And a fair amount of the blame for the growth of the approach rests on the administrators of those trusted sites.
That is, the malware that makes cross-site scripting (XSS) attacks possible can't get onto legit sites unless a vulnerability exists there.
The vulnerabilities do exist, of course -- Symantec reports over 11,000 such individual site vulnerabilities in just the last six months of last year.
But -- and it's a big one -- the failure of the site administrators to patch known vulnerabilities is as big a problem as the malware (or, from a business-competency perspective, a bigger one).
As Symantec points out about the site vulnerabilities, "only 473 (about 4 percent) of them had been patched by the administrator of the affected Web site..."