In fact, 51% of Web sites infected with malicious code are actually legitimate, but compromised, Web sites. This is actually a stark increase from the 30% or so of infected legitimate sites the company reported for the first half of 2007.
So this means that miscreants -- because the Web site security and development practices of conventional businesses are negligent -- don't even have to go through the trouble of developing and hosting a Web site, or even the bother of deluging everyone with spam designed to lure folks to a Web site trap.
No, all they have to do is find a trusted site that's already vulnerable. And that, unfortunately, seems all too easy.