Resolved Question

Google Search Takes Me to Unsafe Website

Feb 23, 2012 3:43AM PST

Recently I did a Google search on the Terms HSA Medigap and received many hits. The preview on one hit looked helpful so I clicked on the link.

My system is WinXP, Firefox 9, and Avira Anti-Virus software.

Avira immediately flagged one or more Trojans and I quarantined them. At the same time, the website put up an apparently fake banner labeled Windows Security Center and said it detected Rootkits and other Malware, and suggested that I "Click Here" to remove them. I immediately shut down the browser.

Here is my question. The site address started with the term e-medigap dot com followed by additional text.

I've also found that www dot e-medigap dot com exists and is likely a legitimate site.

Is there any way to determine if e-medigap dot com is indeed dangerous? There is also the issue of false positives and perhaps the site is OK.

On the other hand, is it possible that e-medigap dot com is posing as a legitimate site but is in fact not safe?

Lastly, do any of the large search engines detect malware and attempt to filter out those hits?

Many thanks, Kent


Best Answer

This one
Feb 23, 2012 5:11AM PST

seems fine; http://www.e-medigap.com/ WARNING! See my additional note below my signature.

I use WOT, Web of Trust add-on for Firefox and when I did a Google search of your term I got this;
http://img18.imageshack.us/img18/9885/examplemedigap.jpg

Notice the (mostly green) circles at the right of each entry in the list. Green tells me that WOT users consider this safe. Red circles warn me away. In addition, if I accidentally visited a site marked red, WOT would then immediately display a pop-over window to warn me that they consider this unsafe. It is then for me to decide to back away or continue.

I wasn't sure if your search term was "Terms HSA Medigap" or "HSA Medigap", but I tried both and the first few pages showed no red WOT warnings.

I didn't specifically see e-medigap.com in either search list, so I Googled e-medigap.com itself and the first link and others relating to the same site all showed the green WOT.

Now, WOT is not conclusive. It is what WOT Members, (like us WOT users), think of web sites and so it is open to interpretation and sometimes open to spamming either for or against certain web sites. But that can be reflected in an Orange WOT spot which helps us to decide whether to risk it or not.

I decided that e-medigap.com (the link I gave at the top of my post), was genuine and visited the web site. I had a quick look at the web page source and couldn't find anything to suggest that this was a redirect, or a scam or anything else, so I felt quite comfortable with it.

You'll notice in my ImageShack image of the Google search that there are no adverts displayed. I use Firefox's AdBlockPlus to remove all web site advertising, and especially in Google and other search engines, because we are aware that search engine advertising can be risky for us users.

One more Firefox add-on I use, NoScript. This prevents all scripts in a web page from loading when I visit the web page. I have to physically allow the scripts from a warning bar at the bottom of the browser to see the full web site. But I can allow "all scripts temporarily" so that, when I leave the web site, they are all removed. I only allow scripts permanently on web sites I myself trust, eg this CNET web site. Some web sites need scripts, and using CNET as an example again, if I didn't allow scripts I could not log in.

You did good in avoiding that "Windows Security Center" scam as it is well known, and causes no end of trouble. And it is good to know that your anti-virus picked it up, even though it was a web page. It seems anti-virus scanners are, at last, able to identify these scams.

As to Google redirecting, you can only be sure about that by trying another Google search, perhaps for an unrelated search term. I suspect that this one slipped through Google's net.

I hope that helps.

Mark

Addendum;

Now here's a strange one, and a good example of where the WOT Community 'may' get it wrong.

In that medigap web site there is a large button which says "Compare". When I clicked that a new page opened to domain search dot com page and WOT popped up with a red warning. I don't know why though because when I visited the WOT score card at http://www.mywot.com/en/scorecard/domainhelp.search.com there was little if nothing to say why it was considered dangerous. In addition this domainhelp search page shows links to its parent company CBS and to CNET, also CBS owned. I'm not convinced WOT is right about this, but that said, it slightly worries me.

Additional Information
Feb 23, 2012 6:47AM PST

Mark,

Thanks so much for a very helpful and informative reply. I will look into WOT and NoScript which both sound like excellent add-ons.

The Google search that I did was just the two items below. HSA stands for Health Savings Account

HSA Medigap

I just did the search again and the e-medigap dot com address shows up among the many hits. In fact, I think I can give you the entire address in parts to make this safe.

e-medigap dot com (where dot replaces the normal ".")

/medicare-supplement-quotes-blog/medicare-supplements-and-hsa-accounts

The second part would be added after the .com.

The malware that Avira quarantined was the following:

JS/iFrame.IS
TR/CRYPT.XPACK.GEN
TR/CRYPT.ULPM.GEN

I'm afraid to actually click on that link again as I spent a lot of time with Malware scans and other actions I take after those kinds of events. This incident feels like the worst malware related experience that I have had even though no harm was done. One wonders what might have happened had I clicked on the link they presented.

Thanks, Kent

P.S.
Feb 23, 2012 7:00AM PST

I forgot to clarify that the site in question does not start with www.

So, there appear to be two versions of e-medigap dot com.

I'm speculating that www dot medigap dot com is safe while the other site may not be.

Kent

I'm not sure
Feb 23, 2012 7:16AM PST

but you may be right.

I thought that www could be ignored by browsers nowadays as it was universal, and so the browser simply assumes www. in front of each address.

But whether it is different or not, the risk is too great in my mind.

Mark

Stay away!
Feb 23, 2012 7:13AM PST

I tried that, e-medigap dot com/medicare-supplement-quotes-blog/medicare-supplements-and-hsa-accounts and this is what I got;

http://img195.imageshack.us/img195/577/hsaa.jpg

I don't understand the difference between the link I gave and the one I just tried. It seems to be another page in the same web site, but nevertheless that is sufficient for me. My anti-virus picked up a trojan alert as shown in the image, "Trojan-Downloader.js.jscript.ab"

That is sufficient for me to say the web site is not safe and that you should consider searching elsewhere.

I've noted my rating at WOT. I think my NoScript may have saved me from the pop-up you got.

Mark

Thank you!!
Feb 23, 2012 12:52PM PST

Mark,

You have really been a great help, and the image you posted showing the Trojan Alert certainly confirmed my experience. This definitely does look like a dangerous site. I intend to download WOT and get familiar with it.

I believe you suggested that the dangerous page with the Trojan may be part of the www.medigap dot com site. That is the interesting question.

I had the thought that the dangerous page and website could be separate and attempting to look the same. Seniors with Health Savings Accounts would be an obvious target for scammers.

Regards, Kent

The only thing I don't understand
Feb 23, 2012 7:06PM PST

is why I never saw this web site when I used the same search term that you did, eg - HSA Medigap but I live in the UK so it is likely my Google.uk search results differ slightly.

You may be right that the infected page is not part of the full web site but my feeling is that, if any visitor can get to that infected page thru' that web site, then the responsibility is theirs to ensure visitors are safe.

Glad I could help, and I wish you luck in your search for your medicare or medicaid solutions. I'm not sure which as I admit that, as a Brit, I don't understand US health services.

Mark

US health services
Feb 23, 2012 11:32PM PST

No one understands this area.
It is a mishmash of semi-connected parts.
Each part controlled by a different fiefdom.......Bummer.

Two other comments
Feb 24, 2012 3:50AM PST

Mark,

I just brought up a Command Prompt and "Pinged" both www dot e-medigap dot com and e-medigap dot com. Both showed the same IP address, although the response showed www even for the second Ping so I can't be sure about what happened.

Many sites will time out if you leave out the www.

Another interesting experiment is to do a Google site:search:

Site:www.e-medigap.com
Site:e-medigap.com

The second search brings up primarily hits with www included.

It certainly does appear that the address I referenced is dangerous and should be avoided. Assuming we are not getting false positives on malware, the next question is whether that site has been hacked or whether the site intended to include spyware of some sort.

Regarding your Google search not finding the same site, perhaps our Google search histories are different enough to result in a different list of hits.

Regards, Kent

Well I have to say
Feb 24, 2012 8:50PM PST

that I am getting confusing returns for this web site.

McAfee's Site Advisor comes up clean, http://www.siteadvisor.com/sites/www.e-medigap.com

WOT refuses to give any red markings in their "View ratings" page for Trustworthiness, here; http://www.mywot.com/en/scorecard/e-medigap.com

But have a look at this; http://www.unmaskparasites.com/security-tools/find-hidden-links/site/?siteUrl=e-medigap.com (page 2)

This is a site suggested to me and one I've not used before. My first visit there to search with the e-medigap.com url gave me this report; http://www.unmaskparasites.com/security-report/

That suggests the site is clean, but I went further on that page and clicked the "Additional Tests to reveal hidden spam links". What I got was the (page 2) link I posted in this post.

All green there, but can you see all the V iagra links, (sorry I had to spread that word out as the forum filters delete it otherwise), and Home Loans, Credit Cards, Cash Loans, and what the heck is "V iagra strip poker"??

I think I can see what is happening, and it is something you mentioned earlier. It is the banner advertising. I believe banner advertising is obtained through Google advertising or similar process and this web site has no control over what the banners advertise. They could do, it just needs a bit of work, but they are not doing it, and so any banner can either get you redirected to some scam site like Windows Security, or advertising for products that we continuously get spam emails for anyway.

So, maybe the site itself is safe, but its advertising policy leaves much to be desired, and that again is a reason I would avoid it.

Mark
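
Added example (not part of the thread, and not how Unmask Parasites, Sucuri or Avira work internally): a Python check that flags off-site iframes and links kept out of a visitor's sight by inline styles or 0/1-pixel dimensions, a common pattern in injected markup of the kind a hidden-link scan or an iframe detection reports. The sample markup, the host names and the function names are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to keep injected markup out of a visitor's sight.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
CONTAINERS = {"div", "span", "p", "ul", "li"}

def site_of(host):
    """Treat www.example.test and example.test as the same site."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

class HiddenContentFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_site = site_of(page_host)
        self.stack = []      # one bool per open container: is it hidden?
        self.findings = []   # (kind, url) tuples

    def _offsite(self, url):
        host = urlparse(url or "").hostname
        return host is not None and site_of(host) != self.page_site

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Hidden by its own style, or because an enclosing container is hidden.
        hidden = bool(HIDDEN_CSS.search(a.get("style") or "")) or any(self.stack)
        if tag == "iframe":
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if (hidden or tiny) and self._offsite(a.get("src")):
                self.findings.append(("hidden-iframe", a["src"]))
        elif tag == "a" and hidden and self._offsite(a.get("href")):
            self.findings.append(("hidden-link", a["href"]))
        if tag in CONTAINERS:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag in CONTAINERS and self.stack:
            self.stack.pop()

def scan(html, page_host):
    finder = HiddenContentFinder(page_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page (not the real site's markup); hosts are placeholders.
SAMPLE = """<h1>Medicare supplements and HSA accounts</h1>
<a href="http://www.example.test/compare">Compare</a>
<iframe src="http://ads.example.net/banner" width="468" height="60"></iframe>
<iframe src="http://bad.example.org/in.php" width="1" height="1"></iframe>
<div style="position:absolute; left:-9999px">
  <a href="http://pills.example.org/">cheap pills</a>
  <a href="/about">About us</a>
</div>"""

print(scan(SAMPLE, "example.test"))
```

The visible banner iframe and the on-site links are not reported; only the 1x1 off-site iframe and the off-screen off-site link are.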

Reply
Feb 25, 2012 3:33AM PST

Thanks for the additional sites and the comments on advertising. I'll need to spend some time on those sites to understand the various results. Advertising could certainly explain the problem I experienced and it would be unfortunate if all sites are vulnerable to that risk.

You mentioned that your Google search never turned up the link that I referenced. I repeated the Google search on HSA Medigap and Google indicates there are 749,000 results! The problem link shows up on the first page for me here in the state of California.

Here is some other interesting information. A Google site search shows 62 results for www.e-medigap and 413 results for e-medigap

site:www.e-medigap dot com
site:e-medigap dot com

I'm still a little confused about why both www.e-medigap and e-medigap exist.

Here is a tool where you can look up the IP Address for any domain and other information is included.

http://www.mxtoolbox.com/DNSLookup.aspx

It appears that the two sites are one and the same. The www version shows domain type CNAME while e-medigap shows domain type A and is apparently under the www version.

Regards, Kent

As Mark previously indicated ...
Feb 25, 2012 5:18PM PST

whether you include the www. or not should get you to the same exact page unless some hacker has inserted some code.

If you use the link Mark just gave you and at the top of the page just beneath where it says Unmask Parasites beta enter each of these URLs you will note two slightly different warnings

Go here - http://www.unmaskparasites.com/security-report/ (Thanks for that Mark as I didn't have that in my "tools")

Enter these two one at a time (replace the *** with a dot):
e-medigap***com/medicare-supplement-quotes-blog/medicare-supplements-and-hsa-accounts

www.e-medigap***com/medicare-supplement-quotes-blog/medicare-supplements-and-hsa-accounts

After seeing what is said there take a look at the same two URLs by entering them at this link:
http://sitecheck.sucuri.net/scanner/?scan=e-medigap.com

I like Sucuri much better than Web of Trust as it actually scans the site rather than depending on member input.

PS - the latest AVAST also gets "real excited" when you go to either link.

You're welcome,
Feb 25, 2012 8:40PM PST

but no thanks due to me. Carol over in S&V provided this online utility for me.

Mark

Excellent Tools
Feb 26, 2012 5:50AM PST

Ed,

I just ran the scans on both of the websites that you referenced after entering each of the two e-medigap URLs.

That is great information, and it is interesting that the two e-medigap URLs produce different results in each case. I agree that Sucuri is a great resource.

With Mark's help and your help, I think one can conclude that the referenced e-medigap site is definitely infected with malware. It is also nice to see that Avira, Zone Alarm, and AVAST all catch the problem.

I repeated the Google site search on e-medigap dot com and www.e-medigap dot com and noticed that the number of hits has declined for e-medigap. It has declined from 413 to 372 and now 370.

Lastly, I tried a Google site search as shown below and get 30 results. The dangerous URL shows up at the top of the list.

site:e-medigap.com HSA

Regards, Kent

Contacted Website
Feb 28, 2012 4:20AM PST

Here is an update. Yesterday I sent an email to an address that I believe is affiliated with e-medigap and described the problem that I experienced.

Today I re-ran the four scans referenced above by Ed, and I believe the results are very different. Three of the four scans appear to show no problem. However, Sucuri still flags a problem on the e-medigap url without the preceding www.

Regards, Kent

Good idea
Feb 28, 2012 9:17PM PST

to send an email as if they are genuine then they need to be aware of these problems.

But it's all confusing though isn't it with these differing results. I still suspect banner advertising, through something like Google Adwords or however web sites grab advertising. If so, then I bet that some of the banner advertising is fine and if the testing is done then, it might come up clean.

Let's see how they respond.

Mark

Answer
Continue here.
Feb 28, 2012 9:18PM PST

We've reached the forum 'sub-thread' limit for replies, so any more can be posted below this one.

Mark

Website Responds
Mar 1, 2012 5:00AM PST

Mark,

I heard back from the website and they thanked me for notifying them about the problem. They actually have three websites which were all affected, and they believe someone may have gained access to the passwords. It sounds as though they have spent quite a bit of time securing all three websites.

My note was actually to GoMedigap which appears to have multiple websites. I just scanned e-Medigap using Sucuri and Unmask Parasites and things look much better, with only one warning remaining on Unmask Parasites.

This has been an interesting experience and I learned quite a bit.

Thanks, Kent

Nice work
Mar 1, 2012 7:56PM PST

and thanks for letting us know.

It's a good effort all round I think and a lot of work put in by all here.

I hope you managed to get the information you needed which you were originally looking for, but I would still give this site a bit of breathing space to sort all their problems out.

Mark

You might point them to ...
Mar 3, 2012 1:40PM PST
Summary
Mar 4, 2012 4:03AM PST

Thanks once again Mark and Ed for your help.

I did pass along the Unmaskparasites and Sucuri website information to my contact at GoMedigap. The costs certainly would be reasonable for the services provided.

I noticed that Sucuri caches previous scans and it may be necessary to do a Rescan. The scan now comes up clean for e-Medigap.

In reply to Mark, I did receive the information initially requested.

1. It was confirmed that the referenced site contained dangerous Malware. The site was apparently hacked by someone with ill intent.

2. The major search engines can take one to an unsafe website. We didn't discuss whether any of those sites detect Malware or blacklist certain sites. Even if they did, a new attack could still present a risk.

3. Tools are available to help any user of a computer. Tools could include a browser add-on such as WOT, or the use of websites that can scan a website or web address.

Regards, Kent