On point 6, which I agree with, I would add:
7) Install Ad-Aware and similar plugins in your browser, and if using Chrome make sure "Enable phishing and malware protection" is enabled.

Typically ad blockers like Ad-Aware still allow "trustworthy" ads like Google AdSense and blanket-block anything else. It isn't a perfect fix, but it has saved me from malware in the past, and I usually do my browsing on a Mac. (Most known exploits for Mac involve web browser exploits.)

To explain this a bit further, most people misunderstand this market and how it works.

A good many times, passwords and information have been stolen through malware, which is distributed through browser exploits, such as by embedding it in ads on otherwise legitimate (if poorly managed) websites. This information isn't necessarily stolen by the gil sellers directly (though it could be); rather, the people stealing the information are known to sell it to many such companies. E-mail addresses, common IDs associated with them, and any passwords (not to mention personally identifiable information that can be used for identity theft) are all valuable commodities that aren't merely stolen for direct use, but for their sale value.

This is what most people who assume that this is the result of falling for the gil sellers miss: this isn't a self-contained company. There is a literal black market of account and personal information that is traded or sold by these companies, who in turn use any and all means needed to acquire not a single person's account, but as many people's accounts as they can. It is data mining at its worst. They don't care about a single phish. They want as many people as they can get. If this were about just the people who fell for it, the market would dry up very quickly through normal security measures.