They can use proxies to make the entries appear from a completely different system, or sometimes abuse different login methods to that website. For example, awhile back, while Twitter itself DID lock you after multiple failed attempts, you could attempt to login via TweetDeck or Mobile Web Twitter an unlimited amount of times.
They use botnets that distribute the attacks from dozens of source IPs and attack multiple targets simultaneously in attempt to get a successful login.
The bots then attempt random login attempts using different username and password combinations. Hackers know full well that 3-5 attempts will likely lock out an account and that would possibly alert an admin that something is going on, so they program the bots not to try the same user account 3 times in a given period.
Between thousands of different usernames, and thousands of different passwords, against thousands of potential targets, sooner or later they’ll get a successful login.
Also it’s a little known fact that the ‘Administrator’ account in Active Directory can’t be locked out, so they brute force that account non-stop.
Those systems have been put into place to prevent brute force attacks, they aren’t everywhere.
Also, websites frequently store passwords, etc, in an encrypted database. This is supposed to stay private to their servers, but sometimes those databases get stolen. Once the database is stolen, it is just a file — the hackers have a copy on *their* computer, so they don’t put any rate-limits into *their* software, which they use to attack the database. This is where they can really go crazy with the brute-forcing.
A common method is to intercept your login over the network or wifi. That login is encrypted into a hash. Now they compare that hash to rainbow tables (known passwords). To brute force, they don’t have to login, they know what encryption your system uses and will run possible passwords into another program using the same encryption until they get a matching hash.