Google Maps: Still Too Easy to Spam
Spammy SEO tactics are the bane of our existence. They are the bane of Google’s existence, too. Over the years, Google have been investing significant amount of money and man-power to fight system abuse related to Google Maps. While they are getting close to where they should be, Maps seems to need some more anti-spam work done. A few days ago, Mike Blumenthal shared (privately, hence no link) on Google+ an obviously fake Google Maps business listing. The listing could have been found here, but was removed a few days after Mike’s post, after numerous reports. Here is how the listing looked:
The fact itself that the listing has been removed is positive. However, it took at least 8 reports, and more than 3 days for it to be taken down. It took one person – the spammer, 1-2 days to get it up and live. The fact itself that it is still possible to create such a listing is worrisome. I decided to investigate.
I tried to learn as much as possible about the spam tactic, so that I could reproduce it. Based on the Map Maker record of the listing I managed to learn that the listing had been created just a few hours before Mike’s Google+ post. The listing was originally created as a church, under the name “Bell of God Church”:
From previous conversations with other SEO’s that mentioned they knew of people that claimed they could create listings in any city, and by any business name, I knew the following:
– The spammer needs to have control over the phone number
– The spammer chooses himself/herself the exact location of the listing
– This tactic was for sale at $3,000
Based on the information I had, I was able to figure out the process. Thus, this article is probably worth $3,000 per reader, which makes it one of the most expensive articles you will ever read.
How I did it
I started by creating a brand-new Google account. I didn’t clear my browsing history, cache, or cookies, so that Google could potentially track me and understand I am using a new profile (although I already have at least one other profile). The username I chose was firstname.lastname@example.org and my “real” profile name was “Adam Sandler”. My profile picture featured a head shot of The Zohan in action:
This was all done deliberately.
After I had the account created, I went to Google Map Maker, and added a new “Place”. The location I chose was somewhere in the middle of Brooklyn, NY, because my US phone number is related to NYC. I named my “business” Johnny’s Mocha, a café. I did this on 11 February, at about 3am EST.
The same day, at about 8am EST, I received a call from the following phone number – 650-253-2000. This is Google Maps’ business information verification phone number. I had a brief chat with a male with thick Indian accent (Google’s call centers are in India), who asked me to confirm:
– That I was Johnny’s Mocha
– My business’s address – I had initially placed it incorrectly on the map (there was no street address), so he update it based on his own recommendation (he added street number 1000)
– If the business was a café
All my answers were “Yes”.
Two minutes after the call, the listing was live, on Map Maker and on Maps:
I went to the listing’s Google+ page (here) and claimed it. I was able to choose between phone and postcard verification. I obviously chose phone. After I claimed the listing, I edited the business name to “Why Oh Why Big G”. No further verification was required. Currently the listing looks like this:
Why I am posting this publicly
Many might say that by posting this publicly, I encourage even more spam on Google Maps. This is partially true. However, spam on Google Maps is and has been proliferating. Many spammers that have financial interests in such tactics already either know about the exploit, or pay others who know about it to do it for them.
Additionally, this exploit has been around for very long time, just in different forms. The main goal here is to get a listing with a phone number you have access to up on Google Maps. Once you do this, Google would allow you to use phone verification to claim the listing and the rest is easy work. In the past, it was easier to get a fake listing up – a simple Maps community edit was sufficient. From this point of view, Google’s Maps-related user-generated content policing has improved drastically. However, the loophole is still wide open.
My main purpose with this article is to “make noise” around the issue because, as it has been proven in the past, this seems to be the only way to make Google pay closer attention to an issue. Here are some ideas on what Google could do to reduce as much as possible the opportunities for exploits of such kind:
- Never offer phone verification the first time when a listing is claimed.
- Remove all listings at addresses that are virtual offices from Google Maps.
- Include stricter verification requirements for listings created through UGC – for instance, require at least one additional hard-to-fake verifiable supporting evidence (registration with government institution that has public record with business information, local business chamber registration, listing on Localeze (requires payment), or Acxiom (requires document verification), document related to the business on which all the business information is visible (similar to Acxiom’s verification method)).
- Stricter checks on the users that submit user-generated content through Map Maker and restrictions based on number of edits or reviews on Map Maker – a great example in this regard is Waze, which allows you to edit only certain areas of the map (where you have passed through), and the areas expand based on your activity on Waze.
Do you think Google should pay more attention to such issues? How do you think they should resolve this loophole?