The FireEye researchers wrote:
After compromising the VFW website, the attackers added an iframe into the beginning of the websites HTML code that loads the attackers page in the background. The attackers HTML/JavaScript page runs a Flash object, which orchestrates the remainder of the exploit. The exploit includes calling back to the IE 10 vulnerability trigger, which is embedded in the JavaScript. Specifically, visitors to the VFW website were silently redirected through an iframe to the exploit at www.[REDACTED].com/Data/img/img.html.............For the time being, people should avoid using IE 10 whenever possible, at least until more information becomes available. In general, people who must use IE for compatibility reasons should already use IE version 11, since it has security protections not available in earlier releases. People should also strongly consider switching to another browser altogether.
New zero-day bug in IE 10 exploited in active malware attack, MS warns (updated) | Ars Technica