Gemini Interactive caught distributing malvertizements

You may recall that I theorised that the URLs of the malvertizements displayed at classmates.com may indicate that the malvertizements were supplied by Gemini Interactive (cite: http://msmvps.com/blogs/spywaresucks/archive/2008/03/23/1550951.aspx). You may also recall that all of the malvertizements that I found at classmates.com featured myjewelrybox.com.

I have received, by email, a copy of an advertisement that was supplied by Gemini Interactive for display on several websites. An analysis of the advertisement that I have received indicates that it contains malicious ActionScript code. Also, the SWF features myjewelrybox.com (cite: http://www.adopstools.com/index.asp?page=quicklink&id=ARCI83U67Z7LN8D3).

Please exercise caution when accepting advertising for your web sites. At the very least, run each and every advertisement that you receive through the online click checker at adopstools.com before it goes live; it could save you a lot of grief.


Published Thu, Mar 27 2008 23:23 by sandi

Comments

# re: Gemini Interactive caught distributing malvertizements

Friday, March 28, 2008 5:06 AM by Conrad Longmore

geminiinteractive.net = 89.149.242.64 which is Netdirekt E.k

But, the name servers (e.g. MANAGEDNS1.ESTBOXES.COM) are all on Atrivo/Intercage who are VERY well known for malware through their relationship with Esthost / Estdomains.

Even if you didn't know this, a look at the WHOIS entry for geminiinteractive.net raises so many red flags that even someone with basic technical knowledge could see them. The domain was registered in March 2007, there are no contact details on the registration, no contact details on the site, Googling them shows no footprint etc. These are basic due diligence steps that anybody should do when scoping out a business partner!
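The due-diligence checks listed in the comment above (age of the registration, missing contact details, who operates the name servers) written out as an added example; this is not part of the comment and not a tool the commenter describes. The WHOIS reply is constructed for a fictitious domain (ad-network.example), with the name-server names repeating the ones the comment cites; the watch list of name-server parents and the two-year age threshold are illustrative assumptions, not published figures.

```python
import re
from datetime import date

def parse_whois(text: str) -> dict:
    """Turn 'Key: value' lines of a WHOIS reply into {lowercase key: [values]}; repeated keys are kept."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z /-]*?):\s*(.+)$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2).strip())
    return fields

def registrable_domain(host: str) -> str:
    """Crude last-two-labels reduction (managedns1.example.com -> example.com); enough for this check."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def whois_red_flags(text: str, today: date, suspect_ns_domains: set, min_age_days: int = 730) -> list:
    """Apply the due-diligence rules: registration age, presence of contact details, name-server operator."""
    fields = parse_whois(text)
    flags = []
    created = fields.get("creation date")
    if not created:
        flags.append("no creation date in record")
    else:
        age = (today - date.fromisoformat(created[0][:10])).days
        if age < min_age_days:
            flags.append("domain is only %d days old" % age)
    if not any(k.startswith(("registrant", "admin")) for k in fields):
        flags.append("no registrant or admin contact details")
    for ns in fields.get("name server", []):
        if registrable_domain(ns) in suspect_ns_domains:
            flags.append("name server %s is under %s" % (ns, registrable_domain(ns)))
    return flags

# Constructed WHOIS reply for a fictitious ad network (assumption: not a real record).
SAMPLE_WHOIS = """\
Domain Name: AD-NETWORK.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2007-03-12T00:00:00Z
Updated Date: 2008-01-15T00:00:00Z
Name Server: MANAGEDNS1.ESTBOXES.COM
Name Server: MANAGEDNS2.ESTBOXES.COM
DNSSEC: unsigned
"""

# Illustrative watch list: name-server parents you would not want a new partner depending on.
SUSPECT_NS = {"estboxes.com"}

def check_sample() -> list:
    """Evaluate the constructed record as of the date of the comment above."""
    return whois_red_flags(SAMPLE_WHOIS, date(2008, 3, 28), SUSPECT_NS)
```

Against a live domain you would feed the output of `whois <domain>` into `whois_red_flags` and confirm the name servers with `dig NS <domain>`, since the WHOIS record and the live delegation can disagree. The last-two-labels reduction is deliberately crude (it mishandles suffixes such as co.uk); a public-suffix list fixes that if you need it. None of these flags prove anything on their own, but several together on a domain that wants to push its own creative onto your pages is exactly the pattern the comment describes.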

# re: Gemini Interactive caught distributing malvertizements

Friday, March 28, 2008 5:54 AM by sandi

Hi Conrad,

Nice to see you here, and yes, I read your blog :)

Unfortunately the people who sell advertising time for websites are not technically proficient - they are salesmen and women.

Slowly but surely the awareness is building as education campaigns ramp up, but it's a slow, painful process.

Sometimes I wish for the simple old days of home page and search engine hijackings, aberrant toolbars and basic BHO based drive-by downloads.

Sandi

# re: Gemini Interactive caught distributing malvertizements

Friday, March 28, 2008 12:02 PM by n-blue

I don't know if there was a previous report about a malicious attack hosted on Google Groups. But if you're interested, please take a short look at:

n-blue.nblogz.net/security-warning-google-group

# re: Gemini Interactive caught distributing malvertizements

Monday, March 31, 2008 3:55 AM by Conrad Longmore

Hi Sandi,

I'm glad someone reads it :)

It seems to me that a combination of Adops Tools + VMware + a Linux distro + WHOIS are the basic tools of the trade for checking these things out. It's just a question of getting the steps out to people who buy and sell ads! (errr, OK, that's the tricky part I suppose!)

# re: Gemini Interactive caught distributing malvertizements

Tuesday, May 20, 2008 5:44 PM by Olivier

Hi everyone

I'm in contact with somebody at geminiinteractive.net who wants to buy advertising on my web site; I'm just a salesman ;-), but what you say makes me freak about working with Gemini...

Do you know somebody anywhere who has a real experience with them?

Thanks for your advice.

Olivier

# re: Gemini Interactive caught distributing malvertizements

Tuesday, May 20, 2008 10:39 PM by sandi

@ Olivier

Read this:

msmvps.com/.../1550951.aspx

My personal opinion, as somebody deeply involved in studying and reporting on malvertizements, is that Gemini Interactive is highly suspicious and should be treated with extreme caution.

As you see from this blog entry, I have been given a copy of an actual advertisement supplied by Gemini Interactive to a web site, and that advertisement was malicious.

Sandi

# re: Gemini Interactive caught distributing malvertizements

Tuesday, June 10, 2008 11:02 AM by Bernard from Canoë (Montréal, QC).

Answering Olivier: Gemini Interactive signed me a $100,000 deal in March 08. The contact: Jono Magat. They never sent the material (maybe it's a good thing). So I had to cancel all the reserved impressions. I still don't understand why they did that. The phone number I had is not responding, nor Jono's email, of course...