The IDG attack did not work initially, but succeeded when security software called NoScript was disabled on the Firefox browser, running on a Windows XP machine.
I'm guessing they used XSS to perform the man-in-the-middle attack and snatch the username+password+security code, but initially it didn't work on the journalist's computer because he had NoScript installed.
From what little I could glean, it sounded like the attackers used some kind of CSRF attack that required the target account to log in.
IDG probably logged in with NoScript enabled, preventing the attacker's script from being run by IDG's browser. Disabling NoScript allowed the CSRF attack to work properly. The website was merely an unwitting pawn.
The IDG attack did not work initially, but succeeded when security software called NoScript was disabled on the Firefox browser, running on a Windows XP machine.
Oh my.