Google Search Takes Me to Unsafe Website

Mark,

Thanks so much for a very helpful and informative reply. I will look into WOT and NoScript which both sound like excellent add-ons.

The Google search that I did was just the two items below. HSA stands for Health Savings Account

HSA Medigap

I just did the search again and the e-medigap dot com address shows up among the many hits. In fact, I think I can give you the entire address in parts to make this safe.

e-medigap dot com (where dot replaces the normal ".")

/medicare-supplement-quotes-blog/medicare-supplements-and-hsa-accounts

The second part would be added after the .com.

The malware that Avira quarantined was the following:

JS/iFrame.IS
TR/CRYPT.XPACK.GEN
TR/CRYPT.ULPM.GEN

I'm afraid to actually click on that link again as I spent a lot of time with Malware scans and other actions I take after those kinds of events. This incident feels like the worst malware related experience that I have had even though no harm was done. One wonders what might have happened had I clicked on the link they presented.

Thanks, Kent

I forgot to clarify that the site in question does not start with www.

So, there appears to be two versions of e-medigap dot com.

I'm speculating that www dot medigap dot com is safe while the other site may not be.

Kent

but you may be right.

I thought that www could be ignored by browsers nowadays as it was universal, and so the browser simply assumes www. in front of each address.

But whether it is different or not, the risk is too great in my mind.

Mark

I tried that, e-medigap dot com/medicare-supplement-quotes-blog/medicare-supplements-and-hsa-accounts and this is what I got;

http://img195.imageshack.us/img195/577/hsaa.jpg

I don't understand the difference between the link I gave and the one I just tried. It seems to be another page in the same web site, but nevertheless that is sufficient for me. My anti-virus picked up a trojan alert as shown in the image, "Trojan-Downloader.js.jscript.ab"

That is sufficient for me to say the web site is not safe and that you should consider searching elsewhere.

I've noted my rating at WOT. I think my NoScript may have saved me from the pop-up you got.

Mark

Mark,

You have really been a great help, and the image you posted showing the Trojan Alert certainly confirmed my experience. This definitely does look like a dangerous site. I intend to download WOT and get familiar with it.

I believe you suggested that the dangerous page with the Trojan may be part of the www.medigap dot com site. That is the interesting question.

I had the thought that the dangerous page and website could be separate and attempting to look the same. Seniors with Health Savings Accounts would be an obvious target for scammers.

Regards, Kent

is why I never saw this web site when I used the same search term that you did, eg - HSA Medigap but I live in the UK so it is likely my Google.uk search results differ slightly.

You may be right that the infected page is not part of the full web site but my feeling is that, if any visitor can get to that infected page thru' that web site, then the responsibility is theirs to ensure visitors are safe.

Glad I could help, and I wish you luck in your search for your medicare or mediaid solutions. I'm not sure which as I admit that, as a Brit, I don't understand US health services.

Mark

No one understands this area.
It is a mis-mash of semi-connected parts.
Each part controlled by a different fiefdom.......Bummer.

Mark,

I just brought up a Command Prompt and "Pinged" both www dot e-medigap dot com and e-medigap dot com. Both showed the same IP address, although the response showed www even for the second Ping so I can't be sure about what happened.

Many sites will time out if you leave out the www.

Another interesting experiment is to do a Google site:search:

Site:www.e-medigap.com
Site:e-medigap.com

The second search brings up primarily hits with www included.

It certainly does appear that the address I referenced is dangerous and should be avoided. Assuming we are not getting false positives on malware, the next question is whether that site has been hacked or whether the site intended to include spyware of some sort.

Regarding your Google search not finding the same site, perhaps our Google search histories are different enough to result in a different list of hits.

Regards, Kent

that I am getting confusing returns for this web site.

McAfee's Site Advisor comes up clean, http://www.siteadvisor.com/sites/www.e-medigap.com

WOT refuses to give any red markings in their "View ratings" page for Trustworthiness, here; http://www.mywot.com/en/scorecard/e-medigap.com

But have a look at this; http://www.unmaskparasites.com/security-tools/find-hidden-links/site/?siteUrl=e-medigap.com (page 2)

This is a site suggested to me and one I've not used before. My first visit there to search with the e-medigap.com url gave me this report; http://www.unmaskparasites.com/security-report/

That suggests the site is clean, but I went further on that page and clicked the "Additional Tests to reveal hidden spam links". What I got was the (page 2) link I posted in this post.

All green there, but can you see all the V iagra links, (sorry I had to spread that word out as the forum filters delete it otherwise), and Home Loans, Credit Cards, Cash Loans, and what the heck is "V iagra strip poker"??

I think I can see what is happening, and it is something you mentioned earlier. It is the banner advertising. I believe banner advertising is obtained through Google advertising or similar process and this web site has no control over what the banners advertise. They could do, it just needs a bit of work, but they are not doing it, and so any banner can either get you redirected to some scam site like Windows Security, or advertising for products that we continuously get spam emails for anyway.

So, may be the site itself is safe, but its advertising policy leaves much to be desired, and that again is a reason I would avoid it.

Mark

Thanks for the additional sites and the comments on advertising. I'll need to spend some time on those sites to understand the various results. Advertising could certainly explain the problem I experienced and it would be unfortunate if all sites are vulnerable to that risk.

You mentioned that your Google search never turned up the link that I referenced. I repeated the Google search on HSA Medigap and Google indicates there are 749,000 results! The problem link shows up on the first page for me here in the state of California.

Here is some other interesting information. A Google site search shows 62 results for www.e-medigap and 413 results for e-medigap

site:www.e-medigap dot com
site:e-medigap dot com

I'm still a little confused about why both www.e-medigap and e-medigap exist.

Here is a tool where you can look up the IP Address for any domain and other information is included.

http://www.mxtoolbox.com/DNSLookup.aspx

It appears that the two sites are one in the same. The www version shows domain type CNAME while e-medigap shows domain type A and is apparently under the www version.

Regards, Kent

whether you include the www. or not should get you to the same exact page unless some hacker has inserted some code.

If you use the link Mark just gave you and at the top of the page just beneath where it says Unmask Parasites beta enter each of these URLs you will note two slightly different warnings

Go here - http://www.unmaskparasites.com/security-report/ (Thanks for that Mark as I didn't have that in my "tools")

Enter these two one at a time (replace the *** with a dot):
e-medigap***com/medicare-supplement-quotes-blog/medicare-supplements-and-hsa-accounts

www.e-medigap***com/medicare-supplement-quotes-blog/medicare-supplements-and-hsa-accounts

After seeing what is said there take a look at the same two URLs by entering them at this link:
http://sitecheck.sucuri.net/scanner/?scan=e-medigap.com

I like Securi much better than Web of Trust as it actually scans the site rather than depending on member input.

PS - the latest AVAST also gets "real excited" when you go to either link.

but no thanks due to me. Carol over in S&V provided this online utility for me.

Mark

Ed,

I just ran the scans on both of the websites that you referenced after entering each of the two e-medigap URLs.

That is great information, and it is interesting that the two e-medigap URLs produce different results in each case. I agree that Securi is a great resource.

With Mark's help and your help, I think one can conclude that the referenced e-medigap site is definitely infected with malware. It is also nice to see that Avira, Zone Alarm, and AVAST all catch the problem.

I repeated the Google site search on e-medigap dot com and www.e-medigap dot com and noticed that the number of hits has declined for e-medigap. It has declined from 413 to 372 and now 370.

Lastly, I tried a Google site search as shown below and get 30 results. The dangerous URL shows up at the top of the list.

site:e-medigap.com HSA

Regards, Kent

Here is an update. Yesterday I sent an email to an address that I believe is affiliated with e-medigap and described the problem that I experienced.

Today I re-ran the four scans referenced above by Ed, and I believe the results are very different. Three of the four scans appear to show no problem. However, Securi still flags a problem on the e-medigap url without the preceding www.

Regards, Kent

to send an email as if they are genuine then they need to be aware of these problems.

But it's all confusing though isn't it with these differing results. I still suspect banner advertising, through some thing like Google Adwords or however web sites grab advertising. If so, then I bet that some of the banner advertising is fine and if the testing is done then, it might come up clean.

Let's see how they respond.

Mark