Most of the users who succumb to these avenues of credential theft probably have passwords easily guessed by modern smart brute-force all-source "dictionary attack" tools (which all have character replacement algorithms to deal with the "clever" passwords that are still actually easy for these recent tools), surely available in the darknet somewhere if not easily found on the normal nets.
I.e., people who just don't understand basic system security. It's not difficult to keep Windows clean (don't any of you start singing the praises of *nix or anything dammit! although that too helps 😛), but your safety also demands passwords that algorithms just can't get because there is no essential human-understood reference (which is what makes it easy for the current algorithms).
But it also helps having some basic security - I keep most of my regular browsing in Chrome because I love the integration and it's snappy, and I like the extensions I do have. For browsing anywhere I find possibly suspect, it goes into Firefox (private browsing mode), where NoScript locks things down tight. Still have to have caution because for many sites you have to allow through NoScript, which removes the security. But most sites themselves are fine, it's something embedded that has a proxy or another web source entirely, and that link is blocked until given permission. I only allow the minimum amount of web traffic at any site until I can fully utilize what I need. Might even leave basic Google ad links or anything denied, everything but the core experience. And you obviously have to be careful about which websites you even trust for the core web data.
And of course keeping JavaScript, Flash, Adobe Reader, and any other plugin of that nature always up to date. One can practice all safe tips, forget those and stumble upon a website making use of a security flaw that exists in your version but not in the emergency patch that was released the other day, and succumb to a wide range of malware.
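The point above about character-replacement rules defeating "clever" passwords can be turned around into a defensive check. This is an added example, not code from the post: a password-policy filter that undoes common substitutions and trailing decorations the way a cracking rule set would, then rejects anything that collapses to a plain dictionary word. The word list and substitution table are constructed for illustration.

```python
from itertools import product

# Constructed stand-in for the word lists a real cracking tool would load.
DICTIONARY = {"password", "welcome", "dragon", "summer", "letmein", "hello"}

# Substitutions a "clever" password leans on; some characters are ambiguous
# (1 may stand for i or l), so each maps to every plausible letter.
LEET_MAP = {
    "@": "a", "4": "a", "8": "b", "3": "e", "6": "g", "9": "g",
    "1": "il", "!": "i", "|": "il", "0": "o", "$": "s", "5": "s",
    "7": "t", "+": "t", "2": "z",
}
# Digits/punctuation that typically get tacked on as "Summer2024!" style tails.
DECORATION = "0123456789!@#$%^&*()_-+=.,?"


def candidates(password: str, limit: int = 256):
    """Yield every plain-letter reading of the password, i.e. undo the
    substitutions a rule engine would try; bounded so odd input cannot blow up."""
    core = password.strip(DECORATION).lower()
    options = [LEET_MAP.get(ch, ch) for ch in core]
    for n, combo in enumerate(product(*options)):
        if n >= limit:
            return
        yield "".join(combo)


def is_dictionary_derived(password: str) -> bool:
    """True if any de-leeted reading of the password is a plain dictionary word."""
    return any(word in DICTIONARY for word in candidates(password))


def check_password(password: str) -> str:
    """Policy decision a registration or password-change handler could apply."""
    if is_dictionary_derived(password):
        return "reject: dictionary word with substitutions"
    if len(password) < 12:
        return "reject: too short"
    return "ok"


if __name__ == "__main__":
    for pw in ("P@$$w0rd!", "Summer2024!", "L3tM3!n", "xk3!qZ9pLm"):
        print(pw, "->", check_password(pw))
```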