
Cyber Incident Victim: The Jerusalem Post

Date: Sep 2014

Location: Israel

Summary

A malvertising campaign targeted popular online newspapers including The Jerusalem Post, redirecting visitors through malicious advertisements to exploit kits such as Nuclear and potentially Fiesta. The attack leveraged vulnerabilities in Flash, PDF, and Internet Explorer to deploy the Zemot Trojan, which communicated with command-and-control servers including warzine.su, wildkit.su, and domains masquerading as legitimate services like Google Ad services and Amazon Web Services. The malicious payload was delivered via obfuscated URLs and redirection chains involving third-party ad networks, leading to unauthorized code execution on compromised systems.

CIA Posture: Available to members
Motives: 2 motives (available to members)
Tactics, Techniques & Procedures: 1 technique (available to members)
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On September 18, 2014, a malvertising campaign impacted the websites of 'The Times of Israel' and 'The Jerusalem Post', two prominent online news platforms. The attack originated from malicious advertisements injected into the sites' advertising networks, abusing legitimate ad-serving infrastructure such as Google Ad services (pubads.g.doubleclick.net) and Zedo (d3.zedo.com) to deliver exploit code. Visitors to affected pages, such as a Lady Gaga article on The Times of Israel, were silently redirected through a multi-stage chain involving domains like amazon.wiab-service.se (disguised to resemble Amazon Web Services) and oppieposmedism.uni.me. The chain terminated at a Nuclear Exploit Kit landing page, which served exploits targeting vulnerabilities in Adobe Flash, PDF readers, and Internet Explorer, ultimately installing the Zemot Trojan (detected as Trojan.Agent.BPEN). Malwarebytes researchers confirmed the campaign also exhibited characteristics of the Fiesta Exploit Kit through specific URL patterns (domainsfullkolls.biz), suggesting potential overlap between multiple exploit kits.


The Zemot Trojan established communication with command-and-control servers at warzine.su and wildkit.su, enabling unauthorized remote access to compromised systems. Malwarebytes Anti-Exploit successfully blocked the exploitation attempts during analysis, while Malwarebytes Anti-Malware identified the final payload. The incident's scope was significant due to The Times of Israel's estimated 12 million monthly visits, primarily from U.S.-based readers, though the exact number of affected users remains unspecified. Researchers notified both newspapers about the malvertising activity, though no details regarding their internal remediation actions or downtime were disclosed in the available report. The attack demonstrated threat actors' ability to abuse trusted advertising infrastructure to distribute malware at scale, compromising user devices through drive-by downloads without requiring any direct user interaction.

Sources: 1 source (available to members)