Noah: OK, I just re-read both the Zero Day piece and the alert from WebSense and the way they worded this is very confusing. They say the exploit site is *similar* to the domain name for Google Analyitcs, then they put the legitimate URL as a parenthetical remark. I assumed the parenthetical was the attack site (again, not that Google Analytics access via any of its correct names is anything other than a legitimate statistics service).
You are correct, Noah, is just apparently a CNAME alias for which is then used to bounce users to the analytics page on the main domain.
Neither Zero Day nor Websense actually reveal the name of the active exploit site. In fact, if you try to suss it out from the screen shot on the Websense alert, they have intentionally blurred out the domain name of the attacker. This is infuriating as there is no practical way to verifiably defend oneself from this attack.