A partnership between computer scientists at the University of California San Diego and Google has allowed the search giant to reduce by 70 percent fraudulent business listings in Google Maps. The researchers worked together to analyze more than 100,000 fraudulent listings to determine how scammers had been able to avoid detection—albeit for a limited amount of time—and how they made money.
The team presented their findings at the 26th International Conference on the World Wide Web in Australia earlier this month.
The computer scientists identified what they describe as a “new form of blackhat search engine optimization that targets local listing services” such as Google Maps. They also describe how these scammers were able to make money.
“Location-based search is increasingly becoming the way people interact with online content—even if you’re not using a mapping application,” said Alex C. Snoeren, a professor in the Department of Computer Science and Engineering at UC San Diego and a senior author of the study.
For example, when people run a search on their mobile phone, the search engine uses their physical location as one of the inputs to decide which results to display, Snoeren explained.
The scammers take advantage of this by using fake locations to make it look like their business is in close proximity to the user doing the search. This was particularly true of on-call contractors, notably plumbers and locksmiths. Researchers found that 40 percent of all fake listings on Google Maps belong to that category.
“I might find seven listings for locksmiths in my neighborhood,” said Danny Huang, the paper’s first author and a Ph.D. student in computer science at the Jacobs School of Engineering at UC San Diego. “But in fact, none of those listings are real.”
In all, researchers found that 11 percent of overall search results for locksmiths were fraudulent. In New York, that percentage went up to 15.6 percent. And it went up to an astonishing 83.3 percent in West Harrison, New York.
Scammers are able to make money when they get called to help a user based on a fake listing. Scammers might quote a low price when called on the phone, only to charge a higher fee when they show up. They might not be licensed but get the business anyway.
In another scheme, scammers set up fake pins for real hotels or restaurants on Google Maps. They set up websites where customers make reservations, which are connected to the business’ real website or to a travel agency, which is not part of the scam. This allows scammers to make money either by getting a commission for each reservation or for referring traffic to the businesses’ real websites. The researchers found that roughly 13 percent of the fraudulent listings had real hotel and restaurant addresses, but were not created by these businesses.
All these fraud schemes were possible primarily because scammers found a way to get around Google’s verification process.
Businesses can register for Google Maps online for free. But before a listing goes live, Google sends a postcard with a verification code to the business’ address. The business inputs this verification code and the listing is then approved to go live.
Partly thanks to these measures, Google is able to detect 85 percent of fake listings before they even appear on Google Maps. The fake listings that make it past the verification process are taken down within an average of 8.6 days between creation and suspension.
Scammers got around verification requirements mainly by leasing PO boxes and using those addresses to receive their verification codes. They also added fake suite numbers to a specific address so Google wouldn’t get suspicious about a large number of businesses located at the same address. Researchers note that there are legitimate reasons for a large number of businesses to have the same address—big office buildings in Manhattan come to mind.
Researchers also noted that a large percent of fraudulent listings changed their address or the category they belonged to (from hotel to locksmith, for example) after verification.
To tamp down on abuse, Google has taken a number of measures, which the company details in a post on its research blog. Steps include: prohibiting bulk registration at most addresses; preventing businesses from changing their addresses to a location that is impossibly far from the original without additional verification; and detecting and ignoring intentionally mangled text in address fields designed to confuse Google’s algorithms. The company also fine-tuned its anti-spam machine learning systems to detect data discrepancies that are common in fake or deceptive listings.
The research was partially funded by a grant from the National Science Foundation.
*D.Y. Huang, D. Grundman, K. Thomas, A. Kumar, E. Bursztein, K. Levchenko and A.C. Snoeren, “Pinning Down Abuse on Google Maps,” Proc. of the International Conference on World Wide Web (WWW), April 3-7, 2017, Perth, Australia.