Yesterday, I suggested that Google Places had been hacked for searches on "personal loans" and related terminology across the United States. If you haven't read my first post, I recommend doing so in order to get the complete picture. After I initially wrote this up, I got curious and decided to get in my car and go find these local listings. I wanted to make sure that they were, in fact:
1) legitimate, and;
2) had been hacked and overwritten.
As it turns out, I was only half right if you define a hack as strictly the unauthorized access to password-protected accounts. From what I can tell, that has not happened here.
1) Hack is a pretty vague term and I probably should have avoided using it. Even though I originally thought there was a possibility accounts may have been compromised, I view a hack as any attempt to look for vulnerabilities in a system and then use that system for purposes other than it was intended. If you have a similar viewpoint, it was most certainly hacked, but sorry for any confusion this caused.
2) The Google Places pages in question were built off of legitimate businesses, but not off of legitimate listings. If you have already verified your listing, there is probably no need to check that it is accurate. Rather, this issue concerns established businesses that have never set up a Google Places page, and may not have even realized that they already had one.
Essentially, what we are looking at here is a simple form of business identity / credential theft.
Annabelle's:
We are located in Fishers, so I stopped by Annabelle's Consignment (mentioned in my last post) near our office. It has gone out of business. Not much help.
qiLoans... Fishers Eye Care?
I then tried to find: qiLoans Inc at 11565 Cumberland Road #300 Fishers, IN 46037. There is a small one story office complex in this location (intersection of 116th and Cumberland Rd) with four separate address numbers, but unfortunately 11565 is not among them. There is, however, a 11579 that has a suite 300. That office is for Fishers Eye Care. The Google Places listing for qiLoans has one of its listed categories as Optometrist, so that seemed to be a little too coincidental. I tried to pull up the website for Fishers Eye Care to see if the telephone numbers matched, but their site was timing out. I discovered later, that this is one of the ways that I got tricked into thinking that this was an intrusion into Google. The number for the listing was 317-429-1134, and 317 is the area code for this area. It appeared legitimate, but there were no other review sites tied into this page in order to determine if this had been the listing of Fishers Eye Care. So, I moved on to the next one, and that is where the pieces started to come together.
The Scam:
Previously unverified business listings (the opposite of how it first appeared) were falsely verified and then modified. This seems to be fairly straightforward, but the method of implementation, scope of how much was inserted into Google Places and the efforts taken to conceal this operation were actually pretty sophisticated.
How it Worked:
I now know how this worked, but as to how exactly it was done, that is over my head, and I would only be able to guess. I will leave that one for someone that is much more knowledgeable about such things.
If I remember correctly, Google originally populated its local listings, just like Yahoo and other sites, with basic business data from third-party sources in order to kick-start things. Companies could go in and claim their listing and improve it. However, it appears that Google went a step further than just placing the listings and collecting reviews from its own users. Without ownership being verified, ratings from other services were also being picked up and inserted into these basic listings. Even though the owner had not yet claimed the page, these ratings gave the listing the appearance of legitimacy. My guess is that in most cases, as I discovered yesterday, the owners didn't even know that they had a page to claim.
guLoans Inc - Victim: Gregory Hancock Dance Theatre
To recreate what I am discussing here:
1) Set your location to - Carmel, IN.
2) Do a search for - personal loans.
When I did the screenshots and started writing this last night, there were actually two listings for guLoans Inc at the same address. (I haven't figured out how this happened yet.) Unlike qiLoans, the area code is for Gainesville, Florida. Why this, along with a complete name change didn't set off some red flags at Google, is beyond me.
[UPDATE: While posting this, I just checked this listing and it looks as if Google is in the process of updating it to the correct owner. The Place page is now mostly correct, but it still shows up as guLoans in Carmel when searching for "personal loans." Even if it is gone when you follow up, no worries, there are plenty of other examples still in place. And, I view this as a validation by Google that these listings were hijacked... and not just inserted by a spammer.]
----
1) If you simply click on the guLoans link, instead of the Place page, you get redirected through carmel-in.igpaydayadvance.info domain to Ameriadvance.com. This is the scammer's source of money, and as I pointed out yesterday, it is probably an affiliate program relationship.
2) If you go to the Place page, this is where it becomes a little clearer of how this was working.
----
1) The listing is verified. I am going to speculate that this probably gives the listing more juice in Google's ranking of these results. The problem is, who actually verified this listing? Was it the owner? In a word... No.
2) When I got to 335 Gradle Dr (just like qiLoans) the business that appeared to be attached to the Google Places page was not located there. It was once again, just slightly off and located at 329 Gradle Dr.
3) Why was the address changed, and why was it such a small change? I think the address was changed in order to conceal the listing. As anyone with a business on the Internet knows, your listings may bring you business, but they also bring a lot of solicitations your way. Well, if you owned a dance school and started getting mail for guLoans, you might do a search and find it with a listing at your address, and then ask that it be removed. The scammer did not want this to happen, so the address was changed in order to conceal the listing from the owner. --- Wrong name. Wrong address. Return to sender. --- Even if you stumbled across this listing, you wouldn't give it a second look. The small change was probably for the benefit of dealing with Google. Typos occur frequently, and because the address is on the same street, it was made to look like a minor correction.
4) As mentioned yesterday, categories were inserted to get this listing to show up in loans-related searches.
5) This is where it first became apparent that this listing wasn't simply inserted, but hijacked. This particular listing was accumulating reviews from cityvoter.com. If you click on the picture or the reviews link, you get a ratings page for Gregory Hancock Dance Theatre. I went into the dance school to see if they were even aware that they had a Google Places listing. They told me that they did not have one. Then, I showed them what I had found. They were familiar with the picture, but their response was, "That is not from our website. That is an old picture."
----
This is perhaps not as good as some of the other examples I found, like Yelp or Google's own ratings showing up in the general search results under a business name. However, it still works towards legitimizing a listing, when in actuality, it has been hijacked from the true business owner that never even realized that it existed.
----
Finally, I went back and searched for - dance school, and there is our listing. However, it simply looks like an out of place listing and most people will simply pass it over without notifying Google that it is spam. This is why it was so important for the scammer to overwrite the listings from multiple categories. The more difficult to piece this all together, the longer amount of time that this scam will remain in place.
Mistakes:
I see three mistakes made here that might have allowed this to go on for a longer period of time unnoticed.
1) As with the example in Fishers, he should have used the same area code as each listing (unlike what was done in Carmel) in order to go undetected at Google, but also to possibly fool anyone manually viewing the Place page. I called the 317 number in Fishers and it turned out to be a fake. This still would have been uncovered, just not as quickly.
2) In Carmel, there actually is another company located at 335 Gradle Dr. This was just dumb luck I guess, so mail would have eventually found its way there for guLoans. Anyone that can automate an operation of this size should have been able to program in a method of verifying that the addresses used did not exist.
3) In some areas, such as with Carmel, this scam was so successful that a bunch of listings all come up at once on personal loan searches. Another key to getting away with a scam like this is to go unnoticed by those that know how the system works.
Suggestion to Business Owners:
Have you lost potential business because of this? It is possible. If you own an established business, but have never set up or verified a Place page, do a search in Google with the search settings set to your community. If you cannot find your business in the Google Places listings, you may never have been added, or your business may have been affected by this scam. Repeat the search using popular terminology related to the products or services that you offer and look for listings near your location. If you find a listing that may have been yours (is attached to reviews for your business), contact Google.
Technorati Verification Code: VZ52UJ7CB732
