"The attackers appear to be using compromised websites"
There should be some kind of certification process required before a website is allowed on the internet. Even a basic questionnaire would suffice, something along the lines of:
- Does the website run as root?
- Are any of the website's resources marked as 777 (or anything else idiotically loose like that)?
- Are users allowed to upload files with +x permissions?
- Is the admin page accessible by everyone?
Any of those should be grounds for the website being denied from serving pages to the world. It bothers me how many websites out there are set up where the process serving pages is also granted permissions to modify the files it is serving or even files outside of the website's directories. Or in some cases, CGIs that run as root and have both write and execute turned on.
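The checks from the questionnaire above, as an added example that is not part of the original post: a small POSIX shell audit that finds world-writable files under a web root, executable files in an upload directory, and a serving process with no unprivileged worker. The paths, user names and process names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check a web root for the
# mistakes the comment lists. Paths, user names and process names are
# assumptions; adapt them to the host being audited.

# Print one finding per line ("KIND<TAB>PATH") for anything under web root
# $1 that is world-writable (the 777 case) and for any regular file under
# upload directory $2 that carries an execute bit. Symlinks are skipped
# because their own mode is always 777 and says nothing about the target.
audit_webroot() {
    root="$1"
    uploads="$2"
    find "$root" ! -type l -perm -0002 2>/dev/null |
        while IFS= read -r f; do printf 'world-writable\t%s\n' "$f"; done
    find "$uploads" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) 2>/dev/null |
        while IFS= read -r f; do printf 'executable-upload\t%s\n' "$f"; done
}

# Given a captured "ps -eo user=,comm=" listing ($1) and a server process
# name ($2), succeed only when every such process runs as root, i.e. there
# is no unprivileged worker. A master process that starts as root and hands
# requests to www-data workers is normal; pages served by root are not.
all_workers_root() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == p { seen = 1; if ($1 != "root") nonroot = 1 }
        END { exit (seen && !nonroot) ? 0 : 1 }'
}

# Usage on a live host (assumed paths and process name):
#   audit_webroot /var/www/html /var/www/html/uploads
#   all_workers_root "$(ps -eo user=,comm=)" nginx && echo "WARNING: pages served as root"
```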