Have you, by chance, made any purchases from monoprice.com this year between Feb 1st and March 16th? If so, there's where you should look for your source of the problem.
I had a mere $3.00 in $1.00 separate transactions against my Discover card on iTunes, which I knew were fraudulent purchases because a) my iTunes account had a "most recent purchase date: 12/31/09", and b) it isn't linked to my Discover card, but in fact my bank issued Visa card, and c) I had a $10.05 left on a $15 iTunes gift card remaining (to this day) on the account, so there was no need for a CC purchase in any case.
That same day I also had a discrepancy of $700 or so between my available credit and the credit limit minus known purchases, so I called Discover to have them go through ALL transactions with me, as that $700 was not showing up on my recent transactions page like all my known purchases were.
One of the unknown purchases was $148.45 at Old Navy, a place I'd never shop at because it's overpriced and doesn't really have much that I like. The other was a $539.40 purchase from MacWarehouse.com (CDW.com platform branded site). I haven't bought anything online for my Mac Pro since I ordered new RAM last year to upgrade to 7 GB.
The final set of transactions were those three $1.00 iTunes transactions.
All of this in one day, and I got very lucky in that because I check my CC "credit available" vs. "current balance", I caught these fraudulent transcations less than four hours from their post time! Yikes.
The cause of all this was a data breach at monoprice.com affecting customers that made purchases supposedly between the two dates I listed at the beginning of this post. I have a feeling it either has continued to be a problem, or was a problem prior to those dates, since I'm still hearing about people hit by this odd rash of theft that almost always seems to include iTunes transactions.
The common factor to check for with your CC company is this: All unknown transactions - were they done "online, by hand"? That was the common factor in my case.
In my case there was also one very ill timed twist to go into this already horrendous mix. Exactly two weeks prior to my CC info being stolen and used, I had obtained a new Fry's credit card. Well, Fry's credit cards require, for some stupidly unknown reason (perhaps their middle east owned banks aren't allowed to even touch Experian, Equifax, or TransUnion?) that you provide a valid CC # in full as "verification that you are credit worthy". Well in my case, that # was my Discover card that was used fraudulently online for the above purchases. This caused me to erroneously accuse the Fry's employees of CC theft (Sunnyvale Fry's, NoCal). Needless to say I was not pleased at making a fool of myself like that. But it does go to show that you need to constantly check your balance vs. available credit online and check them against each other.
Anywho, yeah, you're going to need a new CC#. Not much you can do about that, nor is there much I can do about it since I had to do the exact same thing with Discover. Thankfully I'm not liable for it since I caught it so fast. Hell, I caught it so fast that Discover actually thanked me and overnighted me a new card. I now use their online CC# generator exclusively when shopping online. That way only the merchant that the generated # was used for can ever use it again. That number cannot be used anywhere else, or for any purchase not related to the original purchase (the only purchases that a single online number can be used repeately with are recurring subscriptions). I highly suggest that if Amex has such a feature, that you use it. I guarantee it's worth the initial hassle of setting it up.
Anywho, good luck to you, and remember, always check those account details, daily if you can!
When a Priest says they're going to Flash you, it isn't for healing.