Exactly. It's the ads embedded on a website, Drudge among many others. The ads run a JavaScript program. It the program is not sandboxed, it gets control of your browser and redirects to a new page that has the malware download from that new page. It's a big problem with ads on websites. The ad companies really need to do a better job, but they are lazy.
Laziness and an unwillingness to spend money on people who know enough about code to detect the problems.