Thorsten Holz, one of our partners in our Sunbelt CWSandbox has published a good paper on the underground economy.
We study an active underground economy that trades stolen digital credentials.We present a method with which it is possible to directly analyze the amount of data harvested through these types of attacks
in a highly automated fashion. We exemplify this method by applying it to keylogger-based stealing of credentials via dropzones, anonymous collection points of illicitly collected data. Based on the collected data from more than 70 dropzones, we present the first empirical study of this phenomenon, giving many first-hand details about the attacks that were observed during a seven-month period between April and October 2008. This helps us better understand the nature and size of these quickly emerging underground marketplaces.
You can read the paper here. Heise has also done a writeup on this paper (here).
Alex Eckelberry