Hackers automatically create pages with popular keywords (breaking news...) based on resources like Google Trends. They create networks of crosslinked bogus pages hosted on compromised, legitimate websites. When a crawler comes along the page is fed to the search engine.
When a user is redirected to the URL by a search engine, the site detects that this is a normal browser access and redirects the user to malware sites. A paper by Sophos explains the technique.