Try to guess which one of these things isn’t true of Bryan Seely:
- Created fake Google Places pages for the FBI and Secret Service, listed phone numbers he controlled, intercepted their phone calls, and then turned himself in to the FBI to show them the security hole that Google left. (And he didn’t get shipped off to Guantanamo Bay!)
- Created a Google Places listing at the White House called “Snowden Super Secret Hiding Place,” and another called “Edward’s Snow Den.” (Among other pranks.)
- Spoke at TEDx about how easy it is to spam Google Maps, and how that hurts honest business owners and consumers.
- Found a weak spot in LinkedIn that allowed him to get Mark Cuban’s personal email address – and then let Mark know, and helped LinkedIn fix the problem. (Mark was happy, too: he asked if Bryan could help with his Cyberdust)
- Might have contributed to the recent shutdown of Google Mapmaker, as well as to a possible algorithm update.
- Grew up in Japan and speaks Japanese.
- Is a United States Marine.
- Wants to be buried in a KISS Kasket.
Bryan’s crusade for Maps sanity and better cybersecurity has brought him some press. He’s been featured in The Wall Street Journal, The Washington Post, CNN, Bloomberg, and elsewhere.
He’s the kind of guy who might just bring about the kind of change that’s bad for spammers but good for honest business owners.
As a concerned local-search geek myself, I’ve been following Bryan for a little over a year now – since he first started really poking Google in the eye. We had a good phone call recently, and decided to expand it into a full-blown interview.
Enjoy!
—
How did you go from being a decent guy mixed up with spammers to being a champion of “the little guy”?
I had lost my job while in Southern California and with a young family, it was a bit difficult to be unemployed suddenly. The company I was working for decided to close their California branch and without warning, income was zero.
I ended up working for a company that engaged in the “map spamming” yet when I joined that was not immediately clear. Over time, it became apparent that I could not work in that industry anymore, and found myself working as a network engineer and systems engineer for a variety of companies up in Seattle. I moved my family to get away from all of that and start a new life up in Washington.
Fast forward a couple of years, I decided I wanted to see how the local search world was coming along and started to poke around to see if the same Google Maps vulnerabilities were as prevalent. I was kind of surprised to see that it was much worse than it was before.
The path at that point was not exactly clear, but I knew that I had to do something about it. I ended up writing up a variety of methods for building fake businesses online and sent them to Google. Their response, if you could call it that, was basic dismissal. I created some funny maps listings to poke at Google a little bit, some of which were pretty funny in my opinion. I contacted a local news station, Komo, and they ran a story about the entire spam problem.
Google still resisted the entire premise of the problem, and even after the whole “Wiretapping the Secret Service” incident, Google didn’t fix the underlying problems.
I translated the frustration of them refusing to acknowledge and fix the problem into what I have been working on for a year now. The recent TEDx talk, a book that is getting ready to come out, and as much attention as I can bring to this issue.
What’s some “ethical hacking” you’re doing now (and are at liberty to discuss)?
Currently, I have a few private clients that range from celebrities to corporations that value their privacy. There have been a few stories that I can talk about that happened over the last year or two.
The one I enjoy the most was also fairly simple. Brian Krebs wrote about it in an article, where I was able to use Linkedin.com to validate the email addresses of individuals who use the Linkedin.com system. I was able to get confirmation of the email address that Mark Cuban uses to login, and then I was able to get in touch with him to inform him of the vulnerability.
Mark’s immediate reaction was “what else can you do?” and he asked if I would be willing to work on his Cyberdust app. Since then, there have been a variety of projects in which disclosure would violate agreements, but if you would like to learn more about what I can disclose, visit seelysecurity.com.
You’ve been on Google’s radar (not to mention the Feds’) for about a year now. How much progress would you say they’ve made?
Until a couple of weeks ago, I would have said 0. When they shut down MapMaker, it was a huge victory for small business owners and consumers, being that MapMaker was a huge source of maps spam.
Hopefully, with the momentum that we have generated, we can get to the bottom of the problem and have Google see how big the problem is and decide to fix it.
Why hasn’t Google done more?
I think that they have an overall approach to technology and product development that involves using code, process and reduced overhead governing its development. Another main factor is that Google likes to “crowd-source” their information requirements, which require the public to contribute.
Google makes money in a variety of ways. Providing an amazing search engine, free email and other services that many people use, allows them to sell the end-users’ eyeballs to advertisers which generates huge money. MapMaker is a failed crowd-sourcing experiment that was plagued by bad data and ultimately bad security restrictions to prevent bad data.
Google doesn’t want to have manual oversight over things, they want to implement code, algorithms, processes and procedures to govern their systems which I completely understand. The problem is that they did not do enough, and they didn’t seem to take suggestions from anyone outside of the organization.
What has to happen for Google to get serious about mapspam?
Google would have to find a way to verify the data that they are getting and ensure that it is actually legitimate, instead of trusting 100% of the users that are contributing to their system.
I identified many more solutions in my book, Exposing Maps Fraud, which comes out in the fall of 2015.
Could an algorithmic solution help? Or does Google just need to require the type of owner-verification you’ve suggested?
I don’t think that it will be the right solution for this problem. If Google is not comparing the data to local or federal business data, how will there ever be accountability? The whole point of registering a business and getting a business license is for accountability and to protect consumers. When people bypass this process and register with Google, there is no way of holding them accountable, as Google doesn’t police or perform enforcement of any kind. Criminals are registering businesses on Google with no risk of being prosecuted, and Google’s stance has been “head in the sand.”
When you and I spoke the other day, you said the spam problem on Yelp isn’t nearly as bad as on Google (and I agree). Why is that, and do you think Google needs to be more like Yelp in some way?
Yelp seems to have more people involved in the verification process right from the start, plus they don’t seem to partner with other directory services like Google does. Google gets business information from a ton of other sources that have the same “bad data” and maps spam problems. When they all end up sharing this data, the problem compounds.
Yelp doesn’t seem to just accept data from these other websites blindly, and I think that is a big reason why their service by comparison is virtually spam free.
What is the absolute lowest thing you’ve seen a mapspammer do?
I have heard of a few guys that would make keys for unsuspecting homeowners and then rob them when the homeowners weren’t home weeks or months later.
There are so many different “lowest” things, but the harshest thing I can think of is that these criminal organizations are so good at manipulating Google’s ranking system that they put small business owners out of business to where they can’t even support their family. The American dream of working hard, building up a client base and providing for your family is being taken from thousands of small business owners all over the country. I think that is easily the lowest thing I can think of.
What’s an industry that’s way spammier than most people realize? (We all know about the infamous trouble areas, like the locksmith space, plumbing, bail bonds, etc.)
Garage door repair is one that was surprising, but the one that didn’t make sense at first was Drug and Alcohol treatment centers. The ones that you end up seeing on Google Maps are not actually real call centers or clinics, but sell the calls to larger organizations who don’t care where they get the calls from.
How many of the hardcore spammers are behind businesses that basically do a good job for customers – and aren’t really offline thieves?
I would say that 95% of the spammers build these fake listings, and sell the calls to legitimate business owners or provide a decent service. When violent crime starts happening, the lifespan of the spammers goes way down. It’s easier to not draw any attention to their fake network by performing a good service. If the consumer gets the service with no hiccups, then no one suspects anything is wrong. That’s how most of these organizations have stayed under the radar for so long.
How much of the really bad mapspam seems to be from for-hire SEO companies?
I think that these for-hire SEO companies make up 50% or so of the players at the lower levels. The largest organizations are not running legitimate SEO operations at all.
Like I said before, map spammers try to stay covert and under the radar otherwise they risk losing their fake listings or getting prosecuted.
Besides Google, who has really dropped the ball?
WhitePages, SuperPages and Dex Media are practically all spam. Those directories are more spam than actual businesses.
As to what the government and other organizations can do, I detailed a lot of that in the book.
I’ve always found that businesses outside the US are a little less likely to spam, but if they do, Google doesn’t crack down on them as much. How would you describe the mapspam problem outside of ‘Murica?
It’s very similar, but not as prevalent. Other countries have different regulations and business processes so trying to evaluate and learn all the laws of 200+ countries becomes very time prohibitive.
What are a couple of specific businesses you admire that are kicking spammy competitors’ butts from the high road?
One of the people that has been in this fight for a long time is Dan Austin. The problem with fighting spam is that there isn’t any money in fighting the spam. There are plenty of locksmiths that have been fighting against the spammers, Mark Baldino being one, but overall, it’s hard to beat these guys with Google taking their own side and doing virtually nothing.
You’ve talked about how spammers would buy fake Google reviews by the thousands. Has that situation improved at all, and what should Google do to clean up its reviews?
Most spammers are posting their own reviews using the same infrastructure they have for building the fake businesses. Some of them hire people overseas for a much cheaper hourly rate, or just pay local people to do the work. Most of the time, spammers realize they can get away with writing very lazy and sloppy reviews because the amount of time it takes to put effort into real looking reviews is quite high. It’s not that hard to write a 4 word review that says “Service was great, thanks!” vs a paragraph with sincere words.
Are those “reviews” obvious fakes, or are they pretty believable to the untrained eye?
Most of the time, fake reviews are very easy to spot. The easiest way to spot fakes is by looking at all the reviews on a specific business. If you see 10 five star reviews that are very vague or similar, and then several 1 star reviews that are much more detailed, you have probably found a map spammer. Real consumers will feel lied to and will often times leave a 1 star review to show that they are dissatisfied with the service. When the fake business performs well, there won’t be many bad reviews at all, so that makes them harder to spot.
(Phil note: read this great old post by Nyagoslav on how to sniff out fake reviews.)
What’s your reviews-strategy advice?
Make a point of asking politely for a positive review at a specific point once the service has been rendered. Provide a great service, and tell them that you value their reviews and it will help fight against the fake spammers.
Telling consumers that this problem exists and that you are fighting against it helps to get the appropriate willingness to help.
There are many rules when it comes to asking for reviews / offering discounts in exchange for them. I would encourage business owners to understand them and follow them.
What’s your advice to business owners who are up against spammers? What steps should they take?
Get organized, and find time every single day to flag the spammers, but only after you have determined that they are not legitimate. Checking with local / state directories to make sure that you are flagging illegal businesses is critical.
You wouldn’t want to flag a real business just because you think they might be spam.
I will be launching a service that helps business owners with this process, and saves them the time of flagging and checking whether or not the business is legitimate.
How about your advice to local SEOs?
Don’t fall for the temptation of resorting to black hat or grey hat techniques to get ahead. The stress on me built and built and nearly cost me everything.
Do good work, beat the streets and deliver results. Read more about the products you are working with, learn the techniques you need and apply them without taking shortcuts. Eventually “karma” catches up to everyone, and I would encourage everyone to abide by the rules.
I was a part of the problem in one industry and now I get to fight against it in all of them. I will not turn a blind eye when I see someone being taken advantage of.
What kind of simple due-diligence should consumers do every time they’re researching local businesses?
You should be able to look up the business name, DBA name, and key business information in a state business license search when trying to ascertain the legitimacy of a business. This is the first place to look.
Check to see if the business actually exists at the location it proclaims to be at.
Remember, sometimes there are typos or a business has a trade name or other things that might look fraudulent, but it could just be a mistake. You don’t want to take down a real business owner’s livelihood because you are angry. The cycle has to end.
How can someone reading this join the fight against mapspam?
Join my mailing list at seelysecurity.com to receive information about how you can fight against map spam, and follow me on Twitter @bryanthemapsguy
What are some posts / books / other resources that anyone concerned about mapspam should read?
My TEDx talk “Wiretapping The Secret Service Can Be Easy & Fun”
The first Komo story I was part of (link).
Stay tuned for the only book on the subject, coming out soon.
I know you do a lot of cybersecurity consulting that has nothing to do with mapspam. What’s some cybersecurity advice you have for anyone reading this?
Passwords! You don’t have to make them hard to remember, just make them as long as possible. For example: P@ssw0rd!%123. That is a hard-to-type password, and hard to remember. This one is harder to break, but easier to remember: Mydogcannotplaytheharmonicaworthadamn!123. You can use phrases instead of keywords, and computers are trained to substitute numbers and symbols for letters when cracking passwords. The longer the password is, the harder it is to crack.
Use 2-factor authentication on Gmail, Dropbox, or whatever services that you use online. Period.
Don’t shop online or do banking on public wi-fi, like at Starbucks. Just don’t.
Change passwords on your home devices like you would change your oil, regularly.
Update your antivirus software and don’t download stuff from people you don’t know. That’s the 2015 version of “don’t take candy from strangers.”
Most of the places you are getting malware and spyware come from websites that are the result of searching for pirated software, pornography, or “earning money working from home,” etc. These websites try to lure you into downloading their “coupon printer” or money saving toolbar which ends up being a virus or something. Word to the wise: stick to the main road.
You’ve mentioned that you’re concerned about people’s online privacy (or lack thereof) in general. What battles are you fighting on that front?
Right now, a couple of startups that are in the early stages of product development that will be hyper focused on consumer privacy and advocacy.
Tell me about the book you’ve got coming out.
The book details the entire ecosystem of fraud and scamming that is happening in the online maps world. Google Maps, Bing, Yelp, and the various other websites that you use to find local businesses are not the convenience and safe havens for innovation that most people see them as.
Spammers have found numerous ways to game the system and make a ton of money in the process. They are taking advantage of consumers, business owners and no one is really doing anything about it. I talked about it in the TEDx talk back in April, and the book will address all of the various pieces, how it works, and even detail HOW the scammers are doing it.
The hope is that Google and other websites will have to take action to fix this once and for all, and consumers and business owners will stop losing money, time, and their livelihoods.
As a Devil Dog, you support your fellow Marines and veterans. What’s the best way for someone reading this to help out?
To help with Marines and other veterans, there are a number of places I would suggest donating your time and/or money:
The Wounded Warrior Project (woundedwarriorproject.org)
Donate your time to the VA (volunteer.va.gov)
(Phil note: there’s also my Visibility for Veterans program.)
Can someone reading this hire you to help in any way?
I am available to be contacted via email (bryan@seelysecurity.com) or you can fill out a contact form on seelysecurity.com.
My main business focus is cyber-security consulting, which involves “ethical hacking”, PCI and compliance auditing, as well as doing infrastructure and project based work as well. I have been a high end voice over IP (VoIP) guy for a while, as well as a network engineer and consultant for a while, so whether it’s deploying something new, upgrades, or troubleshooting, I am pretty comfortable with just about anything you can throw at me.
Lately I have been getting a wide variety of work, especially “I have been hacked, can you help” type stories. People see me on TMZ or other outlets and reach out with questions, and I am more than happy to answer.
By the way, on June 24th I will be teaching a cyber-security workshop at the Global Fund Forum in Bermuda. Feel free to connect with me there, if you’re planning some shore leave in Bermuda 🙂
—
Thanks to Bryan for a great interview. I suggest checking out his site, getting on his email list, and following him on Twitter.
He can even make you a snazzy “Edward’s Snow Den” t-shirt.
Any questions? Got a painful mapspam story? Leave a comment!