Google Maps' spam problem presents genuine security issues


Bryan Seely, a Microsoft engineer, demonstrated an attack against Google Maps through which he was able to set up fake Secret Service offices in the company's geo-database, complete with fake phone numbers that rang a switch under his control and were then forwarded to real Secret Service offices, allowing him to intercept and record phone calls made to the Secret Service (including one call from a police officer reporting counterfeit money). Seely attacked Google Maps by adding two ATMs to the database through its Google Places crowdsourcing tool, verifying them through a phone verification service (since discontinued by Google), and then changing them into Secret Service offices. According to Seely, the discontinuation of the phone verification service would not prevent him from conducting this attack again.
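The defensive lesson in that chain is that a verification must stay bound to the attributes it vouched for, so a listing that is renamed and re-pointed at a new phone number after passing verification loses its verified status. The following is an added example, not code from the post or from Google; the event model, attribute names and sample history are constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical model of a crowdsourced listing's edit history (not Google's
# schema). A phone/postcard verification vouches for these attributes at the
# moment it happened; a later edit to any of them must not inherit the badge.
BOUND_ATTRS = ("name", "category", "phone", "address")


@dataclass
class Event:
    kind: str                    # "create", "verify" or "edit"
    fields: dict = field(default_factory=dict)


def listing_status(history):
    """Replay one listing's events in order.

    Returns (status, drift): status is "unverified", "verified" or "stale";
    drift maps each bound attribute that changed after the last verification
    to (verified_value, current_value).
    """
    state, snapshot = {}, None
    for ev in history:
        if ev.kind == "create":
            state = dict(ev.fields)
        elif ev.kind == "verify":
            snapshot = {k: state.get(k) for k in BOUND_ATTRS}
        elif ev.kind == "edit":
            state.update(ev.fields)
    if snapshot is None:
        return "unverified", {}
    drift = {k: (snapshot[k], state.get(k)) for k in BOUND_ATTRS
             if snapshot[k] != state.get(k)}
    return ("stale" if drift else "verified"), drift


# Constructed history mirroring the attack described above: an ATM listing
# passes phone verification, then is renamed and re-pointed at another number.
SEELY_STYLE = [
    Event("create", {"name": "ATM", "category": "atm",
                     "phone": "+1-555-0100", "address": "Example St 1"}),
    Event("verify"),
    Event("edit", {"name": "Secret Service Field Office",
                   "category": "government_office", "phone": "+1-555-0199"}),
]

if __name__ == "__main__":
    status, drift = listing_status(SEELY_STYLE)
    print(status, drift)   # stale, with name/category/phone drift
```

A "stale" result is the point at which a directory should strip the verified badge and demand re-verification of the new phone number, rather than letting the listing keep the trust earned by the ATM.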

As Dune Lawrence points out, this is a higher-stakes version of a common spam attack on Google Maps practiced by locksmith, carpet-cleaning, and home-repair services. Spammers flood Google Maps with listings for fake "local" companies offering these services and rake in high commissions when you call for service, dispatching actual local tradespeople who often charge more than you were quoted (I fell victim to this once, when I had a key break off in the lock of my old office door in London and called what appeared to be a "local" locksmith, only to reach a call center that dispatched a locksmith who took two hours to arrive and charged a huge premium over what I later learned local locksmiths would have charged).

A detailed post by Dan Austin describes this problem, points out that Google is more than four years late in delivering promised fixes to the problem, and offers solutions of his own. He suggests that the high Google AdWords revenue from spammy locksmiths and other services is responsible for the slow response to the problem.

All of this ends up costing real local businesses their business, he says. Search for “locksmith in Denver, CO” in Google Maps, and you get more than 600 results. Virtually none of them, Austin says, are for licensed local locksmiths. Instead, your search for someone to get you back into your car in Denver pulls up numbers for a fake local business. Your call gets routed to a center somewhere far away, someone who’s not necessarily a licensed locksmith gets sent to help you, and charges you far above what you were quoted over the phone.

Austin says that Google’s inaction stems from the fact that the company is actually making money off the scammers through sales on Google AdWords for search terms such as “locksmith.”

“Google’s basically getting a not insignificant amount of their income from scammers—if you look at locksmiths, 99 percent of them are scammers,” says Austin. “It’s an investment of time and energy and resources to actually go through and verify all the legitimate locksmiths in the U.S. Google doesn’t really want to get into it—they don’t see it as a security issue.”

How Scammers Turn Google Maps Into Fantasy Land [Dune Lawrence/Business Week]

(via Hacker News)

Notable Replies

  1. He recorded calls? How the heck is he planning to escape jail? Seems to me many other security flaw researchers have done much less and been prosecuted…

  2. It's interesting to note that the enabling culprit here is Google Places, which has long been an opening for all sorts of mischief, entirely due to the ridiculous manner in which it's set up.

    A couple of years ago, a client of mine discovered that a Google Places page existed for their business (an adoption agency) even though they had never created a GP page. They also discovered that the page had an incorrect phone number. Calling that number got you through to the actual agency phone number, but there was an obvious delay in connecting.

    They investigated and discovered that a marketer they had worked with had taken it upon themselves to create the GP page (Yes, under Google Places, you don't have to own the business to start a GP page for it.) The phone number rang into the marketer's office, then re-routed to the adoption agency. They were told it was just to measure phone traffic from the GP page, but, obviously, they could well have recorded conversations if they wanted.

    The agency went and created their own GP page (with the correct info, phone number, etc.), but the way Google Places works is that if there are competing pages for the same business, the data will slowly become blended, and somehow the "real" information wins out. It's nuts. Even after the marketer took down his GP page, the two GP pages remained blended for several months until the real page won.

  3. Nothing here really constitutes an attack against Google Maps, or any other Google service for that matter. It's just a demonstration of the sort of stuff you can do with them as currently provided.

    Using power tools to convert your truck into a tank, A-Team style, isn't an attack on the hardware store.

    Might lead to one though.

  4. Just goes to show that this new-fangled Google stuff is no replacement for your good ol', reliable Yellow Pages!

  5. micah says:

    I have a friend whose home phone number and building street address (but not apartment number) somehow ended up associated with the embassy of an African nation.

    It now shows up in Google Maps, Citysearch and Yahoo Local, but also in Superpages.com, Dexknows.com, Yellowpages.com, Switchboard.com and other phone directory sites. I haven't seen a physical phone book to see if it's listed there, too. The friend has absolutely no idea how his info came to be associated with the country in question.
