Google has recently informed me that the vulnerability that has led to the hijacking of claimed listings has been fixed and that business listings that have been claimed can no longer be compromised.
The hijackings, common in the Locksmith business, were first reported very early last summer and fall. There have been numerous reports as recently as Feb. 11th in the Help Groups. The legitimate records took on the appearance of merged records, showing multiple phone numbers and the URL of the black hat Locksmith. The “bad” phone number often displayed first and showed in the Local 10 Pack.
Google is not going back and identifying hijacked records, nor proactively repairing them. If a particular record has been hijacked, the business must notify Google through the groups for the bad data to be removed.
In September and October, I received several emails from Search Marketers serving the Locksmith industry that claimed that it was possible for claimed listings to be compromised. In the absence of technique and proof, I wrote (erroneously) at the time that it did not seem likely and that it was more likely that the blackhats were simply using the community edit feature (wrong).
However, in mid-December, one of the Locksmith SEMs provided both specific techniques and concrete proof of the vulnerability. At that time, the information was forwarded to Google. It is likely that Google had knowledge of the exploit well prior to that point.
The hack was simplicity itself and seemed to exploit the same flaw that causes the merged record problem. The “blackhat” would create, in their Local Business Center account, a new local business listing with exactly the same information as an existing Locksmith with a high Local 10 Pack standing. The fields would be identical to the legitimate listing with the exception of a different phone number which Google would verify against. Once the new record was validated, the content would merge with the other data in the cluster but take precedence as the most recent. Once the record was secure in the wrong LBC account, the URL could then be changed.
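The merge flaw described above can be modelled as a record-precedence policy. This is an added example, not code from Google or from the original post: the field names, the clustering key (name plus address) and the owner-pinned policy are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Listing:
    owner: str        # account holding the verified claim (hypothetical field)
    name: str
    address: str
    phone: str
    url: str
    verified_at: int  # verification time in arbitrary ticks

def cluster_key(listing):
    # Assumption: records cluster on name + address, so a different phone
    # number does not keep a duplicate out of the cluster.
    return (listing.name.strip().lower(), listing.address.strip().lower())

def build_clusters(listings):
    clusters = defaultdict(list)
    for listing in listings:
        clusters[cluster_key(listing)].append(listing)
    return clusters

def merge_most_recent(cluster):
    """Weak policy: the newest verified record wins, whoever owns it."""
    return max(cluster, key=lambda l: l.verified_at), []

def merge_owner_pinned(cluster):
    """Hardened policy: the earliest verified claim pins the owning account.
    Later records from other accounts never become authoritative; they are
    returned as conflicts for manual review."""
    ordered = sorted(cluster, key=lambda l: l.verified_at)
    pinned = ordered[0].owner
    own = [l for l in ordered if l.owner == pinned]
    conflicts = [l for l in ordered if l.owner != pinned]
    return own[-1], conflicts

def resolve(listings, policy):
    # Returns {cluster key: (authoritative record, conflicting records)}.
    return {key: policy(c) for key, c in build_clusters(listings).items()}

# Constructed sample data: a claimed listing and a later duplicate that
# differs only in phone number and owning account.
SAMPLE = [
    Listing("acct-owner", "Main Street Locksmith", "12 Main St, Springfield",
            "555-0100", "https://owner.example", verified_at=100),
    Listing("acct-other", "Main Street Locksmith", "12 Main St, Springfield",
            "555-0199", "https://owner.example", verified_at=200),
]

if __name__ == "__main__":
    for policy in (merge_most_recent, merge_owner_pinned):
        for key, (winner, conflicts) in resolve(SAMPLE, policy).items():
            print(policy.__name__, winner.owner, winner.phone, len(conflicts))
```

Under the weak policy the later record from a different account becomes authoritative; under the owner-pinned policy it is held as a conflict and the original claim stays in place.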
When asked what a business owner who suspected his record had been hijacked should do, Google noted:
“Basically we’d tell users to make sure that they have one and only one correct, up-to-date, verified listing in their account that is not rejected for content problems. If they think that their listing falls into the “hijacking” bucket, they should let us know in the help forum.”
“I’d just be cautious to really delineate what types of listings this situation applies to. I am worried that people who are seeing third-party provided data are going to think this is them, and if that’s the case then all we’ll do is send them to the Local Business Center.”


This is an extremely revealing post. I certainly hope this signals that hijacking is stopped….but it suggests that there could be an infinite variety of opportunities for enterprising “blackhatters” and businesses. In that vein I can only hope that should there be a rash of hijackings of one sort or another Google is quick to remedy.
As described above it would seem Google owes a greater level of responsiveness in the event of problems:
1. Google is the de facto source of information
2. Google created the local business center thereby creating opportunities for businesses and for hackers/(thieves)
3. Google highlights the visibility of this information by propagating Google Maps info into organic searches through universal search.
If hijacking of this sort or alternatives expand….Google is “aiding and abetting” the hijackers.
Hopefully the hijacking problem has been fixed.
Dave
Comment by Earlpearl (384 comments) — February 13, 2009 @ 1:28 pm
I’m glad to see Google finally did something about this. Hijacking a business’s actual business listing could be very harmful to that business.
Comment by Nick Stamoulis (7 comments) — February 13, 2009 @ 3:18 pm
Mike,
I’ve read this twice and am left with the question, “how has this been fixed?” What is different? What can Google have implemented to prevent a hijacker from currently creating a second listing and taking the locksmith approach? Where is the step in all of this that would now prevent this from happening? Did the Google rep explain? I’m fascinated.
Miriam
Comment by MiriamEllis (362 comments) — February 13, 2009 @ 6:07 pm
This whole process continues to morph- now porn what else will come next?
Great post Mike!
Comment by Marc (14 comments) — February 14, 2009 @ 11:37 am
I doubt that is the “fix” that will prevent compromising of business listings. There are several pathways that could lead to invalid information taking precedence over correct data in a Google Maps business listing. The means by which local search engines such as Google obtain information allow for some chances of inaccurate or manipulated information.
GLBC has countermeasures to prevent mis-information and invalid registration such as requiring postcard only validation for records with modified phone numbers. This is yet another arrow in the quiver and more are sure to come. The problem of invalid or hijacked listings will continue to surface just as spam arrives to our mailboxes.
Nevertheless, it is good that Google is taking action to validate the copious amounts of local information that they obtain. I just hope that this last change doesn’t stifle our ability to rapidly submit business listings.
David Rodecker
Founder & CTO, RelevantAds
“getting local business online”
Comment by David Rodecker (6 comments) — February 15, 2009 @ 8:30 pm
If a listing on a 3 pack or a 10 pack is not associated with a website… it’s most likely derived from yellow pages advertising and so forth. That’s the type of local maps listing that would be easy to poach but the key to all this is that the website has to be verified in WebMaster Tools right? So you have to find a root directory of a target site that you can write a new verification.html file to… or you have to write the v1 meta string in the head section of the index page. If Google was allowing listings to be updated to new Local Business (Maps) accounts without requiring the corresponding WebMaster Tools account to physically verify the site, that’s gross negligence. Is that the case? Regards,
Comment by Mal (3 comments) — February 16, 2009 @ 3:29 am
@Mal
Google has never required website verification for Local via the Webmaster tools or other methods. Once the business has been verified via postcard or phone call, the owner of the verified record has been entitled to change any attribute. Occasionally these changes would require a reverification but not always.
So while unclaimed records that came to Google via some third party were the easiest to poach, this case was poaching of records that had been verified by the most rigorous means provided by Google, the LBC.
@Miriam
I think, as noted by David, that the phone number when changed will require a postcard validation….I haven’t tried this to be sure. But as he notes, this is not the end of hijackings….stakes are high and the pressure to make it easy on the part of Google creates a tension that is not easily resolved
Mike
Comment by Mike (1029 comments) — February 16, 2009 @ 10:07 am
Excellent work Mike!
Comment by Rob (31 comments) — February 16, 2009 @ 3:30 pm
Thanks, Dave & Mike, for further explaining this.
A postcard. Well, it will be slow…but it could help somewhat. I’m glad Google is trying something new in an effort to address this problem.
Comment by MiriamEllis (362 comments) — February 17, 2009 @ 6:05 pm
[...] a locksmith internet marketer that has shared Google Maps blackhat techniques with me, recently posted this into Google Maps Help Forum: So Maps [...]
Pingback by My “Deep Throat” Gets Banned, Goes Public » Understanding Google Maps & Yahoo Local Search — February 21, 2009 @ 10:37 am
[...] Locksmiths are a little hard to love. They aren’t Mom and Apple Pie, they aren’t florists who we can all identify with when things go wrong. The industry is hypercompetitive and they have been at the forefront of cracking all sorts of locks, unfortunately not always the ones that they should be cracking. They were early into blackhat reviews, one of the dominant sources of bulk upload spam and were first to the party in compromising the records claimed in the Local Business Center. [...]
Pingback by Google Maps vs Locksmith Spammers: Spammers winning? » Understanding Google Maps & Yahoo Local Search — February 25, 2009 @ 8:33 am
[...] started flowing into Google support groups about hijackings of claimed listings. In December, I communicated to Google a method by which “blackhat” locksmiths were hijacking business records [...]
Pingback by Google Maps LBC: Claimed Business Listings Still Being Hijacked? » Understanding Google Maps & Yahoo Local Search — March 10, 2009 @ 12:26 pm
[...] Hijacked Google local listings is something Mike Blumenthal has reported on a number of times. The issue is different but related to the one I’ve brought up above. However what’s really troubling is how Google appears to be not addressing the issue. In his March 10th post Mike drew a big old red arrow on a screen shot that shows 24×7locallocksmith.com hijacked a hotel listing. Today while researching this post I looked at locksmith listings for NYC and guess what I found. [...]
Pingback by Locksmiths Crack Google Local — March 14, 2009 @ 9:07 pm
[...] question. Has Google really fixed the problem if the many records that flowed into Maps via the hack are still there? « Google Maps: Will More Fully Integrated User Created Content Generate [...]
Pingback by The Plaza Hotel is Mapjacked » Understanding Google Maps & Yahoo Local Search — March 16, 2009 @ 9:31 pm
[...] Comments The Plaza Hotel is Mapjacked » Understanding Google Maps & Yahoo Local Search on Google: Claimed Business Records No Longer Can be HijackedThe Plaza Hotel is Mapjacked » Understanding Google Maps & Yahoo Local Search on Google [...]
Pingback by Google Maps: Cleaning up the Index » Understanding Google Maps & Yahoo Local Search — March 17, 2009 @ 8:57 am
For Google to say that they’ve come anywhere near to fixing the hijacking issue – especially of “claimed” business listings – is a farce.
Locksmiths continue to take listings of popular restaurants and hotels across the USA. I was in San Antonio a couple weeks ago, did a search for “restaurants san antonio” and reached a locksmith when I called the listed number.
I’ve been working closely with more and more businesses who are experiencing this problem – even when they claim the listing.
The technique for hijacking is stupid-simple. I won’t post it for that reason. But the fact that these loopholes exist is a serious concern that has caused some to put together class action lawsuits.
Comment by Nathan (2 comments) — April 14, 2009 @ 6:22 pm
Google’s definition of fixed is that it can not happen via this exact same vector going forward. They, for whatever reason, do not perceive cleaning up the detritus from these exploits part of their definition of the word fix. So while they are technically correct and they have probably patched the hole, I am with you…when the plumbing breaks the job entails more than just patching the pipe from the toilet….you need to clean up the mess that was created. For whatever reason, Google doesn’t see it that way.
Comment by Mike (1029 comments) — April 14, 2009 @ 8:05 pm
Hi, my Google local listing in the UK has been hijacked, it is showing our competitor address, website, still our phone number for some reason, and other details like reviews, etc have merged. What can I do to fix this? I have had this once before, I have gone to my Local Listing and simply edited a little bit of something, and went back to normal after a few days. Moreover I read on another post that in order to change business name, one has to write to Google with some proof, and the post suggests getting some business cards printed as proof, and send them to Google. This is really mean and disgusting. Anyway, what do you suggest I do? Many thanks.
Comment by Dan (10 comments) — April 18, 2009 @ 8:47 am
I am curious when the listing was changed? Do you know exactly when it started? Could you send me the exact details of your listing and which components are yours and which not?
I am not sure that Google requires much proof of anything other than the postcard or phone validation method. What post are you referring to?
If two records in Google become merged either by Google’s error or via hijacking the only solution is to contact Google via their forums and seek their help.
Comment by Mike (1029 comments) — April 18, 2009 @ 5:12 pm
Hey Mike, my local listings on Google finally came back after a month.
What do you think I did wrong for it to disappear like that?
thanks
Comment by karim iraqi (4 comments) — April 20, 2009 @ 12:35 pm
I don’t think that you did anything wrong. I think that Google had a bug
Comment by Mike (1029 comments) — April 20, 2009 @ 1:04 pm
Hi Mike,
Yes, basically someone keeps creating a listing with the exact business name as mine, verifies it somehow, and then it gets published as being the newest one. When I go and edit the details in my listing, after a few hours mine reappears as it is the latest edit.
For some reason if two local listings bear the same name, Google ends up merging them. Now, nothing is stopping my competitor from editing it back so his is the most recent and it’s a constant cat and mouse…
See this posting that explains exactly the technique:
http://blumenthals.com/blog/2009/02/13/google-claimed-business-records-no-longer-can-be-hijacked/
I have tried to call Google or email them, but they do not seem to have an email.
Where is the exact Forum for these things I should contact Google for?
Thanks, and I would appreciate your comment on the whole issue.
Comment by Dan (10 comments) — April 21, 2009 @ 7:23 am
Sorry how stupid, I am referring to the page above !
Yes so basically they are creating a new listing and it merges, like you suggest above…
Comment by Dan (10 comments) — April 21, 2009 @ 7:24 am
Before you go to the (Help Forum for Business Owners), I would love to take a look at the record and talk to you about timelines and interventions that you have made.
Mike
Comment by Mike (1029 comments) — April 21, 2009 @ 7:54 am
Mike, can you email me privately? Or can I email you? I don’t want to put this all over the web, I am not comfortable with that. I hope this is ok.
Dan
Comment by Dan (10 comments) — April 21, 2009 @ 8:03 am
email me mike@blumenthals.com
Comment by Mike (1029 comments) — April 21, 2009 @ 11:41 am
[...] of legitimately claimed LBC listings being hijacked in Google Maps. The reports (here, here, here & here) all follow the hijacking pattern that Locksmith widely suffered during the second half [...]
Pingback by Google Maps: Upsurge in reports of Map Hijackings/Merges » Understanding Google Maps & Yahoo Local Search — April 21, 2009 @ 1:46 pm
I read your article, above. It does seem to be what has happened to us, i.e., the merging of phone numbers and other data. I received a suggestion that I make a minor change or two and update the publishing, wait a few hours and see what happens. I’m still curious how they redirected my website url to theirs and, how it took the place of mine. I just hope we get it solved soon. I’m getting phone calls for them! Thanks.
Comment by Ben (3 comments) — April 21, 2009 @ 4:03 pm
@Ben
If yours is the same issue then the sequence would be as follows:
1) You create or claim a record in Google Maps, make edits and then forget about it
2) They, at some later point, create an exact duplicate record with the exception of the phone and verify
3) Their record then in roughly 6 to 8 weeks gets merged into the visible Maps record and becomes the current, authoritative record
4) At that point they can then change anything they want including the URL
I would caution that while your record has a lot in common with the above, Google claims to have fixed that hole. Which begs another question, what did happen? Keep your ear to the ground and keep pinging your post at the forum and maybe we will find out. I wrote a new post today about this issue so maybe someone can shed more light on it.
Comment by Mike (1029 comments) — April 21, 2009 @ 6:49 pm
Same issue here, our business was hijacked as well. Suddenly we had a link to our competitor. We claimed the link and updated the info. After a day or so everything was OK. Then after a few days our link was replaced by a link to http://www.tripadvisor.com with restaurant reviews. We changed it back an hour ago but it seems that there is no protection against this.
Search for : Banh Thai Fremont to see what we are talking about.
Comment by Cary (1 comments) — April 24, 2009 @ 9:38 pm
I recently submitted a Google Local business Listing for a Portuguese client; local business results are relatively new in google.pt. The business listing was for a car hire company based at Faro Airport. After a couple of weeks of the listing showing up OK, I noticed that it had been merged with another older listing sharing the same physical address: namely the Airport arrivals lounge. This shows that the bug (at least in google.pt) still exists…
Comment by Algarve (1 comments) — August 7, 2009 @ 5:14 pm
Google did not fix the hijacking problem, do not let anyone fool you.
I am a locksmith in South Florida, and I have had a few of my local listings hijacked and phone numbers changed and website address changed.
Spamming and hijacking here is a big problem.
I wish they would do away with the Local Business Center, I would be better off.
Dates of offences were in May and June of 2009 so it is still happening.
Comment by Chuck (6 comments) — August 25, 2009 @ 7:47 pm
@Chuck
I would love to hear more about your story…either here or offline (mike@blumenthals.com)…is it still hijacked? any idea technique? Was Google helpful in squaring away?
Comment by Mike (1029 comments) — August 26, 2009 @ 7:49 am
Well it seems here in the UK we just have a corrupted LBC and maps database. When I checked today I was surprised to find that we had moved! Name, telephone, hours and position on the map is correct but the address and post (zip) code is for a business in a different industry 25 miles away. I would have thought that the system would have some sort of automatic check which prevented an address being entered for a business location that was more than 50 metres from its shown location on Google Maps.
Comment by Nigel Palmer (2 comments) — October 10, 2009 @ 3:26 pm
@Nigel
You might want to read Six reasons why your listing might “go South” & some tips to cope if you haven’t already.
Comment by Mike (1029 comments) — October 17, 2009 @ 9:37 am
What is going on with the Locals now, it is not much better at all. Real business like mine ads have just disappeared then the business at position 1. Their web page is down, number doesn’t work, and I’d bet that they are using a fake address. And a real business with a real address is gone for good. Does Google even care, if it’s like their AdWords and click fraud they don’t
Comment by Hector (2 comments) — January 22, 2010 @ 11:19 pm