It’s no secret that people think Google Places for Business listings are primed for spam. But the latest debacle making headlines involves an example of just how dangerous those spam listings could be.
Network engineer Bryan Seely intentionally created fake listings for the FBI and Secret Service that showed up in Google Maps, then he showed how easy it was to cause potential damage. The results have since been taken down, but a reporter at Valleywag grabbed screenshots before they were:
When these listings were live, unsuspecting citizens called up the fake numbers in the fake listings, and here’s what happened next, as reported by Valleywag:
The callers that Seely recorded thought they were speaking directly to the government agencies because they looked up the telephone number on Google Maps. What they didn’t know was that Seely had set up fake listings for the San Francisco FBI office and Secret Service in Washington, D.C., displaying numbers that went to a phone account he set up rather than the federal offices. After Seely’s numbers received the calls, they were seamlessly forwarded to the real offices the callers were trying to reach, only now the audio of their conversations with real federal agents was being captured by Seely.
Seely said Google had known about this problem for some time, but ignored his request to fix the issue. So he marched over to the Secret Service offices in Seattle one day to show just how vulnerable this loophole could make the FBI and Secret Service.
But after routing a few calls through the fake listings to the government organizations, it didn’t take long for the Secret Service to figure out something was going on. While at the Secret Service office, he “got a notification on his phone that a call had just been intercepted: It was a Washington, D.C., police officer calling the Secret Service about an active investigation,” reported Valleywag.
Seely was read his rights and interrogated that day, but after just a few hours, was released and even reportedly called a “hero” for discovering the loophole.
Creating those fake listings wasn’t particularly hard, Seely told Valleywag. He said he used a combination of Google’s Map Maker tool and Places for Business. And, when he was at the point of verification, he opted for the phone option because “the way that these people build these computer systems is assuming that no one wants to do more work—assuming everyone wants the easy way out. So if you choose the easy way then we don’t trust you, if you choose the harder way and verify by phone immediately, ‘Oh you must be a person and you must be legit.'”
Google told Gizmodo it had made updates since then to help combat this problem:
“It was brought to our attention that an individual was creating fake business listings in Google Maps. Although these listings do not appear prominently on the map, we take problems like spam very seriously, and appreciate when the community flags issues so we can quickly resolve them.”
But will Google be able to fix the whole problem once and for all? Seely told Gizmodo that there are more than 100,000 fake listings for locksmiths alone. Here, Gizmodo paints of picture of how these fake listings can be played out:
So say I’m a locksmith and I want a little more business. My ranking is too low when you search “locksmith near [my neighborhood]” on Google Maps; no one ever clicks on me. If I find the right scammer, I can boost my presence with a couple more (non-existent) locations. Or even better, I can have a scammer change my competitors’ numbers so that the calls forward to meinstead. All I have to do is pay a scammer $50 or so per call. But hey, that’s just the cost of doing (shady) business.
Seely told Valleywag that the small business is the one suffering here, but that he suspects Google won’t make cleaning these listings up a priority. Whether or not that’s the case, the high-profile nature of this particular instance of spam and the involvement of the government may just make this loophole a primary focus for Google.