A few weeks back I received an email for an offer to review an Audit tool by a company named Netwrix. In exchange, the company said they would share my review with their 60,000 contacts which would drive some traffic to my blog. Shane and I researched the tool and it looked like something our readers might value, but we were skeptical of the email. We decided to proceed under the assumption this could be a phishing attack. We wanted to investigate (or just make contact with a legit business).

Email solicitation via our blog contact form.

This message set off several red flags:

1. The company in question is in California, making it 5am at the time the message was sent. It seemed unlikely.
2. I noticed a large bump in traffic from Russia the same day (not from California or any of the locations where the company is located). Traffic from this region was new for us and correlated exactly with this email.
3. I am always skeptical of strange English. Something about his email didn’t come across as a native speaker.

Contact with Alexandra

Upon second contact the “Head of HR” (Alexandra) reaches out to set up a phone call or Skype. Presumably this is to set up a demo of the software they would like us to review. I ask Alexandra if we can set up a quick call to “establish expectations”. She says she is available immediately.

The Call:

Shane and I call Alexandra via the number in her email. Someone with a thick Russian accent answers. I ask for Alexandra, but the person seems confused, puts me on hold, and I am connected to “Alexandra”.

Alexandra explains they have been having technical difficulty and asks if she can call me back on my cell phone and asks for my number. She refuses to give product details or go into any further detail on this call. I offer to call her back, but she pushes for my number. I tell her that I have my business partner on the line and I need to call her back so he can join the call. She dances around the issue, explaining that they have technical issues. This all makes no sense and I am unable to get much more information from her. I thank her for her time and hang up.

Email from Alexandra.

Again, a number of red flags:

1. The whole call. The transfer. The bad English from “Head of PR”.
2. Asking for my mobile phone number. Refusal to give me hers.
3. Email responses were rapid. Who has time for that?

Our Investigation

Shane and I decided to do some digging and here is the circumstantial evidence we came up with:

Site Stats:

A recent bump in hits from Russia.

The Phone Number in Alexandra’s Email:

We traced the number in Alexandra’s email back to a VOIP solution (http://www.level3.com/), indicating we could be calling anywhere and the person calling wasn’t tied to the area code.

Email Header:

The email header had ties to Russia. I have never seen this. Also, it seemed strange for a California/US based company.

Email header with ties to Russia.

What was their end game?

After all of this, one question remained if this was really a phishing or spam attempt: What was their end game? We have a few theories about what they were after:

1. To get us to get on a malicious webex session and try to get into our network.
2. A basic phishing exercise to get our information (who knows what they would have eventually asked for, credit card information?)
3. To get us to download a free malicious copy of their software.

On the other hand – this all could be bad third-party PR. What do you think?

Author’s Note: We can tell by the number of press releases on Netwrix that contacting bloggers for product reviews is clearly part of the Netwrix marketing campaign. It looks like a good product so we have no problem with that. So if anyone from Netwrix reads this and we are wrong, please let us know. Maybe we can even do a review.