Malware designed to steal passwords has shot up 400% in the past year, according to research by security firm McAfee.
Password-stealing attacks have matured and cybercriminals are using advanced techniques to capture the login details of people shopping and banking online, the report said.
Players of online games are now the most targeted group, the report said, with a growing underground economy based on the trade of virtual game goods.
New techniques include using malware to take screen shots as users enter login details and hijacking websites to deploy fake pop-ups which request personal information.
Spam is one of the main distribution methods for seeding password stealers. Hackers use mass mailings of fake invoices and other spam to trick recipients into opening attachements that download malware.
The spam mail's topic is often tailored to the target audience, exploiting trends, political news, or topics localised for targeted countries, the report said.
"The evolution of password-stealing malware is driven by a cops-and-robbers game between cybercriminals and online banking institutions," the report said.
But, according to the researchers, more security does not necessarily bring about better usability.
"The contrary is usually the case, as the introduction of yet another security mechanism usually complicates things for users, eventually discouraging them," the report said.
Financial institutions and other online service need to find a better compromise between security and usability, the report said.