Google Maps & MapMaker Exploits – Just for the fun of it

Update: Google has taken these down. My sense is, in speaking with him, that @maptivist views that as a challenge.

Nyagoslav Zhekov wrote a blog post yesterday detailing a long-standing MapMaker abuse vector. The person claiming to be responsible, @maptivist, reached out to Darren, Nyagoslav and myself with some more examples of his MapMaker “work” which I present to you here:

Super Mega Fun Time Land Suck Balls Kim Jongun Church of God

Snowden’s Secret Hiding Place

Vladamir’s Hangout

Mormon Comedy Club

Church of Scientology aka Church with no Sense of Humor. Or Sense.


Not the Phelps Sex Toy Shop or Not Crazy Lawsuit Happy Bigots Read Matt 7

Screen Shot 2014-02-20 at 2.42.39 PM – Not the real one silly. Google is still my @maptivists


My “new listing” is verified (and of course being in touch with pop culture the way I am, I had to do a search to learn who Ron Burgundy was):

Screen Shot 2014-02-20 at 12.46.12 PM


21 thoughts on “Google Maps & MapMaker Exploits – Just for the fun of it”

  1. I love the Ron Burgundy photo on your fake listing Mike 🙂

    Jokes aside, this is a serious problem. The guy we talked to described dozens of lead-gen businesses that are making millions/year selling leads. They set up fake listings in every city in the US, then sell the calls to local businesses. Why stop with just one listing? These guys are filling the entire pack with their spam listings, and that pushes out the real businesses, potentially causing them to go out of business. This problem must be addressed by Google. Their spam defenses are pretty much non-existent at the moment.

    Some smart spam fighters have offered solutions on this Google+ thread:

  2. While this is pretty terrible on Google’s end, the public shaming and publicly pushing the exploits to the breaking point should (hopefully) throw the ball into Google’s court. Now if only it would be picked up by a larger news organization.

  3. This is great, but it’s hard to figure out what they can do to change this without creating new problems for local businesses. Maybe some type of user-generated feedback to at least give weight to legitimate businesses.

  4. I got a kick out of some of those.

    Sad to say, it wasn’t meant to last. I clicked on those links to the Maps results. Looks like only 3 of the listings are still up. (Though maybe they’re buried somewhere.)

    I’ve never seen anything close to this in Bing Places. Of course, a big reason is they’re tiny compared to G. Still, I don’t know anything about Bing’s anti-spam defenses – to the extent they exist.

  5. I think one of the best ways to undercut the spammers is to publish the exploits as soon as they’re discovered. The only people benefitting from the current arrangement are the spammers and Google; by not disclosing the exploits (and not closing them), it only fuels that market to find and sell the exploits to the highest bidder, and Google can take their time (which is to say, never) in addressing the issue. Google is also shielded from both embarrassment and accountability, since what the media and general public doesn’t know, doesn’t bother them. If everyone has the opportunity to cheat at the same price point (free, or nearly free), then it’s at least a fair market, and not one slanted so heavily toward the spammers.

    In the past, a lot of effort and noise was made to tell Google, behind the scenes, what problems there were, in the hope that they would fix them. Of course, they never fixed the exploits, so it was wasted effort to try, as many did, to warn them in advance. The reality is that it has to get much worse before it gets better. Today, locksmiths, tomorrow, your business model. Google has long ignored the local spam problem simply because they don’t want to be in the business of policing listings at the only level that is effective, which is humans ratting out other humans, and humans making a judgement as to the truth of the claims. The spam algorithms obviously don’t work and neither does the Local Data Quality team’s approach, which is more akin to the Zen saying, “Sit quietly, do nothing”. Although that may be the best approach to finding inner peace, it does nothing to end the outer spam war being waged in the Local indexes.

    My question is, if you create and promote a marketplace with rules, and there’s no one to hold anyone accountable for breaking the rules, what is the point of having those rules?

  6. I was going to say the same as James. The problem is that mapmaking is easy so that local businesses who aren’t tech savvy can have a chance to compete. If they tighten up, it will also make it harder for the non-technical sole prop companies to use the internet for their marketing.

    I dunno. Maybe I’m assuming too much.

  7. @Greg Yes, I do. I feel safer with potential competitors than I do with the incredibly incompetent Google, who can’t manage to maintain fairly static and benign listings without them ‘accidentally’ disappearing and reappearing with no explanation (as happened to a friend of mine over the weekend), while at the same time they’re doing everything in their power to encourage the proliferation of spam.

    I think there’s an element of good faith and fair play, when the marketplace is fair. No one is out to screw you if everyone feels like the “cops” are working to resolve and prevent crimes. You can compete on your own merits. That is not the current state of affairs. Google doesn’t care about your listing, they certainly don’t care about you, you’re the product they’re selling to their advertisers. That being said, I don’t anticipate that they’ll make it any harder than it is. I think they just need to tighten up their guidelines and actually enforce them, particularly for business segments that are incredibly spammy. Locksmiths listings are 95% spam. Lawyer listings are 70%. That is bad. They can all be verified fairly easily. I think I can say with some confidence that I have about a 99% success rate in identifying spam. I have taken down good listings by mistake, but I worked incredibly hard to get them back up as soon as I realized or was made aware of my mistake.

    Let me put it another way: what’s to stop a competitor from bombing your listing with bad, fake reviews? You can retaliate, of course, which is the risk they take, but most of the bad faith I can see in previous situation isn’t between legit business owners, it’s between Google and the business community they purport to cater to. They’re coddling the spammers and destroying our confidence in their reporting mechanisms. If they want to fix it, they can, as easily as they removed the spam POIs.

  8. @Mike, Google took down the visible listings in your post, but there’s still more that they didn’t find. I found some (with some help)…But I’ll let Google see if they can find it themselves, since they’re so good at finding spam.

    Also, if the Google spam team wants something to do, there’s locksmith spammers in Denver, CO, that need removal. Presently, 868 listings as of 6:34AM Mountain Time, and only 20 or so are legit. Is Google discerning enough to figure out which is which? We’ll see.

    Finally, the engineers can work on fixing the bugs in the Maps and Google+Local reporting interfaces, which have been broken for months on end. SABs still error out when you press Edit details in G+L, and I’m not sure what to make of the ‘new’ Report a problem on Maps, since it’s another Googler singularity they recently opened up and has been steadily swallowing spam reports since.

    Chop, chop!

  9. Meant to say, they likely aren’t discoverable so probably won’t cause a problem.

    But may be giving Maptivists some lingering satisfaction and I don’t understand why Google just didn’t take the + pages down too?

  10. @Linda: Google Places has this bizarre policy of marking business listings as Closed rather than Removed, even if the original POI is clearly spammy (or never existed in the first place). This is yet another on-going issue with Google Listing Editors, and in general, Places. Places doesn’t seem to understand that bad data is bad data and that spam data should be removed. They seem to believe that if someone received a PIN, then it must be ‘valid’ (spammers are very happy that Google Places thinks they’re worthy of that level of respect and consideration, and don’t mind stepping over this tiny hurdle to get there.) The record is still preserved somewhere in the system, even if it’s removed, so I’m not sure why Google would want to keep the page up–perhaps something to do with digital hoarding (and keeping that copy of Reader’s Digest from 1976 “just in case”), or preserving the illusion that Google+ is not a ghost town.

    That being said, I don’t have access to the original Google+Local page, and particularly, the GMM record, so it’s possible that the Local page was Removed, and orphaned the now disconnected Google+ page. That is yet one more issue that was never resolved when I was doing a lot of spam takedowns, and Google has been aware of it for over a year now, and after long consideration, decided to just ignore it like all the other bugs. You’ll find a lot of spam locksmith Google+ pages that were originally Google+Local that have been left stranded on Google+.

    Google really never spent much time thinking about spam when they built their system. Spam is an afterthought, and it’s possible that the Local Data Quality team has no power or influence over these kinds of events, even though it clearly should, cuz, spam. It’s amusing that spammers have more power and influence over the product than Google’s own employees…

  11. Very interesting conversation. I would think logically that it is in Google’s business interest to address these Places/Maps/Google+ SPAM issues, especially given the popularity of the Google Maps apps and the number of businesses and consumers that use it to locate businesses to patronize. Isn’t user experience the key to Google’s continued dominance and success? Each user encounter with a spam site means one less satisfied Google Maps user. Google Maps is one of the top mobile apps. It’s hard to believe that Google couldn’t make the case for investing in clean-up of these spam Places/Maps/Google+ local pages. What gives?

  12. Google’s products, designed at authenticating business data, contain so many holes that frankly it becomes almost indefensible that Google actually cares about the quality of the data that they publish, and leads the informed observer to the conclusion that the company is concerned (at all costs) about getting an email address along with nicely delimited business data for outputting across their product range.

    What’s more, if a company doesn’t actually register itself officially Google seems quite content to scrape and auto-generate listings from other providers and to create a mashup-listing from multiple sources that might or might not actually contain the right information (Just like they have been doing for artists and brands on YouTube so they can show their ads over copyrighted materials, deferred under a convenient UGC clause).

    To the case in question, this is set against a backdrop of companies that do provide accurate information and which are paid for by businesses such as Yellow Pages et al (Big G given a recent slap-down in EU regarding priority given to other directories).

    Standing back and looking at this problem, it’s hardly a hack (remember recently the hotel listings “hijacked”, en masse) because there is no XSS and no trojans or weird installs – instead, as usual, it’s simply people exploiting a submission and verification process that anyone with half a brain could game after they had done it once.

    The fact of the matter is that the number of people affected by this hack (who knows how many people have been tricked or abused indirectly by fake business listings) is impossible to gauge, while policy makers and governments do not seem to have the technical know-how or the desire to assess the impact that such a lax system could have for its citizens.

    So the same s*** continues on a different day.

    At least for Google, consumer ignorance is bliss: most users don’t know that the first 3 listings on Google are paid (nothing to do with the fact that Google chose a background colour for their ads that would render invisible on a large proportion of screens, but because users actually know very little), while Google can cream money with various tweaks to their Adwords system – whether it’s negating the use of exact match keywords because they are considered “low volume” or removing the ability to opt-out completely of mobile ads and then hiding these control mechanisms right down in the Adwords interface.

    No, you can’t stand back and say that there is anything other than money at work, and we’ve all been documenting this stuff for years and no-one seems to care.

    I expect to read about more “hacks” in the future.

