided to follow the link.


The in-app Instagram web browser took me to a fabulous Adidas webpage showing an amazing 80% off on lots of products. I found several products I'd like to buy, because it was an amazing deal!

Having decided to start shopping, I went to my computer and entered the Adidas website (searching for it in Google). To my surprise there was no promotion at all. Back on my phone I opened the URL in Chrome instead of in Instagram. Chrome showed a red warning sign saying I was entering a dubious website and that I was likely going to be the victim of a scam.



I was thrilled to see this. Leaving egos aside, and as a software engineer, I have found myself several times spotting cheap scam/phishing attacks. But this one took me by surprise.

There were some hints that aroused my distrust, but I didn't pay attention. My goal in this blog post is to share these hints in the hope that others will learn about these sophisticated scams. Why sophisticated? Well, the criminals behind this phishing attack were hosting an actual ad campaign on Instagram. What's worse, Instagram didn't pay attention to the fake Adidas ad and posted it without verifying that the brand was being used to redirect users to a fraudulent website.

Hint no 1: Check the web domain
Usually big brands own their own name on the web. So, Adidas is expected to have an official store like www.adidas.com. Now, check below the domain in the screenshot I took from my phone (the domain is the 'words' that start with 'www.' and end with '.com'). See that the domain contains a "-yeezyboost" at the end.


If you ever notice the website of a big brand using a dubious web domain, then that's a bad sign.
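
The domain check from hint no 1 can be automated. The following is an added example, not part of the original post: it treats a link as official only when its host is the brand's domain or a true subdomain of it, and flags hosts that merely contain the brand name. `OFFICIAL_DOMAINS` is an assumption and the sample links are constructed placeholders, not the domain from the screenshot.

```python
from urllib.parse import urlsplit

# Assumption: the brand's real registrable domain(s). The post only names
# www.adidas.com as the store a reader would expect.
OFFICIAL_DOMAINS = {"adidas.com"}
BRAND = "adidas"


def classify(url):
    """Return 'official', 'lookalike' or 'unrelated' for a link target."""
    if "://" not in url:
        url = "http://" + url          # urlsplit only finds a host after '//'
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
    for domain in OFFICIAL_DOMAINS:
        # Exact match or a true subdomain: the official name must be the END
        # of the host, preceded by a dot (so 'notadidas.com' does not pass).
        if host == domain or host.endswith("." + domain):
            return "official"
    # Brand used in the host or in the user@ part, but not on an official domain.
    if BRAND in parts.netloc.lower():
        return "lookalike"
    return "unrelated"


# Constructed sample links (placeholders, not the domain from the screenshot).
SAMPLES = [
    "https://www.adidas.com/us/sale",
    "https://www.adidas-yeezyboost.example/sale",  # brand plus a hyphenated suffix
    "https://adidas.com.shop.example/",            # official name as a subdomain label
    "https://www.adidas.com@shop.example/",        # official name in the userinfo part
    "ADIDAS.COM.",                                 # no scheme, upper case, trailing dot
    "https://news.example/article",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):10} {link}")
```
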

Hint no 2: Pay attention to the detail
Usually attackers don't invest much time in preparing a fully working fake website, or sometimes they make mistakes in the finishing of the website. In the following screenshots you will see that the floating text escapes the top bar, is not well placed and just looks bad.



Also check for grammar or spelling mistakes, such as in the following example. This is something a professional brand like Adidas will never do -- show a bad image by publishing content unprofessionally.
'We' should have been capitalized both times.



Hint no 3: be a bit skeptical
If it is too good to be true, maybe it is not true at all!

Extra protection
Well, anyone can overlook these hints and still try to interact with the malicious website, and the bad guys may be able to get something from us (credit card info, personal info, infect our computers). But fortunately there are other ways to protect ourselves, even for careless and negligent users.

Use a safe web browser! Chrome and Firefox immediately warned me about the phishing attack. But Safari didn't. Safari allowed me to browse the website, create an account, even populate the shopping cart and go all the way.

Firefox alerting about the malicious website.

Note: to give some credit back, by the end of day (~6 hours later) I checked again and Safari is showing a warning stating the website is malicious.


Additionally, and to my surprise, I shared the dubious URL with myself via email, sending an email to myself (within my Gmail account). This is what happened:


Stay safe, and when in doubt check with someone else! A person? Yes, or you can also ask Google using this convenient tool: https://transparencyreport.google.com/safe-browsing/search