Phishers casing a bank often spend unusual amounts of time on a site they wish to target, or use automated tools to quickly download a copy of every page on the site. Corillian also pays special attention to suspicious bank Web site traffic on weekends, when most phishers conduct their reconnaissance, Maloney said.
To look more authentic, many fraudulent Web sites also link directly to high-quality images on the targeted bank's real site. By scouring the bank's Internet logs for "hits" from unauthorized sites using their customers' images, the company often can locate a fraud site while it is still being built.
Phishers nearly always verify stolen information before selling it on the black market, so when Corillian spots someone accessing numerous online bank accounts from the same Internet address, the company notifies the bank that those accounts have likely been compromised.
Alliance partner NameProtect, also based in Portland, watches for signs that phishers are incorporating its clients' trademarks by monitoring spam and domain-name registrations and by trawling the Internet for counterfeit bank sites that are still in production.
In mid-2004, NameProtect inked a deal with MasterCard International to track the underground market for credit card information. Since then, the company has helped MasterCard find tens of thousands of stolen account numbers, said Sergio Pinon, MasterCard's senior vice president of global security.
NameProtect also shares most of its intelligence with the U.S. Secret Service and the FBI. Last year, the company helped authorities track down and shutter dozens of fraud-enabling Web sites that trafficked in more than 1.4 million stolen credit card numbers.
One of NameProtect's closest competitors, San Francisco-based MarkMonitor, last July launched a new service to help customers keep their brand names out of phishers' hands by monitoring online chat rooms and Internet-address registries to spot potential scam Web sites. MarkMonitor uses this data as evidence to convince registrars to transfer ownership of the domains to the companies that own the trademarks.
MarkMonitor, which is not part of the Anti-Fraud Alliance, also is rolling out another service called Identity Tracker, which can search the company's millions of Internet address records to connect a fraudulent or infringing site with the site's creator or owner.
Phishers who register domain names that contain trademarked words usually purchase the sites under false identities -- often using the credit data and identities of previous fraud victims. But Mark Shull, MarkMonitor's president and chief executive officer, said that in many cases scam artists reuse at least one piece of information with each registration, usually an e-mail address. By correlating registration data for a known fraud site against millions of other records, the company often finds that the same individual has registered dozens or even hundreds of addresses that could be used in future attacks.
"In many cases there are sites out there that give you the true identity or at least some piece of real information about whoever is behind it," Shull said.