Fraudsters, who work day and night to steal identities, credit card information and any other online credentials they can monetize, have created an underground malware industry so efficient that one major Internet security firm now calls it “fraud-as-a-service.”

Like legitimate software-as-a-service, the computer tools are offered through the underground industry in an increasingly commoditized fashion, easy to host and deploy, according to RSA, the security division of EMC.

The wide array of resources made available by enterprises over the Web, along with the dual use of computers for personal and business use, “opens the door for Trojan infections” and puts organizations at “an increased risk of data loss,” RSA said in its May monthly report from its anti-fraud command center.

The firm-which claims to have shut down almost 300,000 phishing attacks and protects more than 300 organizations-said that its latest analysis found compromised e-mail addresses at 60% of the Fortune 500 companies and that 88% of the domains used by those same companies had been infected to some extent by the Zeus keystroke-logging Trojan alone.

Credit unions, however, seem to be falling out of favor a bit with phishers, drawing only 4% of attacks on U.S. financial institutions in March, down from 22% in March 2009 and compared with 57% on national banks and 39% on regional banks, RSA said.

The company also said that while evidence of an infected machine or e-mail address does not mean that it's being used for fraud, the potential is there.

“The big question remains: What are cyber-criminals doing with this information once it lands in their hands?” RSA said in its report. “We've witnessed a sharp increase in the number of posts in the underground attempts to sell different types of corporate data to other criminals.”

–[email protected]