
Cyber Incident Victim: The Times of Israel

Date:

Sep 2014

Location:

Israel

Summary

A major online newspaper experienced a malvertising campaign redirecting visitors through malicious ads to exploit kits including Nuclear and potentially Fiesta, leveraging vulnerabilities in Flash, PDF, and Internet Explorer. The attack delivered the Zemot Trojan, which established communication with command-and-control servers such as warzine.su and wildkit.su, while also abusing legitimate services like Google Ad services and domains mimicking Amazon Web Services. Another prominent publication was similarly impacted by the same malicious advertising network.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On September 18, 2014, The Times of Israel and The Jerusalem Post online newspapers were compromised by a malvertising campaign that redirected visitors to exploit kits delivering malware. The attack originated through malicious advertisements served on the newspapers' websites, leveraging their high traffic volumes—The Times of Israel alone received approximately 12 million monthly visits, predominantly from U.S.-based readers. The infection chain began when users accessed specific article pages, such as a Lady Gaga-themed post on The Times of Israel, which triggered a series of redirects through ad networks including Google Tag Services, DoubleClick, and Zedo. These redirected users through domains like amazon.wiab-service.se (masquerading as Amazon Web Services) to final payload servers hosted on oppieposmedism.uni.me and domainsfullkolls.biz. The Nuclear Exploit Kit deployed Flash, PDF, and Internet Explorer exploits to install malware, with evidence suggesting simultaneous involvement of the Fiesta Exploit Kit based on URL patterns.


The final payload, detected as Trojan.Agent.BPEN by Malwarebytes Anti-Malware, was identified as the Zemot Trojan. This malware established communication with command-and-control servers at warzine.su and wildkit.su, while also abusing Google’s pubads.g.doubleclick.net service. The attack exploited vulnerabilities in common software to deliver the trojan, which Malwarebytes Anti-Exploit successfully blocked during its execution phase. Malwarebytes Labs researchers documented the full redirection chain and infrastructure, including deceptive domain names mimicking legitimate services, and promptly notified both affected newspapers about the compromise. No specific containment measures or post-incident actions by the publications were disclosed in the available data.
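As an added defender-side example (not part of this incident record or of the Malwarebytes write-up it summarizes), the Python script below scans proxy log lines for the redirector, exploit-kit and command-and-control hosts named in the description, and separately flags hosts that place a brand label such as "amazon" in a subdomain of an unrelated registrable domain, the masquerading trick used by amazon.wiab-service.se. The log lines, the simplified log format, the client addresses, the publisher host newspaper.example and the brand allowlist are constructed assumptions for the example; the indicator hosts come from the description above.

```python
"""Flag requests to known malvertising infrastructure and brand-lookalike hosts
in proxy logs. Example code written for this page; indicators are the hosts
named in the incident description, everything else is constructed."""
from urllib.parse import urlsplit

# Indicator hosts taken from the incident description.
KNOWN_BAD_HOSTS = {
    "amazon.wiab-service.se",   # redirector masquerading as Amazon Web Services
    "oppieposmedism.uni.me",    # exploit-kit payload server
    "domainsfullkolls.biz",     # exploit-kit payload server
    "warzine.su",               # Zemot command-and-control
    "wildkit.su",               # Zemot command-and-control
}

# Brand labels and the registrable domains they legitimately belong to.
# Constructed allowlist for the example; extend it for your own environment.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazonaws.com"},
    "doubleclick": {"doubleclick.net"},
}

# Constructed proxy log in a simplified format:
# <timestamp> <client_ip> <method> <url> <status> <referer>
SAMPLE_LOG = """\
2014-09-18T10:01:02Z 10.0.0.5 GET http://newspaper.example/article/ 200 -
2014-09-18T10:01:03Z 10.0.0.5 GET http://www.googletagservices.com/tag/js/gpt.js 200 http://newspaper.example/article/
2014-09-18T10:01:04Z 10.0.0.5 GET http://amazon.wiab-service.se/ads/banner.php 302 http://newspaper.example/article/
2014-09-18T10:01:05Z 10.0.0.5 GET http://oppieposmedism.uni.me/xyz/landing.php 200 http://amazon.wiab-service.se/ads/banner.php
2014-09-18T10:01:09Z 10.0.0.5 POST http://warzine.su/gate.php 200 -
2014-09-18T10:02:00Z 10.0.0.7 GET https://s3.amazonaws.com/bucket/file.js 200 -
2014-09-18T10:02:10Z 10.0.0.7 GET http://amazon.example-cdn.biz/lib.js 200 -
"""


def registrable_domain(host):
    """Return (registrable domain, subdomain labels) using a naive
    'last two labels' rule. Production code should use the Public Suffix
    List so that names like example.co.uk are split correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def classify_host(host):
    """'known_ioc' for hosts named in the incident, 'brand_lookalike' when a
    brand label appears as a subdomain of a domain the brand does not own,
    otherwise 'ok'."""
    host = host.lower()
    if host in KNOWN_BAD_HOSTS:
        return "known_ioc"
    reg, subs = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in subs and reg not in legit:
            return "brand_lookalike"
    return "ok"


def scan_log(text):
    """Parse each log line and return the requests whose host is suspicious."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line; a real collector should count these
        ts, client, method, url, status, referer = parts[:6]
        host = urlsplit(url).hostname or ""
        verdict = classify_host(host)
        if verdict != "ok":
            findings.append({"ts": ts, "client": client, "host": host,
                             "verdict": verdict, "referer": referer})
    return findings


def chains_by_client(findings):
    """Group flagged hosts per client in log order, which reconstructs the
    redirector -> exploit kit -> C2 sequence for an infected machine."""
    chains = {}
    for f in findings:
        chains.setdefault(f["client"], []).append(f["host"])
    return chains


if __name__ == "__main__":
    for client, hosts in chains_by_client(scan_log(SAMPLE_LOG)).items():
        print(client, " -> ".join(hosts))
```

Because the check is keyed on the referer-carrying log line, the same script run over real proxy logs also shows which publisher page and ad-network request preceded the first suspicious host, which is the evidence a responder needs to attribute the infection to a malvertising chain rather than to direct browsing.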

Sources

1 source (available to members)