Residents’ personal details may be at risk from compromised IT systems at a market research business working in our area
In posts to multiple Facebook community groups, with memberships totalling more than 50,000 users, a market research focus group recruiter has been publicising a questionnaire this week, to recruit Hillingdon residents from the wards of Colham and Cowley, Hillingdon East, Uxbridge, West Drayton, Charville, Hillingdon West, and Yiewsly (sic – that’s their spelling).
Offering £60 for residents to attend a focus group, paid for by, as they said, “the end client who… is likely to be one of the main political parties“, the focus groups are to be held this week for 90 minutes each.
This itself may be unexceptional, but the market research company running the focus groups, We See Through (WST Research Limited) has had its website compromised. With little care or security on their website, it remains to be seen how carefully they would treat residents’ personal details. It is not clear how data is handled once it has been submitted through the Google Workspace form linked from the Facebook posts.
Concerns about residents’ personal data
While the initial questionnaire is hosted on Google Forms (which is secure), the data is eventually downloaded by the agency. If their public-facing website is infected with malware, there is a high probability their internal office computers are also compromised, putting any resident data they download at immediate risk.
One Facebook user said “I did start filling out the questionnaire BUT a lot of local political questions then straight on about national politics and reform just reform. Sounds like a set up …no one will do the interview and you get us to fill out the questionnaire which is all the information you want in the first place.”
The recruiter responded to say “we are an independent market research agency. If you do the research it will be professionally managed to reflect your views. We have 20 places available” but we have concerns about the market research agency, given that their website has been compromised by a botnet utilising Russian-origin tracking software (Yandex Metrica) to harvest visitor data.
Visitors to agency’s website are redirected variously to adult dating websites, pornographic video websites, affiliate marketing websites, online bookmakers, and websites selling beauty products through affiliate marketing schemes.
We strongly recommend that residents do not give any personal details to this agency, and that anyone who takes part in the focus groups exercises extreme caution.
One of the original posts, advertising the focus groups:
We recorded a video of the compromised (hijacked, or “hacked”) website redirecting to several of the different targets, and uploaded some to YouTube – but their content was so lewd that our YouTube channel was warned for posting explicit content!
You can see one of the ‘cleaner’ websites in the video below, and watch the simple steps on how to see the exploit: we simply tapped on the Facebook post’s link to the Google Form, and in the form the We See Through agency’s website address is shown: tapping on that opens our phone’s web browser, where the WST website is shown for a few seconds… before the compromised code takes over, and redirects us to one of the pool of what seems to be about a dozen different websites:
Irresponsible lax security practice
Our technical analysis of the WST website suggests it has been abandoned by its administrators since 2016. The site is running software that is 10 years out of date, and the copyright footer still reads ‘2016’. This decade of neglect is likely a contributing factor to what allowed the malicious actors to inject the malicious code.
Looking at the website’s source code confirms it has been infected with at least a ‘conditional redirect’ script. The hackers have injected a command (hidden inside a fake ‘jQuery’ file) that waits exactly five seconds before forcing your browser to navigate to a Russian-linked traffic distribution system, and that all visits are tracked by a ‘Yandex’ tracker – meaning that a Russian tracking system has collected the IP addresses of visitors to the We See Through marketing agency’s website.
Furthermore, the site is structurally abandoned. It is running a version of WordPress from 2016. This level of digital negligence suggests that WST Research Ltd has effectively lost control of their own IT infrastructure.
Funded by a political party acting in Hillingdon
As the Facebook post advertising the focus groups does not reveal which political party is funding this research, we do not know who is paying for the data collection, and naturally, with insecure IT systems at We See Through – at least on their public-facing website, we do not know who else may have access to residents’ details.
We aim to find out, and report back – so will update this page after contacting We See Through, and each of the main political parties who may be operating in Hillingdon.
The local elections will be held on 7th May, where all 53 councillor seats are up for election, and control of our Council is at stake. The Conservatives lead Hillingdon Council at the moment, having 31 of 53 Councillors, but we understand that both Labour and Reform UK will be contesting every ward in the hope that they can win control.
Update: 09:00 Tuesday 10 February
We note that the We See Through website has disappeared overnight: this is a good sign, that the website is being worked on.
Update: 14:00 Tuesday 10 February
We heard back from our enquiry to Hillingdon Labour:
To be absolutely clear, Hillingdon Labour has not instructed We See Through to conduct any focus group work, nor have we had any contact with them.
As such, Hillingdon Labour is not involved in, nor responsible for, any activities undertaken by that organisation, including the processing or handling of residents’ data.
We would also encourage residents not to give any personal information to this agency.
Update: 15:00 Wednesday 11 February
We have now also heard back from our enquiry to Reform UK Hillingdon:
At no time has Hillingdon Reform UK instructed We See Through to conduct any focus group work.
The We See Through website remains offline.