Paid-to-click Surveys: Your Opinions Don't Matter to Cyber Attackers

Posted by UpGuard

Paid-to-click Surveys: Your Opinions Don't Matter to Cyber Attackers

Does filling out an online survey in exchange for a few bucks sound too good be true? For ClixSense users, this is turning out to be the case: last week, the leading paid-to-click (PTC) survey firm admitted to a massive data breach involving virtually all of its users' accounts—roughly 6.6 million records in total. With so many giving in to the allure of easy money, PTC firms should be on top of securing privileged data of survey takers they're bankrolling. Let's find out how the top 5 compare when it comes to fulfilling this critical responsibility.

The breach—verified by Troy Hunt, creator of the popular data breach discovery engine Have I been pwned?—was first discovered on a post advertising the leaked data for sale. The complete payload purportedly consists of 6.6 million user records and source code from the website. Some examples of the data compromised include plaintext passwords, IP addresses, user birth dates, emails, payment methods, account balances, and payment histories. 

ClixSense has since issued a public notification explaining what the data breach means for its users:

What does this all mean? Simply put, your ClixSense account information is now much more secure. We did a forced password change as a precautionary measure and many of you have already changed your emails as well. If by chance you have used the same password here as other services (such as your email, Paypal or another PTC, etc..) please make sure you change these passwords too.

Thinking positively about the matter is certainly commendable, but does ClixSense's CSTAR ratings—as well as its competitors' scores—reflect a heightened state of security and enterprise resilienceLet's take a look at how each websites' perimeter security mechanisms stack up. 

Scan target's website Now

PTC Company Roundup

It's only fitting that we start with ClixSense—one of the largest and most popular PTC firms and the subject of this latest massive data breach. Launched in 2007, the company also pays users for clicking advertisments and completing offers. Payouts are handled through PayPal, Payza, and Paytoo.

1. ClixSense - 637 out of 950

CSTAR - ClixSense

ClixSense scores an average CSTAR score of 637 for a number of risky security flaws: Lack of HTTP strict transport security, HttpOnly cookies, and secure cookies could lead to various client-side exploits. Additionally, disabled SPF, DMARC, and DNSSEC leave its servers open to forgery.

2. iPoll - 618 out of 950

CSTAR - iPoll

iPoll—previously known as Surveyhead—offers giftcards, sweepstakes, magazine subscriptions, and PayPal payments in exchange for sharing opinions via online surveys. The website shares many of ClixSense's website perimeter security issues, along with server information leakages such as exposed X-Powered-By Header and ASP Net Version Header information.

3. MySurvey - 638 out of 950

CSTAR - MySurvey

UK-based uses a point-based compensation system for redeeming gift cards, cash coupons, and vouchers in exchange for completing online surveys. The company recently added webcam surveys to its range of money-making activities. 

Don't remove that piece of tape from your webcam yet—various security flaws in MySurvey's website security mechanisms leave it vulnerable to being compromised. Its CSTAR score of 638 is a result of various security flaws: server information leakage, lack of HttpOnly cookies and secure cookies, and disabled DNSSEC and DMARC, among others.

4. CashCrate - 315 out of 950

CSTAR - CashCrate

If this PTC's name isn't enough to sound off alarm bells, a CSTAR score of 315 should do the trick. The popular online survey and offer completion website suffers from a myriad of  website perimiter security flaws: lack of DMARC, DNSSEC, secure cookies/HttpOnly cookies, and the like. But unlike the preceding firms' websites, CashCrate lacks sitewide SSL—on top of leaving its server's filesharing ports open. 

5. DollarSurveys- 428 out of 950

CSTAR - DollarSurveys

And Company Name Most Likely to Attract Cybercriminals goes to... okay, it's probably a toss-up between this PTC firm and CashCrate. And like CashCrate, its abysmal CSTAR score is a result of website perimeter security issues common to most firms on this list plus lack of sitewide SSL.  


Any website or service that promises cash incentives or huge payouts is bound to get barraged by user signups and—invariably—cyber attacks. Unfortunately, the massive ClixSense data breach is likely the first of many to come, if these PTC firms' CSTAR scores are any indication. An organization's cyber risk posture is only as strong as its weakest IT assets; a firm's externally facing web assets are arguably the most visible and therefore brand damaging items to be compromised.

UpGuard's digital resilience platform ensures that faulty configurations and security gaps—planned or unplanned—never go unchecked. Get a free UpGuard account today to gain control and visibility into your entire environment, or try out the CSTAR risk grader web application and chrome extension to instantly validate your website's security posture.

Free IT Security eBooks

More Articles

How CSTAR Works

All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform. Learn more about CSTAR.
Read Article >

What's In the Website Risk Grader?

The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
Read Article >

Understanding Risk in the 21st Century

And as we enter 2016, the risk of data breaches in particular threatens to hamper business innovation.
Read Article >

Topics: security, CSTAR, cyber risk

UpGuard Customers