Monday, 15 April 2013

newvistalive.com is SPAM! Say no to ICM re email surveys.

Update (19th April 2013) - I'm still getting spam despite being assured that it will stop - read more.
Update (16th April 2013) - I have received a response to the email I sent below - read my next post for more.

Like many people in the UK, I've been called by ICM and completed one or two of their telephone polls (often conducted for organisations such as the BBC, the Guardian and many other media organisations).

Following one of these completed polls, I was asked if I would like to receive polls by email, too, from 'one of our partners' - with the potential to earn some money.  Assuming that I would be able to 'suck it and see', and unsubscribe if I got bored of receiving these emails, I said yes.

It was definitely one of the stupidest mistakes I've ever made.  The surveys come from newvistalive.com (http://www.newvistalive.com) who proudly report on their website how much money their members have earned today.  I've no doubt that some people are completing their surveys and 'earning' money - but I seriously doubt it's as much as they say (close to £3mill today, apparently).  But anyway I digress - that lack of trust on my part is most probably due to the experience I've had with this company.

Despite numerous attempts at unsubscribing, including sending direct emails informing them that I would be taking the matter further (to the Information Commissioner's Office by the way, if you need to report spam), I am still receiving these surveys.  It wasn't spam to start with - as I'd said yes - but now that I have unsubscribed it most definitely IS spam, and the fact that the company involved is supposedly one of the most respected polling organisations in the world is even worse.

After a bit of research, I discovered that newvistalive.com is run by newvista Research.  Trying to find a postal address or head office for this company is nigh-on possible, with the only means of contacting them being an email address on their website.  That's just fucking shoddy - not to mention deeply dubious.

A deeper search on Google yields a page on the website for a company called Creston, which mentions the word 'newvista' a couple of times, and I satisfied myself that there is a direct relationship here between the two.  Surprise surprise, this same company also lists two divisions of ICM in a list on their website.  Some more clicking led me to the 'Insight' division of Creston, which explicitly states that newvista Research is one of its companies.

So my next step?  To email Keith Bates - apparently the head of Creston Insight - with a particularly snotty email about this inability to unsubscribe from newvistalive.com.  The text of this email follows in grey:

Hi

My name is Andras Zoltan. I am on the list of contacts for ICM research following some telephone polling that I have done in the past. Following one phone-call, I was asked if I’d be interested in receiving polls by email, with the potential to earn money.

A day later I received my first email from newvistalive.com. I understand that this website is part of newvista Research which, in turn, is part of Creston Insight. Since you are the head of Creston Insight I am emailing you. This is my work email address – the email address that is ‘registered’ in newvistalive.com is [omitted]. I am happy for you to email me at that address to confirm that I am who I say I am.

After a few weeks of receiving such emails, and ignoring them, I decided it was time to unsubscribe. So I did this, discovering first that the ‘click here’ link that is seemingly helpfully appended to the end of all emails doesn’t actually do anything except take you to the homepage for the website – this is bad. Had I been a less-internet-savvy person I would have assumed that the unsubscribe was complete at this stage.

So I read the FAQ, which informs you that, to unsubscribe, you have to login. However, I’ve never received any login details for the website – so I was curious as to exactly how I would do this. This is also very bad. Many normal people would have given up at this point.

So I went to the ‘forgotten password’ page and entered my email address. Expecting to receive a ‘reset password’ link, I was absolutely astonished to receive an email soon after containing my password.  I hope I don't need to explain to you that having users' passwords stored either in clear text or in any easily reversible encryption form within your assumedly massive database leaves you absolutely wide open to hacking attacks.

If I were a shady Eastern European (or indeed any other stereotyped geographically regional) organisation looking for lists of email addresses and passwords I would be making a bee-line to your website right about now and trying every penetration attack known to man to try and gain access to what could be a goldmine (my assumption being that if your developers are so blasé about security as to do this, then I'm sure your website is probably vulnerable to something like a SQL injection attack or similar).  I am a software developer so I know exactly the kind of thing of which I speak.  I'm sure you have people you can ask that can verify what I say.

For those people who are getting paid by your website, who are the people most likely to have registered a 'real' password instead of the default that is setup for new accounts, you are guilty of the most heinous crime of security irresponsibility and all your customers need to know this - if nothing else so that you enact a change within this company.

Not only that, however, but can you wholeheartedly trust everyone that works for your company?  I'm sure more than one person has at least read-only access to your live database.  If, as is most likely, your users' passwords are stored in the clear, then you're providing one hell of a temptation for someone looking to make some ugly cash on the side by selling a few database records…

Anyway - I proceeded to login and click the unsubscribe link as directed by the aforementioned FAQ.  There's some flannel on that page about some surveys still being sent because 'there may be some surveys still holding in our system for surveys that are already running at the time you have unsubscribed, if you do receive an invite for these please ignore it.'  What utter codswallop - it's just a cover-story for the fact that your unsubscribe process doesn't actually do anything does it!?

…Because, within a couple of days I was still receiving surveys from your bloody website, and a month later in fact.  I then sent an email about 3 weeks ago directly back to your helpful 'contact us' email address, explaining that if I was not removed from the the system completely then I would be taking the matter further.  3 weeks later have these emails stopped? Well, clearly that's rhetorical given that I'm now emailing you, but even so.

So here we are.  I am not under the illusion that this email will be going to your directly, but I sincerely hope that it does reach you soon and that I am removed from this sham organisation's database within 48 hours.  If not, I will be contacting the Information Commissioner's Office and reporting the website as sending spam (since I have repeatedly asked to unsubscribe and have been ignored, it now becomes something they will deal with).  That won't be all I do, but it's a good start I'm sure you'll agree.

I have also posted this email, with context, on my own personal blog at http://lordzoltan.blogspot.com.  I don't have a massive readership (in fact my regular reader count probably stands at a fat zero), but I reckon there's enough links in the content, and with 'newvistalive', 'ICM' and 'spam' being mentioned in the title, that it might slowly creep up the search engine rankings enough to show up in search results for the inevitable thousands of other people that have been/are/will be frustrated by the activities of your organisation.

I look forward to hearing from you in due course,

Andras Zoltan

So there we have it - I have absolutely no faith whatsoever that this will change anything.  But you never know, it just might.  Judging by the situation thus far, however, my guess is that this 'Keith Bates' isn't even real.

By the way, for the non-technical among you, the whole security issue I mention in the email is a really big concern and one that you should definitely be worried about if you have registered on this website with a legitimate password.  Any website that is able to send you your password has got their security massively fucked up and absolutely cannot be trusted with your data.  The issue is not that someone could see your password in your email, it's that anybody who can gain access to their database can see your password.  And believe me, that's not only hackers, but probably any developer that works for them, or has been employed by them - directly or indirectly.  If they use outsourcing for their development then the risk is much higher, too, as someone working for a company temporarily will have much less chance of getting found out if they steal a bit of information here or there.

No comments:

Post a Comment