Its only a few pennies for a 100 social security #s. So infecting a PC w/ malware that can send data back and forth, whether its instructions to infect other PCs or DL info back to the bot herder is pretty simple in terms of hiding it from anti-virus software. Cuz all you have to do is make little changes, so its undetectable for the mean time. Places that are easy to attack are third-party companies that take the insurance risk of holding major companies' customer information. These third-party companies become compromised and then turn into real-deal spam mailers.
Chasing these people is very hard, because they use rogue ISPs that mask their clients' IP addresses and spoof their whois info, while the hackers can jump between these ISPs to mix it up.
Russia was able to cripple all communications, internet, and some place power grids of the country, Georgia. That's true cyber-terrorism. The same goes for China. They can shut-down internet and communications within itself to stop mass panic for example the latest Muslim rebellion in the north and Tibet demonstrations.
The US just passed a law to allow the same. Stating that its for the purpose of stopping the spread of a global/super-virus or worm, but its more like public censorship. The times are changing for better or worse, its changing fast.