Exploiting Google Maps for Fraud

The New York Times has a long article on fraudulent locksmiths. The scam is a basic one: quote a low price on the phone, but charge much more once you show up and do the work. But the method by which the scammers get victims is new. They exploit Google's crowdsourced system for identifying businesses on their maps. The scammers convince Google that they have a local address, which Google displays to its users who are searching for local businesses.

But they involve chicanery with two platforms: Google My Business, essentially the company's version of the Yellow Pages, and Map Maker, which is Google's crowdsourced online map of the world. The latter allows people around the planet to log in to the system and input data about streets, companies and points of interest.

Both Google My Business and Map Maker are a bit like Wikipedia, insofar as they are largely built and maintained by millions of contributors. Keeping the system open, with verification, gives countless businesses an invaluable online presence. Google officials say that the system is so good that many local companies do not bother building their own websites. Anyone who has ever navigated using Google Maps knows the service is a technological wonder.

But the very quality that makes Google's systems accessible to companies that want to be listed makes them vulnerable to pernicious meddling.

"This is what you get when you rely on crowdsourcing for all your 'up to date' and 'relevant' local business content," Mr. Seely said. "You get people who contribute meaningful content, and you get people who abuse the system."

The scam is growing:

Lead gens have their deepest roots in locksmithing, but the model has migrated to an array of services, including garage door repair, carpet cleaning, moving and home security. Basically, they surface in any business where consumers need someone in the vicinity to swing by and clean, fix, relocate or install something.

What's interesting to me are the economic incentives involved:

Only Google, it seems, can fix Google. The company is trying, its representatives say, by, among other things, removing fake information quickly and providing a "Report a Problem" tool on the maps. After looking over the fake Locksmith Force building, a bunch of other lead-gen advertisers in Phoenix and that Mountain View operation with more than 800 websites, Google took action.

Not only has the fake Locksmith Force building vanished from Google Maps, but the company no longer turns up in a "locksmith Phoenix" search. At least not in the first 20 pages. Nearly all the other spammy locksmiths pointed out to Google have disappeared from results, too.

"We're in a constant arms race with local business spammers who, unfortunately, use all sorts of tricks to try to game our system and who've been a thorn in the Internet's side for over a decade," a Google spokesman wrote in an email. "As spammers change their techniques, we're continually working on new, better ways to keep them off Google Search and Maps. There's work to do, and we want to keep doing better."

There was no mention of a stronger verification system or a beefed-up spam team at Google. Without such systemic solutions, Google's critics say, the change to local results will not rise even to the level of superficial.

And that's Google's best option, really. It's not the one losing money from these scammers, so it's not motivated to fix the problem. Unless the problem rises to the level of affecting user trust in the entire system, it's just going to do superficial things.

This is exactly the sort of market failure that government regulation needs to fix.

Posted on February 8, 2016 at 6:52 AM • 33 Comments

Comments

WinterFebruary 8, 2016 7:06 AM

I once was "burned" by a variant of this scam.

On Google earth, I found a hotel that was clearly located at the center of a town very close to where I had to attend an early morning meeting. After I had booked, I found out that the address was actually at the outskirts of the town. Much too far from the center to be of sue to me.

Alex SimonelisFebruary 8, 2016 7:23 AM

"They're not the ones losing money from these scammers, so they're not incented to fix the problem. Unless it rises to the level of affecting user trust in the entire system, they're just going to do superficial things."

Of course it will affect user trust in the entire system.

And Google's counter-measures are not superficial at all.

JayFebruary 8, 2016 7:41 AM

Regulation? I'm tired of seeing this as the answer to everything. Not every problem has to be forcibly prevented. Maybe everyone just needs to develop a healthy distrust for things they find on the Internet, and do some vetting/verification on their own. You know, personal responsibility for who you're hiring.

AndrewFebruary 8, 2016 7:55 AM

You had me until the last sentence. This is the kind of thing that should view government regulation only as a desperate last resort. Concerned over where a hotel is? Check it on another search engine. Wondering if a business is legit? Read some reviews.

As in any business, there are a few bad apples, but don't let them be an excuse for the government to step in and ruin it for the other 99%.

Terry GreenFebruary 8, 2016 8:26 AM

I agree with previous posters, regulation sounds like a broken record. And what if they don't care? Someone near me had cctv of someone breaking into their house and stealing their stuff but the SJ police wouldn't do anything.

Have you noticed how retailers hijack any search term entered into Google? You could search almost anything like spent nuclear fuel rods and WalMart will pop up. But they don't sell any. That's a form of lying too.

rFebruary 8, 2016 8:30 AM

The experience I have with Google correcting data, in this case about a local catering and butcher shop Google took the position of it being the shop owners responsibility to fix the incorrect map data... Now that may be a separate case due to it being a separate service but the shop owner himself had expressed frustration to me about trying to get them to correct the data prior to me trying to assist them in that manner.

Either way, I was not impressed with Google's handling of the situation.

PaulFebruary 8, 2016 8:34 AM

Isn't there already a law against making untrue claims in order to profit? Could the businesses or people in question be prosecuted for Fraud for their false claims about their location - particularly in the context of the other dodgy practices in the article?

A civil claim for fraud would not get much for each offence, but surely a criminal conviction could lead to more severe penalties?

paulFebruary 8, 2016 8:48 AM

For some resources, open access simply isn't workable. The cost of creating map spam is probably already sinking to the cost of spending spam email. And the size and composition of the user community isn't sufficient for crowdsourcing verification. (And you don't want the change/deletion step to be too easy, or that will just mean everybody defacing their competitors/enemies/etc).

In the Old Days, the Bell System (mostly) solved this problem by charging real money, having a secondary hook into advertisers, and having people who could verify the information in question directly.

JonFebruary 8, 2016 8:51 AM

Untrue claims work just fine for Scientology (and pretty much every religion), and given that one major fraudulent firm (who had most of the accused flee the country) was based in Clearwater, Florida, one is inclined to wonder about their branching out for profit.

A criminal conviction is great - If you can find (and grab) the criminal.

In short, Paul, that's fine, unless there's an organization dedicated to obfuscating everything and concealing the accused.

If the Mafia springs to mind, that may not be a coincidence.

J.

CallMeLateForSupperFebruary 8, 2016 9:27 AM

I caught this very story at BoingBoing yesterday morning.
https://boingboing.net/2016/02/06/superb-investigative-report-on.html

In that article Doctorow references an article he posted in March 2014:
https://boingboing.net/2014/03/31/google-maps-spam-problem-pre.html

I want to say, up front, that I do not use Maps at all, preferring Earth. Nor do I search Earth for businesses, because I discovered early on that the feature was not ready for primetime; too many inappropriate "hits". Example from yesterday: search for "locksmiths" in my area coughs up an "NNP"(Neonatal Nurse Practitioner); a collision repair; a small grocery; two dentists. 'Nuf said.

Two of the "locksmith" hits had the same name, Minute Key Inc., were one block apart in buildings that I recognize as Walmart and Lowe's (a home improvement). Some investigation explained this: Minute Key is a self-serve, key duplication machine. Definitely *not* a locksmith.

Another "hit" also picqued my interest because of its location: my local U.S. Post Office. Does a USPO rent space to a locksmith? Not this one. The business's listed address is the p.o.'s street address plus a "Suite" number. Translation: p.o. box. The search "hit" includes a web site link and a photo of the business's site. The photo of the site is so small that one cannot see the foot-tall letters "United States Post Office: engraved in the facade. The copious text on the web site aims to inspire confidence but fails, for three reasons that I won't exercise here.

Yes, as long as persons continue to click on search results, Google makes $$ and has little incentive to clean up its ad business.

WinterFebruary 8, 2016 9:34 AM

@Andrew
"You had me until the last sentence. This is the kind of thing that should view government regulation only as a desperate last resort."

I mistyped. I wanted to say "no use to me". I have never sued anyone in my life. And we did cancel the booking.

Robert.WalterFebruary 8, 2016 9:45 AM

how does the fake location of a "local" business that will come to my house work against me?

Is it that over time real local businesses will be squeezed out, thus leading to an extra charge for mileage, or do they claim google maps have wrong address data and this already claim a surprise mirage surcharge?

Clive RobinsonFebruary 8, 2016 11:30 AM

@ Bruce,

This is exactly the sort of market failure that government regulation needs to fix.

Whilst it is without doubt one form of market failure (that economics it's self fails with, hence the "Internet market problem"). Is regulation the right answer?..

To decide this you have to look at, What the perceived problem is? Why it is perceived as a problem in the specific case? But also if it will still be perceived as a problem in the more general case? Further if it is always a problem? That can be easily identified and clearly and specificaly codefied?

A failure or ambiguity on any one point, history has taught us is going to give rise ti bad legislation that will be poorly or selectively applied and thus will cause more harm than good.

Then the what and how of remidies available under the regulation enabling legislation. After all whilst a 10,000USD fine will kill small honest organisations. Dishonest organisations will never attend court or pay fines, they will just morph into a different name/business/area and carry on with out hinderence. Whilst large organisations will just see it as another tax on operation and work a deal or way around it...

Thus you have to be clear of thought and action at every step of regulation otherwise it will fail to do much more than become a pile of paper or weapon of favouritism in the hands of authorities. Neither of which will achieve what those calling for regulation intended.

paulFebruary 8, 2016 11:34 AM

@Robert.Walter:

The fake location means that they appear on your map when you look for a business near you to help you with your lockout (or other problem, now that the technique is spreading to other fields). Then, when they ultimately arrive, they can use common social engineering techniques to get you to pay more than the advertised fee. Sure, you could tell them to take a hike, but then you'd still be locked out, in the company of an annoyed criminal, and with no guarantee that anyone else you called using information from Google maps would be legitimate.

CallMeLateForSupperFebruary 8, 2016 12:22 PM

@Robert Walter

The typical link gen supplies you with a (more or less) local person who might or might not know what she is doing, who might or might not be bonded, and who you cannot check out ahead of time. And while the typical link gen. often advertises a not-necessarily-excessive price, the responder is free to charge whatever she thinks she can extract from the hapless caller.

The hapless caller should share the blame; it's not all on the link gen. miscreants and their associates. That said, mankind would be better off if the hammer of Thor were to fall on every unscrupulous businesses

"[...] do they claim google maps have wrong address data ..."

That could come into play- perhaps, but I haven't seen it raised in this context.

Google does mismatch locations/street addresses very often. Yesterday I searched "locksmiths in" and specified a random town in a random state. Looking at the marked site in Street View, I saw a closed super market and empty parking lot. I know it was a super market (or was in the past) because the large sign in the lot said so. The photo included in the link showed another view of the empty parking lot and lifeless market, but it was so tiny that one could not read the sign. Had I found a scam location? No (darn it!). The actual, brick-and-morter store, a little cube reminiscent of 1-hour photo shops of decades past, was further down the block.

Link gens do compete with local businesses. There is no question.

Joe KFebruary 8, 2016 12:36 PM

Am a little surprised to see an article about an online tool for finding local services make no comparisons (pro or con) with craigslist.

Lead gens have their deepest roots in locksmithing, but the model has migrated to an array of services, including garage door repair, carpet cleaning, moving and home security. Basically, they surface in any business where consumers need someone in the vicinity to swing by and clean, fix, relocate or install something.

I have no idea how widely used craigslist is, globally. But my impression is that it is, in the US, a pretty much bog-standard tool for finding precisely that sort of service.

Craigslist itself is not without problems, scams, etc. But a comparison would have been informative.

Anonymous CowardFebruary 8, 2016 2:39 PM

> This is exactly the sort of market failure that government regulation
> needs to fix.

I am of the view in general that State regulation is always or almost always worse than no action.

We have in the mind a fantasy of the "right" regulation being enacted, whatever that is, and that it will have and only have the desired effect.

This is *never* so, in either respect.

I agree fully Google basically can't care, because they bear no economic loss. The basic problem then is that users are using a free service. If the service was paid for, the provider would care, and the service would be so much higher quality. If people *wish* to use a free service, and continue to wish this since the cost of paying for such a service is greater than the fraud they bear, then it is their free choice to do so - and this seems to be the outcome. What's really needed are better customers :-)

Anonymous CowardFebruary 8, 2016 2:44 PM

As a related aside, the reviews on Google Maps have required careful use for some years now. Massive numbers of fake reviews exist. Their style is distinctive and they tend to cluster on whom-ever has paid for them; if you see a business with say 100+ reviews and 5 stars, and all the reviews are one paragraph long, reasonable English and capitalize each letter of the company name - that's a business to avoid like the plague.

You need to find the business which has five or ten reviews, tops, about four stars, where some of the reviews are clearly written by semi-illiterates ;-)

"YEAH ITSS GOOD I went there top marks Steve"

Actually, getting back to the original problem, I think a significant factor now in all of this is the ongoing absence of a viable, widely accepted and zero-effort to use micropayment system.

mozFebruary 8, 2016 5:41 PM

The regulation that's needed is criminal law and the government intervention needed is to enforce it. I don't see why that should be exciting or controversial. This is large scale fraud.

The problem is that since it's diffuse fraud the individual people who should be reporting it don't care enough and the people that they could be reporting it to don't realize the scale if they ever do hear of it.

Basically this is the criminal version of problem that class action lawsuits were designed to handle. There is something wrong with the idea that if I steal $10,000 I'm a big criminal, but if I steal $5 separately 100,000 times then nobody cares, but it's completely true.

MagnusFebruary 8, 2016 7:21 PM

"who've been a thorn in the Internet's side for over a decade"

That is really rich coming from Google.. a thorn in the side of Google's business model of exploiting mass amounts of free labour is more accurate.

JamesFebruary 8, 2016 7:33 PM

Regulation might help but one problem is that regulators sometimes err so giving them the power to fine or close down businesses might prevent people from doing business with providers of their own choosing. Another problem is that people might be stuck with some regulator with standards that don't meet their needs.

A workaround for the first problem would be for the regulatory agency in charge to have no enforcement authority but let the agency give out certificates saying "After careful consideration, even if we could shut down XYZ locksmith corp, we wouldn't." People who trust regulators would gain the full benefit of regulation because they could refuse to do business with anyone not in posession of that certificate.

An added benefit of not requiring enforcement powers is that it also takes care of the second problem. Since it's perfectly legal for anyone to give certificates, anyone could start up a competing certifying organization at any time if the government run regulator didn't do a good job. People who find government regulators more credible than private sector regulators could still rely on the government run regulator but no one would be forced to if they preferred not to.

k15February 8, 2016 9:58 PM

So Google could charge a few bucks for a "Paid Business" variant, that has a photo of shopfront with the business name on it, and the business license #? And mark these differently, on the map?

rFebruary 9, 2016 1:45 AM

@moz,

You make me wonder if some of these entities aren't operating outside of their DBA. In my state you either need a state LLC I believe (certain cases may require a PLLC.) or a DBA per county of operation.

At least that's how I understand the DBA rules, the LLC's I'm not too sure about.


@Joe K,

I would never search for a trained equipment wielding locksmith on the same site that people purchase prostitutes and stolen merchandise from: I don't care how long I've lived here. IF a real business can't afford real advertising or a real listing I'm certainly not going to pay someone on Craigslist who simply claims that they can. There's absolutely no review system there and thus one would likely be far better off with "Angie's List" for things like this.

To be fair, I buy sell and advertise on CL from time to time myself... But the best advertising I've seen is word of mouth and in all fairness I have seen some insane custom concrete and solo'd stamp work... even what I assume is shotcrete/gunite done on the LOW... So maybe with the right presentation CL wouldn't be an immediate NO but they would require one hell of a web presence, references, business card, portfolio, etc. Not just some lame white van w vinyl stickers or magnets on the side.

Stephen February 9, 2016 6:15 AM

Aside from the deceit of charging more than their quote, businesses where the service is mobile often try to appear local.

Our local newspaper would have classified advertisements for the local locksmith, plumber, electrician, etc. All had the same area code on their phone number. When you looked through the listing you would avoid the unfamiliar area code because you knew they were from across town.

Having a free call phone number solved that. You could appear local, advertise locally, but get customers from anywhere in a larger area without scaring them away by having a distant area code.

The twist here is that the advertisers are gaming the system. Pay for your Ad Words by Google instead of gaming the "crowd sourced" map listing. Blacklist the cheaters until they bid their way back in.

DanielFebruary 9, 2016 10:59 AM

I agree that regulation is not the right answer but that is because I believe it is long past time that we nationalized Google.

e=mc2February 9, 2016 12:53 PM

@Bruce Schneier:
This is exactly the sort of market failure that government regulation needs to fix.

Can't this be fixed through "market action"?

E.g. that people stop using Google for this (and other) purposes?

Google has a long history of discontinued "projects" that they ended shelving when it became apparent that they were not very popular (or that Google's implementation of the "service" was not all that great, or other reasons).

Like Google+, a good example of a zombie service. It's alive, but yet not really.

So they will discontinue this service as well if enough people abandon it.

Also, I could be wrong but a problem with more government regulation is that it (by its nature) leads to explicit specifications that somehow (typically) needs to be enforced by the government. This in turn leads to more taxation that is required to pay for the enforcement.

googleFacilitatesAbuseThroughTheirProcessesFebruary 9, 2016 12:59 PM

@Daniel
it is long past time that we nationalized Google.

It's already de-facto nationalized by the Alphabet Agencies

Marcos El MaloFebruary 9, 2016 6:39 PM

A few things that need to be cleared up:

The lead gen map/link hackers (or whatever you want to call them) are quite simply overwhelming local businesses. It's a number's game. When there are 99 fake business fronts for every legitimate business on the map, the results should be obvious.

The lead generators are bidding up the advertising, making it too expensive for local businesses to advertise online.

For many service businesses, including locksmithing, a mobile business run out of a van or truck is more viable than having a physical storefront. Such businesses often use P.O. boxes. This does not or should not bring their legitimacy into question. The fact is that for many such businesses, a storefront makes no economic sense. It's an unnecessary expense. There was also a case where there was a business with a storefront, but the lead gen spammer basically hijacked the location. Location verification is really not a solution to the problem, although it might have a small part to play in a solution.

Regarding solving this problem via regulation or "letting the free market handle it", I think Google's contributory negligence needs to cost Google something if anything is to be done about it. If Google was forced to compensate the victims of these scams and the legitimate companies for loss of business, you can be sure it would get fixed rather quickly.

Perhaps the deeper problem is when crowdsourcing projects are created by entities (such as Google, but there are others) that value money over reputation. Sites like Wikipedia have created an infrastructure of user oversight to preserve their reputation and they work hard to maintain it. Google and other for profit businesses might like such a strong reputation, but will cut corners if that will achieve what they consider good enough.

Sancho_PFebruary 10, 2016 12:29 PM


@Alan (“What regulation would fix this?”)

From the postings here it’s obvious that many people don’t trust their gov. regulation authority.
Sad, but true. And with cause.
However, gov always did, this is how we came here, and how we will proceed.

The problem is that our elite has evolved, from people who fought for freedom and justice to those who fight for power and money (shareholders).
So here we are, business overtaking regulation, imperialism overtaking capitalism.
Uncontrolled (unregulated) growth leads to monopolism, funded and protected by the state.
No liability + no competition = no free market = social suicide.
Monopolism is comparable to cancer, the end of diversity, nature.
Regulation would have be fairly easy, but it’s too late now.

Dirk PraetFebruary 10, 2016 8:58 PM

This is exactly the sort of market failure that government regulation needs to fix.

What I don't understand here is why people don't have the common sense to first call Acme Company to verify if indeed they provide a local service and at what price for a specific service/intervention. If they lie about it and try to charge your pants off, call 'em out and call in a local LEO. Then file a complaint with Google.

ianfFebruary 12, 2016 9:34 AM


@ Dirk Praet […] “why people don't have the common sense to first call Acme Company to verify if indeed they provide a local service and at what price for a specific service/ intervention.

The debate was about some highly competitive service "outlets" in the USA, and there your objection sounds logical. The same cautionary approach would, however, be unrealistic and/or impractical in my European context, where service givers practice various forms of "natural born cartels" and business malpractices.

For instance, calling a locksmith for changing a lock the same day will cost ~€400 EVERYWHERE, or ~€300 within a week (the time to be chosen at the locksmith's convenience, so sit by the phone). "Because that's how much it costs," as were it written in the Bible. Calling a plumber, or any other non-warranty dirty-hands serviceman for a quote will invariably be met with a counteroffer to "inspect the problem in situ, so correct quote can be submitted," the inspection taking perhaps 10 minutes and costing ~€95 (to be counted in the inevitably salted quote of €500-800). If you insist on immediate (pardon the sports metaphor) "ballpark figure", they'll quote you ~250% of what you expected, just to be on the safe side, etc. And, unless you've got it in writing, the final invoices tend to be for higher sums than agreed upon… contest them in court, or pay up and move on.

20 years ago I dropped a radio onto the floor. A newer model cost then ~€200, but I liked that one, decided to have it repaired. Went to SONY's authorized workshop, unscrewed it there to see the damage, and had a technician opine on the spot whether it even was serviceable (not: required ordering a replacement CPB). Called up a guy who liked to meck around with electronics, see what you can do or keep the wreck. A week later he soldered together the broken CPB, charged me €35. The radio is still here, even if I don't listen to it as much as before ;-)) But the unscrewing-item/ad-hoc-diagnosis-in-a-workshop method wouldn't work any more… now they'd insist on checking it at their own leisure, and my €85 cost for that! And that guy has retired ;-))

Another example: when sanitation pipes in my building were high-pressure flushed (250+bar @ 200℃) to declogg them internally, some of the fine rust etc particles crept into the thermostat in my bathroom (as I found out later; the symptoms were that I could only get tepid water out of the shower). I made several inquiries about it; all the pros diagnosed it as irrecoverable mechanical thus uneconomic to mend failure, proposed replacement of the entire unit; cheapest quote was >€550 inclusive. But it was only 10 years old, supposed to last 50-70. Dismantling it required a large-diameter serrated wrench, special order €38 item. I bought a replacement unit ("30 days open buy") that came with a sturdy plastic version of that wrench. Unscrewed the thermostat, found rusty detritus clogging up the metal filter, flushed it out, put the unit back in, works as before (I wasn't able to set it back just-so exactly, so now I can never get truly cold water from the shower head… I can live with that.) Went back to the store with the replacement unit, got my money back, mentally flipped all "the pros" the finger.

HarrisonFebruary 13, 2016 5:54 AM

The people with a downer on regulation forget the very reason we form civil societies in the first place.

Without civil regulation, organised gangs can pick out and prey on individuals. It does not help at all if your only solution to this is to insist that the preyed upon individuals be "more vigilant".

It makes more sense for the prey animals to bind together and use their greater strength to suppress the (now) smaller gangs. That is what society is for. That is the true best use of Government.

Get used to it guys - we individuals will band together to fight off the gangs and nothing in your "libertarian" ideals can stop us while we remain under attack from gangs.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.