A gang of criminals based on the West Coast is robbing banks in the East, using text messages and voice recordings to target small, local banks and credit unions.
Dublin-based mobile security company AdaptiveMobile has been investigating the gang, which has been in operation for the past five years.
The gang starts by obtaining a phone number in the target bank's area code, from which it sends the text messages.
In the message, they ask account holders to click on a URL or call a phone number. The phone number takes them to a voice recording that asks them for all their account details -- up to and including ATM PINs.
"It's a form of social engineering," said Cathal McDaid, head of data intelligence and analytics at Dublin-based AdaptiveMobile. "People will tend to trust a message if it seems to come from the local bank."
The gang deliberately schedules the messages to go out in the evenings, on weekends, and during holiday periods, when the banks are likely to be closed.
Christmas, New Year, and Martin Luther King Day are particularly targeted, said McDaid.
Not only are the banks more likely to be closed then, but customers might be spending money and have heightened concerns about their credit and bank accounts.
Plus, since the banks are small, they're not likely to have staff manning the phones during the off-hours to answer questions.
In addition, the phone message specifically asks the customer to wait 24 hours before contacting the bank.
The wording of the text messages changes, to avoid filters designed to screen out spam. But a typical message might say that the account has been deactivated, and that the account holder needs to visit a particular web page or call a certain number.
On a cell phone, it might be harder for a person to tell that the domain name is similar to, but not exactly the same as, that of the bank. And the fake website looks like the actual bank site, McDaid added.
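As an added example (not from AdaptiveMobile or the original article), the following Python checks an inbound text for the traits described above: a link whose domain is close to but not the bank's own, a callback number the bank does not publish, and an off-hours send time. The bank domain, phone numbers, message texts and the edit-distance threshold of 2 are constructed assumptions.

```python
import re
from datetime import datetime

URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
PHONE_RE = re.compile(r"\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}")

def edit_distance(a, b):
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(text, sent_at, bank_domain, bank_phones):
    """Return the list of reasons a message looks like the lure; [] if none."""
    reasons = []
    brand = bank_domain.split(".")[0]
    for host in URL_RE.findall(text):
        host = host.lower()
        host = host[4:] if host.startswith("www.") else host
        if host == bank_domain or host.endswith("." + bank_domain):
            continue  # the bank's real domain or one of its subdomains
        # Any label within 2 edits of the brand (assumed threshold) is a lookalike.
        if any(edit_distance(label, brand) <= 2 for label in host.split(".")):
            reasons.append("lookalike-domain:" + host)
    for match in PHONE_RE.findall(text):
        digits = re.sub(r"\D", "", match)
        if digits not in bank_phones:
            reasons.append("unlisted-callback:" + digits)
    # Off-hours timing is only supporting evidence, never a reason on its own.
    off_hours = sent_at.weekday() >= 5 or not 9 <= sent_at.hour < 17
    if reasons and off_hours:
        reasons.append("off-hours")
    return reasons

# Constructed sample data: a fictional credit union and two messages.
BANK_DOMAIN = "firstvalleycu.example"
BANK_PHONES = {"2075550100"}
LURE = ("First Valley CU alert: your account has been deactivated. "
        "Visit firstvalley-cu.example/verify or call (207) 555-0142 now")
GENUINE = ("First Valley CU: your statement is ready at "
           "www.firstvalleycu.example/statements. Questions? Call (207) 555-0100")

if __name__ == "__main__":
    print(triage(LURE, datetime(2024, 1, 13, 20, 30), BANK_DOMAIN, BANK_PHONES))
    print(triage(GENUINE, datetime(2024, 1, 16, 10, 0), BANK_DOMAIN, BANK_PHONES))
```

Because the senders vary the wording to get past spam filters, the checks key on the link and callback number rather than on the message text.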
AdaptiveMobile has calculated that over 110,000 people have been targeted over a four-month period starting this past October.
"The conversion rate doesn't have to be very high," McDaid said. "It's more than enough to pay for itself."
He estimates that the banks have had several million dollars' worth of losses.
This Wednesday, the company will be presenting a visualization of these attacks at the RSA conference. It is an animated view of how the attacks spread from region to region and bank to bank.
"We're trying to figure out what's actually happening," McDaid said. "How exactly they're doing this, how they implemented it, and what types of banks they're targeting."