Google: Claimed Business Records No Longer Can be Hijacked

Google has recently informed me that the vulnerability that has led to the hijacking of claimed listings has been fixed and that business listings that have been claimed can no longer be compromised.

The hijackings, common in the Locksmith business, were first reported very early last summer and fall. There have been numerous reports as recently as Feb. 11th in the Help Groups. The legitimate records took on the appearance of merged records showing multiple phone numbers and the url of the black hat Locksmith. The “bad” phone number often displaying first and showing in the Local 10 Pack.

Google, is not going back and identifying hijacked records nor proactively repairing them. If a particular record has been hijacked, the business must notify Google through the groups for the bad data to be removed.

In September and October, I received several emails from Search Marketers serving the Locksmith industry that claimed that it was possible for claimed listings to be compromised. In the absence of technique and proof, I wrote (erroneously) at the time that it did not seem likely and that it was more likely that the blackhats were simply using the community edit feature (wrong).

However in mid December, one of the Locksmith SEM’s provided both specific techniques and concrete proof of the vulnerability. At that time, the information was forwarded to Google. It is likely that Google had knowledge of the exploit well prior to that point.

The hack was simplicity itself and seemed to exploit the same flaw that causes the merged record problem. The “blackhat” would create, in their Local Business Center account, a new local business listing with exactly the same information as an existing Locksmith with a high Local 10 Pack standing. The fields would be identical to the legitimate listing with the exception of a different phone number which Google would verify against. Once the new record was validated, the content would merge with the other data in the cluster but take precedence as the most recent. Once the record was secure in the wrong LBC account, the URL could then be changed.

When asked what a business owner who suspected his record had been hijacked should do, Google noted:

“Basically we’d tell users to make sure that they have one and only one correct, up-to-date, verified listing in their account that is not rejected for content problems. If they think that their listing falls into the “hijacking” bucket, they should let us know in the help forum.”

“I’d just be cautious to really delineate what types of listings this situation applies to. I am worried that people who are seeing third-party provided data are going to think this is them, and if that’s the case then all we’ll do is send them to the Local Business Center.”

Please consider leaving a comment as your input will help me (& everyone else) better understand and learn about local.
Google: Claimed Business Records No Longer Can be Hijacked by

44 thoughts on “Google: Claimed Business Records No Longer Can be Hijacked”

  1. This is an extremely revealing post. I certainly hope this signals that hijacking is stopped….but it suggests that there could be an infinite variety of opportunities for enterprising “blackhatters” and businesses. In that vein I can only hope that should there be a rash of hijakings of one sort or another google is quick to remedy.

    As described above it would seem Google owes a greater level of responsiveness in the event of problems:

    1. Google is the de facto source of information
    2. Google created the local business center thereby creating opportunities for businesses and for hackers/(thieves)
    3. Google highlights the visibility of this information by propagating Google Maps info into organic searches through universal search.

    If hijacking of this sort or alternatives expand….google is “aiding and abetting” the hijackers.

    Hopefully the hijacking problem has been fixed.

    Dave

  2. Mike,
    I’ve read this twice and am left with the question, “how has this been fixed?” What is different? What can Google have implemented to prevent a hijacker from currently creating a second listing and taking the locksmith approach? Where is the step in all of this that would now prevent this from happening? Did the Google rep explain? I’m fascinated.

    Miriam

  3. I doubt that is the “fix” that will prevent compromising of business listings. There are several pathways that could lead to invalid information taking precedence over correct data in a Google Maps business listing. The means by which local search engines such as Google obtain information allow for some chances of inaccurate or manipulated information.

    GLBC has countermeasures to prevent mis-information and invalid registration such as requiring postcard only validation for records with modified phone numbers. This is yet another arrow in the quiver and more are sure to come. The problem of invalid or hijacked listings will continue to surface just as spam arrives to our mailboxes.

    Nevertheless, is it good that Google is taking action to validate the copious amounts of local information that they obtain. I just hope that this last change doesn’t stifle our ability to rapidly submit business listings.

    David Rodecker
    Founder & CTO, RelevantAds
    “getting local business online”

  4. If a listing on a 3 pack or a 10 pack is not associated with a website… it’s most likely derived from yellow pages advertising and so forth. That’s the type of local maps listing that would be easy to poach but the key to all this is that the website has to be verified in WebMaster Tools right? So you have to find a root directory of a target site that you can write a new verification.html file to… or you have to write the v1 meta string in the head section of the index page. If Google was allowing listings to be updated to new Local Business (Maps) accounts without requiring the corresponding WebMaster Tools account to physically verify the site, that’s gross negligence. Is that the case? Regards,

  5. @Mal
    Google has never required website verification for Local via the Webmaster tools or other methods. Once the business has been verified via postcard or phone call, the owner of the verified record has been entitled to change any attritubte. Occasionally these changes would require a reverification but not always.

    so while unclaimed records that came to Google via some third party were the easiest to poach, this case was poaching of records that had been verified by the most rigorous means provided by Google, the LBC.

    @Miriam
    I think, as noted by David, that the phone number when changed will require a postcard validation….I haven’t tried this to be sure. But as he notes, this is not the end of hijackings….stakes are high and the pressure to make it easy on the part of Google creates a tension that is not easily resolved

    Mike

  6. Thanks, Dave & Mike, for further explaining this.

    A postcard. Well, it will be slow…but it could help somewhat. I’m glad Google is trying something new in an effort to address this problem.

  7. For Google to say that they’ve come anywhere near to fixing the hijacking issue – especially of “claimed” business listings – is a farce.

    Locksmiths continue to take listings of popular restaurants and hotels across the USA. I was in San Antonio a couple weeks ago, did a search for “restaurants san antonio” and reached a locksmith when I called the listed number.

    I’ve been working closely with more and more businesses who are experiencing this problem – even when they claim the listing.

    The technique for hijacking is stupid-simple. I won’t post it for that reason. But the fact that these loopholes exist is a serious concern that has caused some to put together class action lawsuits.

  8. Google’s definition of fixed is that it can not happen via this exact same vector going forward. They, for whatever reason, do not perceive cleaning up the detritus from these exploits part of their definition of the word fix. So while they are technically correct and they have probably patched the hole,

    I am with you…when the plumbing breaks the job entails more than just patching the pipe from the toilet….you need to clean up the mess that was created. For whatever reason, Google doesn’t see it that way.

  9. Hi, my Google local listing in the UK has been highjacked, it is showing our competitor address, website, still our phone number for some reasons, and other details like reviews, etc have merged. What can I do to fix this? I have had this once before, I have gone to my Local Listing and simply edited a little bit of something, and went back to normal after a few days. Moreover I read on another post that in order to change business name, one has to write to google with some proof, and the post suggests getting some business cards printed as proof, and send them to Google. This is really mean and disgusting. Anyway, what do you suggest I do? Many thanks.

  10. I am curious when the listing was changed? Do you know exactly when it started? Could you send me the exact details of your listing and which components are yours and which not?

    I am not sure that Google requires much proof of anything other than the postcard or phone validation method. What post are you referring to?

    If two records in Google become merged either by google’s error or via hijacking the only solution is to contact Google via their forums and seek their help.

  11. Hi Mike,

    yes basically someone keep creating a listing with the exact business name as mine, verify it somehow, and then it gets published as being the newest one. When I go and edit the details in my listing, after a few hours mine reappears as it is the latest edit.

    For some reason if two local listings bear the same name, Google ends up merging them. Now, nothing is stopping my competitor to edit it back so his is the most recent and it s a constant cat and mouse…

    See this posting that explains exactly the technique:

    http://blumenthals.com/blog/2009/02/13/google-claimed-business-records-no-longer-can-be-hijacked/

    I have tried to call Google or email them, but they do not seem to have an email.

    Where is the exact Forum for these things I should contact Google for?

    Thanks, and I would appreciate your comment on the whole issue.

  12. Sorry how stupid, I am referring to the page above !

    Yes so basically they are creating a new listing and it merges, like you suggest above…

    :-(

  13. Mike, can you email me privately? Or can I email you? I don’t want to put this all over the web, I am not comfortable with that. I hope this is ok.

    Dan

  14. I read your article, above. It does seem to be what has happened to us, i.e., the merging of phone numbers and other data. I received a suggestion that I make a minor change or two and update the publishing, wait a few hours and see what happens. I’m still curious how they redirected my website url to theirs and, how it took the place of mine. I just hope we get it solved soon. I’m getting phone calls for them! Thanks.

  15. @Ben

    If yours is the same issue then the sequence would be as follows:

    1)You create or claim a record in Google Maps, make edits and then forget about it
    2)The, at some later point, create an exact duplicate record with the exception of the phone and verify
    3)Their record then in roughly 6 to 8 weeks gets merged into the visibile Maps record and becomes the current, authoritative record
    4)At that point they can then change anything they want including the URL

    I would caution that while your record has a lot in common with the above, Google claims to have fixed that hole. Which begs another question, what did happen? Keep your ear to the ground and keep pinging your post at the forum and maybe we will find out. I wrote a new post today about this issue so maybe someone can shed more light on it.

  16. If yours is the same issue then the sequence would be as follows:

    1)You create or claim a record in Google Maps, make edits and then forget about it
    2)The, at some later point, create an exact duplicate record with the exception of the phone and verify
    3)Their record then in roughly 6 to 8 weeks gets merged into the visibile Maps record and becomes the current, authoritative record
    4)At that point they can then change anything they want including the URL

  17. Same issue here, our business was hijacked as well. Suddenly we had a link to our competitor. We claimed the link and updated the info. After a day or so everything was OK. Then after a few days our link was replaced by a link to http://www.tripadvisor.com with restaurant reviews. We changed it back an hour ago but it seems that there is no protection against this.

    Search for : Banh Thai Fremont to see what we are talking about.

  18. I recently submitted a Google Local business Listing for a Portuguese client; local business results are relatively new in google.pt. The business listing was for a car hire company based at Faro Airport. After a couple of weeks of the listing showing up OK, I noticed that it had been merged with another older listing sharing the same physical address: namely the Airport arrivals lounge. This shows that the bug (at least in google.pt) still exists…

  19. Google did not fix the hijacking problem,do not let anyone fool you.
    I am a locksmith is South Florida,and I have had a few of my local listings hijacked and phone numbers changed and website address changed.
    Spamming and hijacking here is a big problem.
    I wish they would do aeay with the Local Business Center,I would be better off.

    Dates of offences were in May and June of 2009 so it is still happening.

  20. @Chuck

    I would love to hear more about your story…either here or offline (mike@blumenthals.com)…is it still hijacked? any idea technique? Was Google helpful in squaring away?

  21. Well it seems here in the UK we just have a corrupted LBC and maps database. When I checked today I was suprised to find that we had moved! Name, telephone, hours and position on the map is correct but the address and post (zip) code is for a bussiness in a different industry 25 miles away. I would have thought that the system would have some sort of automatic check which prevented an address being entered for a business location that was more than 50 metres from its shown location on google maps.

  22. What is going on with the Locals now it is not much better at all. real business like mine ads have just diapered then the business at position 1. there web page is down, number dosn’t work, and Id bet that they are using a fake address. and a real business with a real address is gone for good does google even care if its like there adwords and click fraud they don’t

  23. I dominated the google business listing for certain keywords and now my clients can hardly find me.
    I made all the necessary changes and abided by the gbl guidelines.
    No results.

  24. Hi Mike.
    I wanted to ask you if you could analyse my local business listing and give me your opinion because i used to dominate the search for a few key phrases and now i can only get listed in some of the poor searches.
    thanks a bunch.

  25. Here is another behavior I observed by accident.
    Claiming an unclaimed listing triggered a verification process using the postcard approach (phone number wasn’t offered for unknown reasons).
    The post card didn’t arrive for at least 4 weeks.

    After about a week the claimed business vanished from google maps altogether and appeared again after the pin code has been entered in the GLBC.

    Is this standard behavior? I hope not, since it would open the doors to any competitor to take businesses off the map.

    If this is not standard behavior, do you have an explanation?

    Thanks in advance

  26. @Uwe

    The reason that the phone number wasn’t offered was that Google did not have confidence it. Their first and least expensive choice is phone verification but after the locksmith scandals they stopped trusting every phone number in the world….

    I have not yet experienced the “blackout” but it is conceivable to me that a listing that is initially allowed into the index with “caveats” under some cloud of suspicion might move from one index to another or one status to another and not show up during that change process.

    Mike

  27. Mike, so you see a correlation between the phone verification not offered and the blackout then?

    I just had the same experience this week. This time the phone verification was offered but the receptionist on the phone receiving the verification call hung up twice, so I had to wait for my client to return to the business and receive the call (Google doesn’t even identify itself during the call, how nice!) . During that time the business vanished from Google Maps and reappeared once the pin had been entered.

  28. Hello,

    Here we are 5 years later and I thought it might be interesting to note that a claimed listing can indeed be hijacked. The recent situation of data feeds through syndication affecting hotel local business listings on Google+ certainly raises a question why Google allows for outside sources to affect claimed business listings.

    Thousands Of Hotel Listings Were Hijacked In Google+ Local
    http://searchengineland.com/thousands-of-hotels-listings-were-hijacked-in-google-local-181670

    In 2011 (2 years after this article), Cooper Tires had their listings hijacked as well.
    http://searchenginewatch.com/article/2064101/Cooper-Tire-Hijacked-2300-Listings-at-Yahoo-Local-Yellow-Pages

    I don’t fault this article, rather I fault Google for allowing claimed listings to be affected through outside sources, including Google’s own Google Map Maker.

    A very frustrating situation for businesses….and Google is wondering why more businesses don’t claim their listings or manage them? Why? Doesn’t seem to make a difference.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comments links could be nofollow free.