Yup, not surprised at all.
You don't even have to pay them actual money. Just give them so many points per piece of malware/spyware/toolbar/search engine change/etc., (give them more points to keep it installed for a month or longer) which they can save up and cash in for crappy quality merchandise and gift cards for major retailers.
You can even pay them points for filling out "surveys" and ask them loads of personal info about any topic, such as their finances. You already have a username/email address, and a password they created on your site (still plenty of idiots out there that will use the same combo for every account they have), and a street address they gave you for where to ship them the gift cards & other junk. Just ask them a bunch of info about their pets, their family, what they think of certain banks and toss in a couple of multiple choice questions about which bank they use and how much money they currently have in their account. Just keep sending them surveys and giving them points, till you have social engineered enough info out of them that you can do whatever you want. While they are out using that $10 gift card you gave them, you'll be logging into their account at their bank's website and doing whatever you want, resetting their email password, taking over their Twitter/Facebook/whatever accounts, etc. You can even make some extra money on the side by getting companies to pay you to send them some legit surveys.
yes, if I were evil, I'd be truly dangerous.
