Google Maps: Widespread Hijacking of Business Listings Confirmed

Late last week, the widespread hijacking of business listings in the florist industry for the purpose of affiliate mapspam was reported, confirmed and documented. Rumors of these hijackings had circulated in the groups for several months, but specifics had been difficult to come by.

According to the Real Florists Blog by FlowerChat Blog, the hijackings affected some of the “most respected florists in the US – including Lehrer’s and Veldkamp’s of Denver, Podesta Baldocchi and Church Street Flowers of San Francisco, Starbright Floral Design of New York City, Phoenix Flower Shops and numerous other major city floral operations.”

The technique, apparently in widespread use in the Locksmith, PayDay Loan and other industries, exploited weaknesses in Google’s User Edit capability. I had previously reported on PayDay Loan user edit abuses. In this newly reported case in the floral industry, affiliate mapspammers targeted high-ranking florists in major markets that had NOT CLAIMED their business listings in the Local Business Center, so as to benefit from an existing business’ ranking and reviews.

The spammers, using the end user edit tools, would change the phone number to another local number, change the location of the business slightly and then proceed to add a category, the URL and ultimately the name of the business. Apparently the small move in location convinced Google’s system that all subsequent changes were legitimate. The listing would retain the ranking and reviews of the actual business but redirect to a Canadian Florist fulfillment house via the affiliate’s website.
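One way to screen a listing's edit history for the pattern just described, as an added example that is not from the original post. The `Edit` record, its field names and the sample rows are hypothetical and constructed; Google's edit logs are not public.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Fields that, changed together, turn one business's listing into another's.
IDENTITY_FIELDS = {"phone", "location", "url", "name"}

@dataclass
class Edit:  # hypothetical record layout, not a real Google export
    listing_id: str
    editor: str
    field: str   # "phone", "location", "category", "url" or "name"
    old: object
    new: object

def distance_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371000 * asin(sqrt(h))

def flag_takeovers(edits, claimed):
    """Map listing_id -> evidence for unclaimed listings whose community
    edits replaced phone, location, URL and name."""
    history = {}
    for e in edits:
        if e.listing_id not in claimed and e.old != e.new:
            history.setdefault(e.listing_id, []).append(e)
    flagged = {}
    for lid, hist in history.items():
        if IDENTITY_FIELDS <= {e.field for e in hist}:
            move = max(distance_m(e.old, e.new) for e in hist if e.field == "location")
            flagged[lid] = {"editors": sorted({e.editor for e in hist}),
                            "pin_moved_m": round(move)}
    return flagged

# Constructed sample data: F-1 follows the pattern, F-2 only corrects a phone
# number, F-3 changes everything but is owner-claimed.
DENVER, NUDGED = (39.7392, -104.9903), (39.7400, -104.9903)
def _swap(lid, who):
    return [Edit(lid, who, "phone", "303-555-0100", "303-555-0199"),
            Edit(lid, who, "location", DENVER, NUDGED),
            Edit(lid, who, "category", None, "Florist"),
            Edit(lid, who, "url", "http://shop.example", "http://affiliate.example"),
            Edit(lid, who, "name", "Example Florist", "Example Flowers Delivery")]
SAMPLE = _swap("F-1", "user-a") + _swap("F-3", "user-b") + [
    Edit("F-2", "user-c", "phone", "303-555-0111", "303-555-0112")]

if __name__ == "__main__":
    print(flag_takeovers(SAMPLE, claimed={"F-3"}))
```

A listing that is flagged here with a pin move of only tens of metres matches the "slight" relocation described above and is worth a manual look before its ranking and reviews are trusted.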

Some florists have succeeded in cleaning and claiming their listings but not all. In conversations with folks in the Florist industry, many independent florists were in tears over the incidents and the attendant loss of sales. All were totally unaware that it had been necessary for them to claim their listings.


33 thoughts on “Google Maps: Widespread Hijacking of Business Listings Confirmed”

  1. Wow:

    That smells of criminality. I’d have an attorney look into it. On the other hand it opens a wide door for further such actions.

    Google better clamp down on this ASAP!!!

  2. Hi Dave

    For me, it doesn’t just smack of is. If I were Google I would alert federal authorities. If I were the florists I would sue the 800-Florist folks for any income that they received.


  3. “All were totally unaware that it had been necessary for them to claim their listings.”

    And that makes clear the reason for you (and any of us) to keep blogging about this stuff, Mike. The fact that this could happen to people who don’t even understand that their information is in Google’s index and that they’ve got to go claim it makes Google somewhat party to the damages the florists have suffered, it seems to me. Because the business owners are unaware of what is going on, it’s as though circumstances beyond their control are now exerting massive influence over their survival. If Google has no plan for effectively letting SMBs know that their data has been indexed and is subject to sabotage, I guess that leaves it up to Mike to tell the world, as best he can.

    There’s something very weird about that, isn’t there?

    Thanks for reporting on this.

  4. @Mike

    sue the 800-folks sounds a bit strange to me, because it was their affiliates, that were using their affiliate program doing the map spam, not themselves. The guys doing the map spam receive the commissions per lead or even per click. As from what I could tell from one of the comments of the 800 people (on the florist blog where jen also responded) they weren’t aware of this, stopped all the affiliate programs with those users and now their reputation ends up being damaged.

    Although I do think the 800-florist should somehow disclose who did it so necessary actions can be taken. But my guess is that this will all be too complicated.

  5. @Matijn

    I agree that the affiliates are the ones initiating the criminal activity. But they have been aided by two parties, Google and the 800 Florist.

    My thinking on the 800 folks is not that their behavior is necessarily criminal but that they should return to the florists any ill-gotten gains that they have received from this project. If they refused to do so willingly then I would pursue it with a civil action.

    If I were them I would also contact the authorities to report the activity of the affiliate spammers.

    If a person buys stolen goods from a thief and they are found out, the goods are returned to the original owner and the purchaser is out the money.

    To me that is analogous to the 800 Florist folks in this situation. They have received benefits due to an illegal activity of a 3rd party. Those benefits should be returned to the rightful beneficiaries.

    I do not believe that our industry should accept this type of activity on any level and when the seriousness of the offense rises to this level, we should support any and every legal remedy available.


    When the activity jumped in the groups with postings from Locksmiths, I had a number of emails with one of them to ascertain that the record he asserted had been hijacked had in fact been claimed in the LBC. He and I were communicating on two different planes and after about a week of emails I gave up. He could never confirm to my satisfaction that he had in fact claimed it despite his contention otherwise. My sense is that he logged in to Google, made user edits, saw other user edits and that he thought he had done what he needed to do.

    Obviously any system (Google Maps) that requires 12 million small businesses to log in to Google so as to offer security has structural issues.


    PS Glad to have my css back too, makes it feel like home although still some dust to clean up. When our servers experienced problems, customer data received priority over mine.

  6. I am with Miram on this, and maybe a step further. Google has taken it upon themselves to start listing businesses, without any fact checking, then claim to be the place or are the place that people gravitate towards for their search information, I know I keep beating this horse, but the UA/Tribune/Google mess from erroneous news posted by Google as current caused a MAJOR loss to the shocking tune of $1 billion!!! Google allowing hijacking of business listings is the same accountability issue. I think oversight is going to be needed. How long does the 800 lb gorilla get to run free, shouting it’s all for the user experience when in reality the user has been duped.

    I am growing tired and weary of Google, I am close to tossing my gmail, and use of Google search out (except for client required work) and using the alternative, Yahoo/MSN together.

    Accountability, it’s what you do when you are an adult, so time for Google to grow-up…

  7. Hi David

    Google certainly has a huge amount of culpability here on both the technical and ethical side. They have so many lawyers you would need another roomful to determine if in fact they have any actual legal liability.

    This situation was predictable, reported to them earlier and totally avoidable with some coding and budget for staff. They chose neither. Despite myths otherwise the market will not likely punish them for these decisions.


  8. As someone who is tightly knit with this issue in reviewing how this was done, if there is any wrongdoing for civil action, firstly, I would suggest that those companies who broker and support the affiliate systems, such as Neverblue, Commission Junction, Linkshare and others would be it. For one, affiliate marketing is built through programs by and others, and often not the site itself. There was confirmation from one of the florists who spoke with 800 that they had a campaign. There wasn’t enough QA by in this case. Secondly, Google needs to take responsibility for this and clean it up, QUICKLY. Their (in)action so far in many cases shows that it’s not as nimble to fix an issue, even after repeated steps to correct it and bring it to their attention.

  9. @ JB

    I forgot about the affiliate system themselves and their responsibility for due diligence. Great point!

    I by no means am letting Google off the hook, their performance in this issue has been abysmal. They certainly bear technical and ethical responsibility if not legal obligations in this case.


  10. Mike,

    Once again, thank you for your great advice and for your coverage of this hijacking issue.

    You said:
    “My thinking on the 800 folks is not that their behavior is necessarily criminal but that they should return to the florists any ill-gotten gains that they have received from this project. ”

    I suggested both affiliate resellers donate the proceeds from the hijacks to the non-profit Flowers For Kids project which helps educate elementary school students about flowers. There’s been no response.

    Once aware of the hijacks, there’s no reason why the resellers couldn’t have put up error pages to stop consumers from ordering via the redirects.

    Whether cut off from commissions or not, those redirected affiliate links were still working last night. One was through CJ but the other was self-administered by the reseller. (Today the redirecting pages, and, are both displaying security certificate warnings for me.)

    Glancing at the user logs of the spammers, it’s clear hijackings are happening to many different types of companies, and not just to SMB. I spotted affiliate replacements for a local Pier 1 and a CitiBank branch. Seems any company whose business type includes affiliates (even tangentially) is a target.

    It will be interesting to see what Google does with the sock puppet user IDs. They clearly leave a trail of destroyed local listings. One can only hope the other businesses get reverted, too and that the user IDs are banned and the phony reviews deleted.

    As flawed as G’s community edit filters are/were, the Local world gets far better exposure today than it did before Local/Maps and the Three/Ten Boxes.

    I’m seeing many more florists’ listings repaired today – and that’s the swiftest response I can ever recall. Let’s hope it’s a pattern and not the exception.


  11. Hi Cathy

    Thanks for the great follow up. It seems that is redirecting to a company called Modern Engineering Inc which appears to be a technology firm for manufacturers. A rogue employee?

    Just a thought for the florists: as an idea to keep & the other affiliate in the limelight until they respond with more than platitudes.


  12. I just wanted to throw out a huge and most grateful “Thank You” to Mike for putting this issue at the forefront of his blog. When this information was brought to our attention a great many folks reached out to us like JB and Cathy.

    I am not sure how or when Google will get the 10 pack listing resolved but we hope it will not take 4-6 weeks as it is truly affecting our business. It is our goal to bring those involved in these hijackings against legitimate operators to be brought to justice!

    Please let us know if you hear anything new and again -thank you!


  13. Almost all of my 10 box listings were hijacked by another locksmith.
    How can he do that?
    Claiming a listing can be done either by mail or phone.
    He has to change the phone in order to claim my listing. From my experience you can’t change a phone without verifying it by phone first and entering the code.

    I reported it to Google and it looks like they “cleaned” some of this locksmiths listings.

  14. Hi Tom

    I have not seen your examples. Are there some still there to be looked at?

    In every example of hijacking I had seen, the listings had not been claimed in the Local Business Center.

    Please send me any examples of hijackings that you know of that appear to have been “stolen” from a listing that had been confirmed in the Local Business Center. Would love to look at.


  15. I have found numerous phony locksmith postings. Search the web for “phoenix locksmith” and of the current top 10 listings that show up in maps listings at the top of the page, 7 are of the same company (using two web addresses) and all locations are phony. A second company also lists a phony location making 8 of the top 10 bogus. The other two may be as well, but I have not yet investigated them.

  16. Wow, I’ve seen a lot of techno chatter back and forth on this in a lot of places.

    I work for the largest locksmith in the US and have been doing research for the Associated Locksmiths of America on this issue.

    I saw reports saying that Google’s algorithm was being overzealous etc but most of all this is nonsense.

    The problem is just a bug. If you go into any listing, regardless if it is claimed or not and make numerous changes to the phone number and the address it will get to the point where it will only offer you a phone verification with THE NEW NUMBER that you just changed it to!

    Locksmith Scammers have started doing this en masse to local locksmiths in the past couple of months very effectively.

    THIS IS JUST A BUG THAT GOOGLE NEEDS TO FIX. If a phone number is changed…don’t use the new phone number for verification of the changes DUH. I can’t believe this simple bug exists.

  17. In Australia, you got to see “driving lessons” market. There is so much spam going on there. 2 companies are fighting it out and Google doesn’t do anything about it. You think if they had a look, that they would see how much spamming is happening. Mike, can you show me if there is a way to “flag” a local listing for Google to manually check?

    1. Matt
      The “report a problem” link on the Places page or the info bubble is the best way to get someone to take a look.

  18. Robert is right, most of these companies are the same. When you try to find a locksmith you are getting the same price …
    and the record is the same

  19. Don’t bother reporting a problem. Google never responds and on the rare occasion that they do, they are completely useless. I have been trying to convince Google Places to give me back control of the Places listing for one of my sites for almost half a year and have provided proof that the site is mine. The best answer they could provide was that I have to convince the hijacker to give me back control …. lol.

    There is a pretty simple solution to Google Places (Local Listings) hijacking which is extremely common and causing substantial financial losses for many business owners. Google just has to cross reference listing claims against WHOIS records. I know some people will bring up private listings but no reputable company will care if people find out who is behind their site. A simple confirmation e-mail sent to the admin contact on file with the registrar of the site will solve all problems. Why Google wouldn’t do this is bizarre and just plain stupid.

    If anyone knows any solutions to regaining control of hijacked listings, please advise.

    mattguest72 at
