I do not know about the malware sites, but I do know for a fact that they do try to scam the hotel's themselves.
The way the scam usually works is that they send an email asking for rooms for four or five people for a ten day period, then asking for the total cost of this and whether the hotel accepts credit cards. As the hotel has no way of know if this is a scam or not, they have no choice but to reply in case it is a legitimate request. When the scammer receives the response, they then send back a message saying that due to some problems with transferring money, they are unable to get money to the travel agent. They would like to give the hotel a credit card number for the hotel to charge, (room and tax plus a small token for their help) and forward the rest on to their travel agent.