Since NoScript just lets you block JavaScript, I'm guessing their powerful security system was nothing more than a few lines of JavaScript code?


I'm guessing they used XSS to perform the man-in-the-middle attack and snatch the username+password+security code, but initially it didn't work on the journalist's computer because he had NoScript installed.


On my first read, I thought it was just shoddy editing, but I think you're definitely on the right track with this.


From what little I could glean, it sounded like the attackers used some kind of CSRF attack that required the target account to log in.

IDG probably logged in with NoScript enabled, preventing the attacker's script from being run by IDG's browser. Disabling NoScript allowed the CSRF attack to work properly. The website was merely an unwitting pawn.
