I <think> the way it works is they send every new poster on CL an email making it sound like an interested buyer. You reply via email. And so do at least 60-90% of the CL ad posters. Then scammers go ahead and start trying a couple of passwords. Their bound to hit after a couple of million, wouldn't you think?
I got hacked on hotmail. After some CL listings. And then I got spam. Then a bunch of friends got requests for a few large to get me home for Spain after getting rolled by a gang. Of course, they called me, but they were going to wire money over (ya, tech dummy friends, but good friends nonetheless).
So, now I still post on CL, but state in all ads that the buyer needs to reply with a phone number and when it's a good time to call back. I never answer a CL ad via email. And when I call back, I set my phone at anonymous.
I could be wrong, but I would also say if they had a keylogger on my pc, they would have been able to get much more than a stupid hotmail address. None of my threat software ever picked up anything.