I would expect to see a code snippet on host sites which does a bit of pass-through disguising, so that what used to be "iframe src=skeezy_virus_mill.ru" looks local. That seems consistent with the arms race in progress...
Some sites do this already. Either with a locally hosted snippet or by doing a CNAME in their DNS that points to the third party so it looks like it's from the same domain.