Brian Krebs has a post on his "Security Fix" blog, on the subject of password thieves.
I based the story [on the epidemic of data theft] in part on a cache of stolen data I found online (more on how I obtained it in a bit). The data was being compiled by a password-stealing virus that had infected many thousands of computers worldwide; the particular text file that I found included personal information on 3,221 victims scattered across all 50 U.S. states.
Using a custom-built application that makes use of the Google Maps API, I was able to chart the approximate locations of the victims. This was possible because at the beginning of each record was the virus's best guess of the longitude and latitude of the infected computer's Internet address. ... Scammers collect information about the location of their victims because it becomes useful when they want to conduct fraud with a hijacked credit or debit card account. The idea here is to evade a key component of fraud detection in the financial industry -- transaction location tracking.
The victim I lead the story with works as an engineer for the Architect of the Capitol. On Jan. 19., the scammers tried to use his stock investment account to purchase thousands of shares in a penny stock for an adult entertainment company (AVTR.PK). This activity was directly related to a "pump-and-dump" scam, where the bad guys use spam to tout the value of small cap stocks that they've just invested heavily in with someone else's money; when the price goes up, the crooks sell off their shares, flooding the market with the stock, which usually causes anyone who has heeded the advice of the spammers to lose any money they invested.
My analysis also turned up login information for Accurint.com, a consumer database company used by many police departments and investigators to track down individuals. Imagine the damage an identity thief could do from looking up the Social Security numbers and other sensitive data on as many Americans as he wants. Fortunately, I was able to get in touch with the gentleman who owned the Accurint credentials, an investigator with an Alabama district attorney's office, who changed his password before the thieves had a chance to use the account.
So how did I find the stolen data online? I found it by scanning a piece of malware containing the crafty virus that I received via e-mail. I submitted the malicious software to the Norman Sandbox, which attempts to deconstruct malicious programs and provide information about any lines of communication the malware tries to establish online. In this case, the scan showed that the malware tried to transmit data stolen from infected machines to a Web site in Germany. Sunbelt Software's "malware sandbox" was equally helpful in understanding how this virus worked.