This type of intranet CSRF hack is super easy to pull off since you only need to place specially-crafted URLs inside of an HTML image tag and post it to any public website. MySpace, WebMail, blogs, message boards, etc. all would make great avenues for snare the unsuspecting. Who knows where the victims in this case were originally exploited. The first person to notice only did so by using ping and spotted an odd IP address.
If we get a third event in rapid succession, I’d say that’s the start of a trend. Perhaps we should start advocating a new best practice, host-based egress rules. Little Snitch works great on OS X. In fact, I’ve already started implicitly blocking intranet connections from my browser specifically to my DSL router IP. Hopefully the browser vendors will give the remaining 99.99% something soon by default.