Gartner clients have reported a "significant rise" over the last two months in the use of stolen credentials to access accounts, wrote fraud expert Avivah Litan in a blog post Thursday.
The hackers are trying to access systems related to credit cards and financial data, digital currency, travel rewards and high-end fashion -- "anything and everything that has monetary or resale value," Litan wrote.
The type of attack is not new, but the methods are making it more difficult to detect.
Sweeping attacks that try out thousands of stolen account credentials are usually detected and blocked quickly. But the fraudsters are going in low, slowing the pace of attacks and distributing attempts to gain access through a large number of computers.
"The average online retail attack will only use an IP address 2.25 times now before moving on to the next IP address," Litan wrote.
Account credentials may be tried only once or twice an hour from different endpoints on a botnet over days or weeks, a technique that makes the attempts appear less suspicious and harder to identify.
Other times, the fraudsters use networks associated with popular cloud services whose IP addresses are not considered malicious and will not be blocked, she wrote.
Device fingerprinting, a technique that involves mimicking certain parameters of a device to evade detection, is also slipping under the radar. Fraudsters who know a person's credit card details will try to access a service from an IP address in approximately the same geographic area that they live, for instance.
The account credentials used in the attacks are likely being obtained from data breaches at major services. Litan cited the discovery of a gang likely based in Russia called CyberVor that amassed 1.2 billion login credentials and 500 million email addresses from a variety of services.
The discovery was made by Hold Security, a Wisconsin-based firm that also detected major data breaches at Adobe and Target. Many observers shrugged off the discovery and questioned Hold's motives rather than "confronting the gravity of this finding," Litan wrote.
For companies trying to defend their properties, Litan said there are security systems on the market that can beat some of the new techniques. They include cloud-based systems that aggregate the metadata for IP addresses and devices used for transactions, and "deflection," a technique that scrambles website code and makes it harder for attackers to identify weak weak points.
Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk