Researchers at Finjan's Malicious Code Research Centre have notified US media company CBS that one of its online pages has been compromised in this way.
"The injected script then dynamically injects an IFrame that pulls malware from a remote server locating in Russia," said Yuval Ben-Itzhak, Finjan's CTO.
Finjan has taken the criminal server offline, but the attack confirms that code hidden in legitimate websites poses a serious threat to internet users, he said.
According to Finjan, the use of obfuscated code or code written in such a way as to make it difficult to detect, is increasing.
Such code is effectively hidden in legitimate websites because the function of the code is not clear because of the way it is written and it by-passes traditional signature-based malware detection methods.
The attack on the CBS website highlights that no website can be totally secure against a system hack and consequent infection of visitors' PCs, said Ben-Itzhak.
Finjan said all businesses should install a secure web gateway to protect valuable data from being compromised by malware and conduct regular malware detection audits.
All users are advised to exercise caution when visiting Web 2.0 enabled sites such as social networking sites and not to rely on signature-based security software.
The best defence against this rapidly growing attack method is to use proactive, behaviour-based IT security technology that analyses every piece of content.