For the first time, legitimate Web sites compromised by attackers made up the majority of sites used to spread malicious programs, security firm Websense said in a report published on Tuesday.

In the past, massive attacks aimed at Web sites typically involved defacements by online vandals. Yet, as online crime increasingly becomes motivated by profit, defacements have given way to finding ways to insert iframe redirection code or compromise a site to host malicious software. Earlier this month, for example, security firm Finjan warned that hackers had bypassed security on at least 10,000 legitimate domains to install the Random JS infection toolkit.

Which should be no surprise to anyone. We moved from kids using pings-of-death, DoS, system vandalism and general mischief to complex rootkits that own the box, evade defenses, and keep it a viable platform for attacks that generate criminals revenue. Why would the evolution of the motivation for web attacks follow a different path?