While many professionals will claim that this particular attack vector is not related to Negative SEO, because it takes place solely on third-party services, there are defined negative SEO ramifications for the victim’s website. We’ll get into these in a moment.
While effective action of this type against a target company will usually take some thought and preparation, the consequences of a concerted directory editing campaign can effectively cripple the target company’s visitor traffic and revenue from the affected directories.
Because the ultimate aim of this attack vector is to carry out unauthorized and negative changes to your target’s business and website listings on third-party sites and directories, there are usually some prerequisites which need to be in place before you can confidently initiate your attack.
For the purposes of this guide we will use the “Google My Business” (GMB) system, since it’s easily the most compromised and vulnerable against Directory Edit Attacks.
Breakdown of a Directory Edits Attack:
Step #1: Preparation
The level of preparation required for this vector will largely depend on the type of edit you’re planning to make. If you’re planning to do something simple, like moving a local business’ Google Maps Pin, then all you need is a sufficiently high rank as a Google Local Guide¹ and maybe a way to competently Photoshop images and/or rewrite/spoof image EXIF Data.
If, on the other hand, you want to change vital details on your target’s business listing, such as website URLs or phone numbers, you’ll need to get a little more creative, since Google now requires a certain level of “ownership verification” before it lets people make arbitrary changes to a Google Maps Business Listing.
With that said, circumventing this step is still laughably easy with a little thought and creativity, at least when it comes to messing with ordinary, local business listings².
As with our other deep dives into the various Negative SEO Attack Vectors, we won’t be going into detail about the means by which Google’s ownership verification setup can be negated. ArcLite SEO Solutions is raising awareness, not trying to produce easy to follow “How to…” guides.
Suffice it to say that we’ve conducted successful tests within the month preceding the writing of this piece.
Step #2: Changing Your Target’s Google Maps Listing
By far the easiest and most common and effective way to torpedo a competing business in the Google Maps ecosystem is to create a large number of Negative Reviews. However, this vector will be covered in its own separate guide, so we’ll focus on the actual editorial aspects of this particular attack vector.
Here, the most frequent approach is to move a competitor’s Google Maps pin to a wrong location. A pin-move to even the next street over can have a huge impact on any company which relies on foot-traffic for revenue. Another favorite approach is to post photos containing the attacker’s own contact details onto the target’s “My Business” listing.
Less common but arguably far more detrimental are the “Listing Hijack” attacks which take full control over the target’s Google My Business listing, and change vital contact information to that of a rival business or spam/phishing operator.
Imagine for a moment how much revenue will be lost by a company which relies on web traffic or phone calls through Google Maps, if an attacker changes the website URL or contact phone number in the GMB system itself.
There’s no question about “Directory Edits” becoming a Negative SEO attack vector at that point.
Defending Your Business Against a Directory Edits Attack:
As is the case with most NSEO attacks, there’s no real way to reliably prevent them, in most cases.
Worse still, it can and usually does take months to undo the damage done by this type of attack, since the Google Maps system is notoriously sluggish and rigid when it comes to correcting malicious actions which take an attacker comparatively little time to conduct.
Even doing something as “simple” as correcting an incorrect maps pin or removing spam imagery from your listing is a protracted and frustrating process.
About the best preventive action to take is to keep close track of your GMB listing for pin, website, phone number changes, etc. and to train your staff not to approve every “GMB Listing Ownership” request which hits their inbox.
While you have full control over your listing, you at least have some way to remedy the damage. If you lose control over it, trying to regain ownership can take months, and most businesses can’t survive that long.
On that note, we’ve seen a pronounced rise in “Google My Business Listing Hijack” and “GMB Listing Suspension” attacks during the course of 2024, mainly carried out by much larger competitors against smaller ones.
This trend alone should make keeping control over your Maps Business Listing a top priority for any small and medium business owner/operator.
¹ Level 6 or above will usually be sufficient.
² It’s perhaps needless to say that small and medium local businesses are by far the most affected by this type of malicious directory editing, and that attempting this type of attack against a large, regional or national company will be futile.