It's injecting the malicious script into the source of http pages. With httpS, this is not possible unless you also change the root certificate of the computer.