Google Maps

Tens of thousands of fake listings are added to Google Maps each month, redirecting users to fraudulent websites that sell phony or overpriced services or that are part of a referral scam.

This is the result of a study carried out by Google and University of California, San Diego researchers, who analyzed over 100,000 businesses marked as "abusive" and added to Google Maps between June 2014 and September 2015.

Researchers say that 74% of these abusive listings were for local businesses in the US and India, mainly in pockets around certain local hotspots, especially in large metropolitan areas such as New York, Chicago, Houston, or Los Angeles.

Fraudsters focused on on-call services

In most cases, the scheme was simple. A customer in need of a locksmith or electrician would search Google Maps for a local company. If the customer navigated to the website of a fake business or called its number, a call center operator posing as the business' representative would send over an unaccredited contractor who would charge much more than regular professionals. If a customer's situation was urgent, the contractor would often charge more than the initially agreed-upon price.

Researchers said that 40.3% of all the listings for fake companies they found focused on on-call services, such as locksmiths, plumbers, and electricians, where customers were desperate to resolve issues.

This also explains why many of these fraudulent Google Maps listings were located in certain hotspots, usually around the area in which one of these scammers or scammer groups operated.

Fake listings, stats

Crooks found a way around Google's verification process

To list a business card on Google Maps, companies must go through a series of checks that involves Google mailing a postal card, or making a phone call to the business' headquarters.

After analyzing over 100,000 fake listings, researchers said miscreants registered post office boxes at UPS stores and used the same address to register tens to hundreds of listings per address.

They did the same thing for their phone contact, buying cheap VoIP numbers from providers such as Level 3, Twilio, or RingCentral.
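The address and phone reuse described above leaves a pattern a reviewer can look for. The following is an added illustration, not the researchers' or Google's detection method: it collapses mailbox-style unit numbers so that listings sharing one street address group together, then flags groups that are large and mostly VoIP-backed. The sample listings, the `line_type` field (assumed to come from a carrier lookup), and both thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample listings (not data from the study):
# (business name, postal address, phone line type from an assumed carrier lookup)
LISTINGS = [
    ("A1 Locksmith",      "123 Main St #101, Houston, TX",          "voip"),
    ("24/7 Lock & Key",   "123 Main Street Suite 214, Houston, TX", "voip"),
    ("Fast Plumber Pros", "123 MAIN ST. PMB 330, Houston, TX",      "voip"),
    ("Speedy Electric",   "123 Main St Unit 12, Houston, TX",       "landline"),
    ("Corner Bakery",     "500 Oak Ave, Houston, TX",               "landline"),
    ("Oak Dental",        "500 Oak Ave Ste 2, Houston, TX",         "landline"),
]

# Mailbox stores give each customer a "#", "PMB" or "Suite" number at one street address.
# Only numeric units are stripped, so a street such as "Box Elder Rd" is left alone.
UNIT_RE = re.compile(r"\s*(?:#|\b(?:pmb|suite|ste|unit|apt|box)\b\.?)\s*\d\w*", re.I)
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "boulevard": "blvd"}

def normalize_address(addr: str) -> str:
    """Reduce an address to a street-level key: drop unit numbers, punctuation, case."""
    addr = UNIT_RE.sub("", addr.lower())
    addr = re.sub(r"[.,]", " ", addr)
    return " ".join(ABBREV.get(word, word) for word in addr.split())

def flag_clusters(listings, min_listings=3, min_voip_share=0.5):
    """Return {address_key: [names]} for addresses shared by many, mostly-VoIP listings."""
    groups = defaultdict(list)
    for name, addr, line_type in listings:
        groups[normalize_address(addr)].append((name, line_type))
    flagged = {}
    for key, members in groups.items():
        voip = sum(1 for _, line_type in members if line_type == "voip")
        if len(members) >= min_listings and voip / len(members) >= min_voip_share:
            flagged[key] = [name for name, _ in members]
    return flagged

if __name__ == "__main__":
    for key, names in flag_clusters(LISTINGS).items():
        print(f"{key}: {len(names)} listings -> {names}")
```

A flagged cluster is a lead for manual review rather than proof of abuse, since legitimate businesses also share office buildings and use VoIP lines.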

Half of the hijacked Google Maps traffic went to referral scams

Besides on-call services, researchers say crooks also created fake listings for on-premise businesses, such as hotels and restaurants, where crooks charged illegal reservation fees, or sent traffic through referral services back to real restaurants or hotels, earning commissions.

For these, researchers say fraudsters registered fake listings on behalf of real hotels and restaurants that failed to do so on their own.

The research team discovered that crooks managed to hijack 0.5% of Google Maps' outbound traffic for the studied period.

"Of the user traffic captured by miscreants, some 53.5% of it was forwarded to referral scams for the restaurant and hotel industry, and 3.5% was directed towards deceptive service industries (e.g., unaccredited locksmiths and contractors) operating phone centers to respond to inquiries," researchers noted.

Google cut down abusive listings by 70%

Following this study, Google says it added improved security measures for the Google My Business service. The search giant says it reduced the number of abusive listings by 70% since its peak period, in June 2015.

Google also says it currently detects and disables around 85% of fake listings before they ever appear on Google Maps.

The research paper, entitled "Pinning Down Abuse on Google Maps," was presented at the 2017 International World Wide Web Conference, held last week in Perth, Australia.
