the simplest malware is a website

i have never done it, but known people that have and it is so simple and never catches a single eye

you download and install wordpress and set up a good strong blog, set up a free user based subscription and that is it

most computer/internet users have 1-5 email addresses and two of those are used more than the rest

most users have three main passwords and two others

passwords vary by user based on the three security password configs, any number letter combo six keys or more, must have a letter and a number and the last that adds the special character requirement

for example, depending on the website requirements a normal user may have these three main passwords

password
password123
password123$

when they sign up for your blog, they are likely using their secondary/spam catch email and one of those main passwords

when they signed up for a bank account, paypal or another main service, they used their main email and one of those passwords

a word press site that requires a special character, number and text has just about gotten all three passwords by simply working backwards, don't spam the subscribers and ask them for a second recovery email account after thirty days and you will have the primary email, probably, if not, that is a pretty easy find on the internet

no viruses, no Trojans or keyloggers, just human nature and the inability to remember too many damned passwords

i have know developers to take it one step further and modify the sign up process, the signup would keep telling the person that the email was already in use three times and get three email addresses and then the password setup script was modified to be a real pain and say no to the simple password, asking for a capital and number, then after that password, add the special character request and boom, three main passwords and three email addresses, worse case scenario, the person gets frustrated and leaves the site