The proportion of websites secretly harbouring malware has reached one in 3,000 according to security firm Kaspersky.
It found a surge in the number of web-based attacks in 2010, with more than 580 million incidents detected.
Risk was no longer focused on sites with illegal content, such as pirate films and music, the report said.
Instead, criminals were increasingly using legitimate websites, such as shopping and online gaming.
The malware writers target vulnerable web servers, with owners often unaware of the attack, said Ram Herkanaidu, senior security research at Kaspersky Lab.
"They will put a piece of Java code, for example, onto a website and scramble it so it is hard to notice.
"The Java code runs when you visit the site and redirects the user to malware," he said.
"Previously you could avoid these attacks by not visiting dodgy websites.
"Today the malware writers are targeting legitimate ones," added Mr Herkanaidu.
Kaspersky's figures are based on reports from customers who have joined its security network.
The rise in incidents of web-based attacks far outstripped the number of new members in 2010, indicating the increasing threat, said Mr Herkanaidu.
"It has become the cyber crooks' attack of choice," he said.
The threat from cyber crime is being taken increasingly seriously by government officials.
Last week, the UK government published figures estimating that cyber crime costs the economy £27 billion a year.
Earlier this month, European Union researchers said almost a third of computer users had been infected by malware in the past year.