Over the past 24 hours, SFAR members have been the target of a series of fraudulent emails known as "phishing scams". These emails are carefully made to look like legitimate messages from the organization being attacked. Often the message will use corporate logos, identifying information (such as spoofed 'sender' email addresses) and recognizable names in order to lure in victims.
Please note that these messages are NOT coming from SFAR servers, or our offices or vendors. The emails appear to originate from email servers in South America (Colombia) and contain a link to either a PDF or ZIP file that can infect Windows computers with a virus or ransomware.
How can I spot that it's a phishing attack?
When you hover over the link in the email, it will not look like a www.sfrealtors.com URL, and the email contains many errors that should alert you to the fact that it is not from us:
Has "the server" been hacked?
We are examining ways of reviewing the security of the feeds, but unfortunately, because a list has been extracted already, shutting off the feeds would simply hinder regular commerce.
What can I do to remove the virus?
At this time, it appears that only Windows computers are vulnerable. If you do not have current antivirus software installed, your best bet is to use a web scanner (try http://housecall.trendmicro.com) to remove the virus and then install a good AV client (AVG, Trend Micro, etc.) after the virus has been removed. There is little SFAR can do directly, as the attack is not coming from us.
What can I do to protect myself in the future?
Make sure, as a general practice, that anytime you receive an invoice (from any company) that does not look identical to prior invoices or comes at a time when you are not expecting to be invoiced, that you hover over any links to see where they are pointed. If the links do not match the name of the company sending you the email, use caution. If there is ever a question, don't hesitate to phone us, or email us, first.
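The hover check described above (does the link really point at www.sfrealtors.com, or at a PDF or ZIP file somewhere else?) can also be run against a saved message. The following Python is an added example, not code from SFAR; the sample message, its placeholder hosts and the names LinkCollector, host_matches and check_links are assumptions made for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse
EXPECTED_DOMAIN = "sfrealtors.com"   # legitimate domain named in this notice
RISKY_EXTENSIONS = (".pdf", ".zip")  # file types the notice says the links lead to
# Constructed sample (not a real phishing email); the spoofed sender looks legitimate.
SAMPLE = """\
From: "SFAR Billing" <billing@sfrealtors.com>
Content-Type: text/html; charset="utf-8"

<p><a href="http://files.example.net/invoice.zip">www.sfrealtors.com/invoice</a></p>
<p><a href="https://www.sfrealtors.com/members">Member portal</a></p>
<p><a href="http://sfrealtors.com.example.org/statement.pdf">Statement</a></p>
"""

class LinkCollector(HTMLParser):  # gathers [href, visible text] for every <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def host_matches(host, domain):  # exact domain or a true subdomain, never a lookalike
    host = (host or "").rstrip(".")  # urlparse already lowercases the hostname
    return host == domain or host.endswith("." + domain)

def check_links(raw, expected=EXPECTED_DOMAIN):  # returns [(href, [reasons])]
    collector = LinkCollector()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            collector.feed((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        if url.scheme in ("http", "https") and not host_matches(url.hostname, expected):
            reasons = ["target host is not " + expected]
            if expected in text.lower():
                reasons.append("visible text shows " + expected)
            if url.path.lower().endswith(RISKY_EXTENSIONS):
                reasons.append("links to a PDF or ZIP download")
            findings.append((href, reasons))
    return findings
```

The sender address is deliberately ignored because it can be spoofed; only the real link target is compared with the expected domain.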
We are very sorry that this attack may have affected you, and are in the process of a full security audit of our systems just in case we were the source of the leaked email addresses (at this time, we have zero reason to believe any of our systems internally were compromised). We will keep all of the members up to date as we investigate and follow up with authorities at https://www.us-cert.gov/report-phishing.
Jay Pepper-Martens
Director of MLS & IT for SFAR