With digital goods it's probably easier to illegally copy them from victim's machine after they've been (legitimately) purchased, so they are more likely obtained via password grabbers.
I imagine stealing paysites' credentials is a sort of a bike theft of the criminal web - low profit, low risk.
I never figured it out. It is tempting, but nothing I would ever risk myself. There are also a ton of new scams such as "buy this MacBook pro for full price, cancel the order then send me $300 in bitcoin and I'll send it to you" (I know I butchered that process)
The thing is my question would be how stupid it would have to be for things like spotify -- which, being streaming media, is shitty to run across a VPN, and if you were using carded goods on your home computer, traceable back to you easily, when the dispute for unauthorized use hits..
