core.insightexpressai.com trojan

Status
Not open for further replies.
Joined
Dec 10, 2013
Messages
4
Reaction score
0
Points
1
Malware in my Safari -- core.insightexpressai.com

I've posted about this in an old thread, but I'm afraid it might be missed. The original poster's concerns were dismissed, but I think this is clearly some form of malware that is attempting, at least, to intercept/hijack or otherwise compromise my attempts to log in to my AOL mail. I am concerned that might not be the only site affected.

I won't get into a battle of semantics as to what form of malware this might be, but this is some form of malware. I have encountered it today on my computer -- in Safari. It appears to be an attempt to redirect me, presumably to an unsafe site. When I first open and when I open other sites on Safari, I seem OK -- but, when I try to access my AOL mail, I get this message:

"Safari can't verify the identity of the website "core.insightexpressai.com".

The certificate for this website is invalid. You might be connecting to a website that is pretending to be "core.insightexpressai.com", which could put your confidential information at risk. Would you like to the website anyway?"

Then, there are 3 buttons: Show Certificate -- Cancel -- and -- Continue

Per directions I saw elsewhere, I removed "all website data" under Safari preferences, but I keep getting this warning.

If anyone could suggest a solution to remove what is some sort of infection/hijack effort, I'd be thrilled.
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,236
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
I won't get into a battle of semantics, but this is some form of malware. I have encountered it today on my computer -- in Safari. It appears to be an attempt to redirect me, presumably to an unsafe site. When I open Safari, I am OK -- but, when I try to access my AOL mail, I get this message:....

<snip>

There is no malware on your Mac. It's a problem with AOL or a message in your AOL mail. Either they are compromised somehow, or there is a hidden tracker in one of your emails. Or something like that. Sorry to be vague, but it is NOT malware on your computer. The mere fact that you only have this problem when trying to access your AOL email is evidence alone of that. Try the tip provided from the discussion on Apple's site below:

https://discussions.apple.com/thread/5032075

Quit Safari. Force quit if necessary.

Relaunch Safari by holding down the shift key and clicking its icon in the Dock. That will stop the bad page from reloading automatically. From the menu bar, select

Safari ▹ Preferences... ▹ Privacy ▹ Remove All Website Data

to get rid of any cookies or other data left by the server. Open your Downloads folder and delete anything you don't recognize.
 
Joined
Dec 10, 2013
Messages
4
Reaction score
0
Points
1
Already attempted...

As I wrote in my post, I already attempted the directions you provided -- to relaunch the browser and then remove all website data. I still get the warning. Also, that warning comes before I've even logged in. All I have to do is put in "mail.aol.com" into the browser bar. So, either AOL is totally compromised -- so that I get this redirect attempt before I even get to the site -- or, it's my computer. The latter seems much more likely, or there would be a flood of people writing about this.


I'm not saying it's only aol. I'm saying that's where I'm encountering it. I'm a little leery of accessing other sites that might require passwords....like, for instance, my banks.

Any further thoughts?
 
Joined
Dec 10, 2013
Messages
1
Reaction score
0
Points
1
a little hesitant

I'm also experiencing this issue today. I've downloaded the Flash Player update from the Adobe website, which is the only out-of-the-ordinary thing I've done today. I do notice my internet running extremely slowly, which it normally doesn't; I have a fast connection with my FiOS service. I am also a little worried about accessing password-protected sites.

Any resolutions yet?
 
Joined
Feb 14, 2004
Messages
4,781
Reaction score
166
Points
63
Location
Groves, Texas
I just went to mail.aol.com and looked at my LittleSnitch Network dropdown. Look at the red arrow. This is an ad network or a cookie that AOL sets on their page. It's probably putting up a pop-up window or your particular Safari can't resolve the cert for the site.
This IS NOT malware. It is something on the AOL mail page. I would suggest you take this up with AOL.

Little Snitch Network Monitor 2013-12-10 14-39-06.png
 
Joined
Dec 10, 2013
Messages
4
Reaction score
0
Points
1
Thanks for your help. Still don't understand why I'm getting a warning about this -- or why the warning says the certificate for the core.insightexpressai.com website isn't valid. But, I guess I won't freak out about it.
 

chscag

Well-known member
Staff member
Admin
Joined
Jan 23, 2008
Messages
65,246
Reaction score
1,834
Points
113
Location
Keller, Texas
Your Mac's Specs
2017 27" iMac, 10.5" iPad Pro, iPhone 8, iPhone 11, iPhone 12 Mini, Numerous iPods, Monterey
The resolution is to get another ISP mail provider other than AOL. I'm not even sure why AOL is still in business with their horrible customer support and poor practices.
 
Joined
Dec 10, 2013
Messages
5
Reaction score
0
Points
1
Thanks all for the suggestions and explanations. I followed the advice of poster lifeisabeach……

Safari ▹ Preferences... ▹ Privacy ▹ Remove All Website Data

and once I did this I no longer am getting the pop up when I go to the AOL log on screen.
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,236
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
Thanks for your help. Still don't understand why I'm getting a warning about this -- or why the warning says the certificate for the core.insightexpressai.com website isn't valid. But, I guess I won't freak out about it.

It may have expired or been a temporary bug. Maybe just flawed information in the cookie AOL was using. Network connectivity issues related to whatever server used to verify their particular certificate. *shrug*
 
Joined
Dec 10, 2013
Messages
2
Reaction score
0
Points
1
thanks everyone

Thanks to all who have been posting. I was able to locate the core.insightexpressai.com item in my Safari privacy settings showing its cookies and plug-in. So far I've removed it on my laptop and now it works! But please note that it didn't actually work until I restarted the computer. So for anyone still having an issue with it, try a restart.
 

vansmith


Retired Staff
Joined
Oct 19, 2008
Messages
19,966
Reaction score
606
Points
113
Location
Queensland
Your Mac's Specs
Too many devices to list
Odds are, given your usage patterns, you'll come up against it again. However, it's little different than other ad platforms. Insight Express is simply an ad platform - it's nothing malicious (website).
 
Joined
Dec 10, 2013
Messages
8
Reaction score
0
Points
1
FISCHYMAC & MACRIVER: I, too, received the following message (yesterday, 12/10) when I attempted to access AOL MAIL via Safari:

Safari can't verify the identity of the website "core.insightexpressai.com".

The certificate for this website is invalid. You might be connecting to a website that is pretending to be "core.insightexpressai.com", which could put your confidential information at risk. Would you like to the website anyway?


No disrespect to those on this site who dismiss this issue. However, (as has been generally stated earlier in this thread), even a cursory search on the 'net reveals DOZENS of references to "core.insightexpressai" being a malicious "browser hijacker." I'm not saying it. They're saying it, including some commercial anti-virus software sites. They all can't be wrong!

I share the sentiments of those on this thread who express hesitation in accessing password-protected sites, fearing potential security problems. Despite my exhaustive research, I cannot find a definitive reason to believe this may not be a security issue, other than people telling me "not to worry." Kinda reminds me of the time I entered an Apple Store to buy my first Mac and casually asked about viruses. The guy looked at me like I had three heads, laughed and said, "Sir, this is an Apple store. Macs can't contract viruses."

Yeah. OK.
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,236
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
Odds are, given your usage patterns, you'll come up against it again. However, it's little different than other ad platforms. Insight Express is simply an ad platform - it's nothing malicious (website).

Exactly. A lot of malware exists to get unwitting eyeballs to view ads, and those ads have to be served up by someone who will also be paying the malware writers for those eyeballs. This doesn't mean the company serving up those ads wrote the malware themselves or are even aware that they are a party to this, but their name is "tainted" as a result.
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,236
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
FISCHYMAC & MACRIVER: I, too, received the following message (yesterday, 12/10) when I attempted to access AOL MAIL via Safari:

Safari can't verify the identity of the website "core.insightexpressai.com".

The certificate for this website is invalid. You might be connecting to a website that is pretending to be "core.insightexpressai.com", which could put your confidential information at risk. Would you like to the website anyway?

Well are you receiving that error TODAY? If not, then refer back to an earlier post where I suggest possible reasons for that to have happened. Even if you are, again, refer back to that post and even the one I just made a moment ago. Just because some malware authors have served up ads in the past from Insight Express doesn't mean EVERYTHING associated with them involves malware. There are many reasons to have gotten that message, not all of which involve malware.

EDIT: and technically, there are no viruses that can infect OS X. There is a handful of malware that include worms and trojans, but no viruses.
 

vansmith


Retired Staff
Joined
Oct 19, 2008
Messages
19,966
Reaction score
606
Points
113
Location
Queensland
Your Mac's Specs
Too many devices to list
The Better Business Bureau gives Insight Express an A+ rating (here).

Let's also remember that Safari doesn't recognize a lot of certificates. Try setting your clock ahead a few years and watch Safari complain about every single certificate it comes across. Remember - Safari complaining about a certificate does not mean that you've got a virus or that you've been hacked.

I just set the year on my computer to 2037 and this is what happened when I went to Facebook:
Screen Shot 2037-12-31 at 7.07.42 PM.png

Facebook did not become a malicious website. The only thing that changed was the date on my computer which, being after the expiry of the Facebook certificate, made the certificate appear invalid.
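
The clock experiment described in the post above, as an added example that is not part of the original thread or written by any of its posters: it checks one certificate against different local clock settings and host names and reports why a browser would reject it. The certificate fields and the `example-ads.test` names are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed certificate fields, in the dict shape returned by
# ssl.SSLSocket.getpeercert(); names and dates are made up for illustration.
SAMPLE_CERT = {
    "notBefore": "Jun  1 00:00:00 2013 GMT",
    "notAfter": "Jun  1 00:00:00 2014 GMT",
    "subjectAltName": (("DNS", "*.example-ads.test"), ("DNS", "example-ads.test")),
}


def _name_matches(pattern, host):
    """Match a host against a certificate DNS name; '*' covers one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def diagnose(cert, host, now):
    """Return the reasons a client would reject `cert` for `host` at time `now`."""
    reasons = []
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.append("not yet valid (local clock is before notBefore)")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("expired (local clock is after notAfter)")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_name_matches(n, host) for n in names):
        reasons.append("hostname not covered by certificate")
    return reasons


def utc(year, month, day):
    """Build a timezone-aware UTC date standing in for the local clock."""
    return datetime(year, month, day, tzinfo=timezone.utc)


if __name__ == "__main__":
    host = "core.example-ads.test"
    for label, when in [("correct clock", utc(2013, 12, 10)),
                        ("clock set to 2037", utc(2037, 12, 31)),
                        ("clock reset to 2001", utc(2001, 1, 1))]:
        print(label, "->", diagnose(SAMPLE_CERT, host, when) or "valid")
    print("wrong host ->", diagnose(SAMPLE_CERT, "mail.example.test", utc(2013, 12, 10)))
```

The same certificate is accepted or rejected depending only on the clock or the requested name, which is why the warning alone does not identify the cause.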
 
Joined
Dec 10, 2013
Messages
8
Reaction score
0
Points
1
Fair enough, however the "pop up" did not warn about "insight express." It warned about "core.insightexpressai," which, according to dozens of credible sites, is a malicious browser hijacker. Furthermore, the "pop up" appeared while attempting to access AOL mail, not the aforementioned BBB "A+" site.

Macs don't get "viruses," by strict definition? OK, but whether attributable to a virus, trojan, worm or Grandma's ravioli, malicious software is nasty. It took a long time (too long!), but I'm glad the guys with the blue t-shirts at my Apple store are finally admitting it. It's sad to see Apple experiencing the problems that plagued Windows for years, but the only reason why Macs were thought to be "immune" for all those years, is because the criminal hackers weren't targeting them.

I hope the Apple guys are more aggressive and vigilant than Microsoft was in addressing this unfortunate and pernicious increase in harmful bugs, which is now finding its way into the Apple-sphere.
 

vansmith


Retired Staff
Joined
Oct 19, 2008
Messages
19,966
Reaction score
606
Points
113
Location
Queensland
Your Mac's Specs
Too many devices to list
Fair enough, however the "pop up" did not warn about "insight express." It warned about "core.insightexpressai," which, according to dozens of credible sites, is a malicious browser hijacker. Furthermore, the "pop up" appeared while attempting to access AOL mail, not the aforementioned BBB "A+" site.
I didn't say that it popped up at the BBB site - I included that to reaffirm what has been said here which is that Insight Express is a normal company, not some malevolent entity.

Macs don't get "viruses," by strict definition? OK, but whether attributable to a virus, trojan, worm or Grandma's ravioli, malicious software is nasty. It took a long time (too long!), but I'm glad the guys with the blue t-shirts at my Apple store are finally admitting it. It's sad to see Apple experiencing the problems that plagued Windows for years, but the only reason why Macs were thought to be "immune" for all those years, is because the criminal hackers weren't targeting them.

I hope the Apple guys are more aggressive and vigilant than Microsoft was in addressing this unfortunate and pernicious increase in harmful bugs, which is now finding its way into the Apple-sphere.
This is all tangential and while you make an important point, none of this is directly relevant to something that happens normally with certificates.

As for the "evidence" online, it's all of questionable quality. This website seems to equate a domain name with malware which is just laughable (that's like me saying that the Ford factory is responsible for how people use their cars) and the second result I found is Yahoo Answers which is, well, Yahoo Answers.

Let's deconstruct this. The core.insightexpressai.com domain is owned by Insight Express (source), "an advertising company that is part of a network of sites, cookies, and other technologies used to track you, what you do and what you click on, as you go from site to site, surfing the Web" (source). Sounds bad and shady until you realize that many companies do this including Google. Returning for a moment to the root of the supposed "malware," most complaints say that the "malware" redirects you to that website suggesting, as many websites do, that this changes your DNS settings. I'm willing to bet that this isn't actually the case. If you go to System Preferences > Network > click your adapter > Advanced > DNS, what does it list?
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,236
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
No disrespect to those on this site who dismiss this issue. However, (as has been generally stated earlier in this thread), even a cursory search on the 'net reveals DOZENS of references to "core.insightexpressai" being a malicious "browser hijacker." I'm not saying it. They're saying it, including some commercial anti-virus software sites. They all can't be wrong!

So if it's on the internet, it must be true...


Dimon-State-Farm.png
 

MacInWin

Guest
They're saying it, including some commercial anti-virus software sites. They all can't be wrong!
No, but they all could be selling something to "fix" the problem.
 