As recently mentioned in the Sophos Security Threat Report, 80% of the websites where we detect malicious content are innocent sites that have been hacked.
A trend that we have observed is that hackers will insert their malicious code into legitimate JavaScript (not to be mixed up with Java!) hosted on the website.
The JavaScript is automatically loaded by the HTML webpages and inherits the reputation of the main site and the legitimate JavaScript.