Google has recently informed me that the vulnerability that has led to the hijacking of claimed listings has been fixed and that business listings that have been claimed can no longer be compromised.
The hijackings, common in the Locksmith business, were first reported very early last summer and fall. There have been numerous reports as recently as Feb. 11th in the Help Groups. The legitimate records took on the appearance of merged records showing multiple phone numbers and the url of the black hat Locksmith. The “bad” phone number often displaying first and showing in the Local 10 Pack.
Google, is not going back and identifying hijacked records nor proactively repairing them. If a particular record has been hijacked, the business must notify Google through the groups for the bad data to be removed.
In September and October, I received several emails from Search Marketers serving the Locksmith industry that claimed that it was possible for claimed listings to be compromised. In the absence of technique and proof, I wrote (erroneously) at the time that it did not seem likely and that it was more likely that the blackhats were simply using the community edit feature (wrong).
However in mid December, one of the Locksmith SEM’s provided both specific techniques and concrete proof of the vulnerability. At that time, the information was forwarded to Google. It is likely that Google had knowledge of the exploit well prior to that point.
The hack was simplicity itself and seemed to exploit the same flaw that causes the merged record problem. The “blackhat” would create, in their Local Business Center account, a new local business listing with exactly the same information as an existing Locksmith with a high Local 10 Pack standing. The fields would be identical to the legitimate listing with the exception of a different phone number which Google would verify against. Once the new record was validated, the content would merge with the other data in the cluster but take precedence as the most recent. Once the record was secure in the wrong LBC account, the URL could then be changed.
When asked what a business owner who suspected his record had been hijacked should do, Google noted:
“Basically we’d tell users to make sure that they have one and only one correct, up-to-date, verified listing in their account that is not rejected for content problems. If they think that their listing falls into the “hijacking” bucket, they should let us know in the help forum.”
“I’d just be cautious to really delineate what types of listings this situation applies to. I am worried that people who are seeing third-party provided data are going to think this is them, and if that’s the case then all we’ll do is send them to the Local Business Center.”Google: Claimed Business Records No Longer Can be Hijacked by Mike Blumenthal