The goal of cyber criminals is to scam as much money as possible without getting caught. I think that's obvious enough. One more way they cover their tracks is by hosting their malware on sites that aren't even theirs.
This is the hackers did in the Ameritrade email scams. Instead of setting up an entire site just for their malware-infecting purposes, they hacked into a golf site instead and tweaked it so that it served malicious scripts to unsuspecting site visitors.
One of these emails was intercepted by the folks over at Spyware Sucks. There are two variants of these messages currently in circulation. The first reads:
Your statement for your TD Ameritrade account ending in XXX7 is now available online. To view your statement (along with previous statements), please Log On to your account and choose “History & Statements” (under Accounts). Then click the “Statements” tab, select the appropriate month(s) under the “View statements” drop-down menu, then click the “View” button.
The second goes something like:
TD Ameritrade understands the importance of protecting your privacy. We are sending you this notification to inform you of important information regarding your account. If you’ve elected to opt out of receiving marketing communications from us, we will honor your request. Market volatility, volume, and system availability may delay account access and trade executions.
When you get unsolicited emails inviting you to do stuff like update your account or log in to fix some error, check who it's from and see if the links re-direct to a legitimate URL. Otherwise, hit delete or report it as spam ASAP.