Google Maps' spam problem presents genuine security issues

Bryan Seely, a Microsoft Engineer, demonstrated an attack against Google Maps through which he was able to set up fake Secret Service offices in the company's geo-database, complete with fake phone numbers that rang a switch under his control and were then forwarded to real Secret Service offices, allowing him to intercept and record phone calls made to the Secret Service (including one call from a police officer reporting counterfeit money). Seely was able to attack Google Maps by adding two ATMs to the database through its Google Places crowdsourcing tool, verifying them through a phone verification service (since discontinued by Google), then changing them into Secret Service offices. According to Seely, the disabling of the phone-verification service would not prevent him from conducting this attack again.

As Dune Lawrence points out, this is a higher-stakes version of a common spam attack on Google Maps practiced by locksmith, carpet cleaning, and home repair services. Spammers flood Google Maps with listings for fake "local" companies offering these services, and rake in high commissions when you call to get service, dispatching actual local tradespeople who often charge more than you were quoted (I fell victim to this once, when I had a key break off in the lock of my old office door in London and called what appeared to be a "local" locksmith, only to reach a call center that dispatched a locksmith who took two hours to arrive and charged a huge premium over what I later learned local locksmiths would have charged).

A detailed post by Dan Austin describes this problem, points out that Google is more than four years late in delivering promised fixes to the problem, and offers solutions of his own. He suggests that the high Google AdWords revenue from spammy locksmiths and other services is responsible for the slow response to the problem.

All of this ends up costing real local businesses their business, he says. Search for “locksmith in Denver, CO” in Google Maps, and you get more than 600 results. Virtually none of them, Austin says, are for licensed local locksmiths. Instead, your search for someone to get you back into your car in Denver pulls up numbers for a fake local business. Your call gets routed to a center somewhere far away, someone who’s not necessarily a licensed locksmith gets sent to help you, and charges you far above what you were quoted over the phone.

Austin says that Google’s inaction stems from the fact that the company is actually making money off the scammers through sales on Google AdWords for search terms such as “locksmith.”

“Google’s basically getting a not insignificant amount of their income from scammers—if you look at locksmiths, 99 percent of them are scammers,” says Austin. “It’s an investment of time and energy and resources to actually go through and verify all the legitimate locksmiths in the U.S. Google doesn’t really want to get into it—they don’t see it as a security issue.”

How Scammers Turn Google Maps Into Fantasy Land [Dune Lawrence/Business Week]

(via Hacker News)