A company called RT66 appears to be injecting code into secure Web-sessions, possibly with collusion from ISPs like CMA Communications. No one's sure how they're doing this, neither RT66 or CMA are answering questions, and it's bad news all around.