As a business owner, the last thing you want is for a potential customer to search Google for your business and find a lewd image.
The way your website appears to searchers is incredibly important to your brand reputation and trustworthiness. Search engine optimization (SEO) professionals constantly experiment with ways to satisfy Google’s secret and mysterious algorithm.
While some professionals study SEO to improve their content and play nice with Google, SEO can be used maliciously. We see this most evidently with website SEO spam infections. Black hat SEO aims to manipulate Google’s algorithm to improve rankings or harm competitors.
Malicious Image in Google Business Listing
A client recently submitted a malware removal request to have us clean up their site. After our incident response team conducted a full review, we were unable to find malware on the site.
When we asked the client for more details, they told us about an image coming up in Google next to their website.
The team confirmed the image wasn’t hosted or linked on the client server.
As the resident SEO at Sucuri, I was asked to assess the situation and offer advice.
Removing an Inappropriate Image from Google
The image was coming up in the Google Maps Images section for the business. This section is part of the Google Places API, governed by Google My Business (GMB).
To remove the image from their business listing, I immediately flagged the image as inappropriate in Google Maps. According to the customer’s ticket, the team had already done this. Just like any abusive content, anyone can help out by using the flag icon or the “Report a problem” link in Google Maps. These reports take time for Google to manually review.
As a business owner, you can take these steps:
- Log in to Google My Business (or sign up).
- Go to Locations and pick the business in question.
- Click on the Photos section.
- Review and remove any unwanted photos.
Let’s look at why this happened, and what you can do to prevent it.
The Knowledge Graph
Google uses machine learning to collect facts, data tables, and media assets that improve the quality and relevance of their search results. This is evident in the way Google continues to show more featured snippets, carousels, and business listings. The aim of this is to help users quickly find what they are searching for using rich media.
When it comes to people/places/things, Google maintains a massive database to draw from. Here is how Wikipedia describes it:
The Knowledge Graph is a knowledge base used by Google to enhance its search engine’s search results with semantic-search information gathered from a wide variety of sources.
The knowledge graph includes a lot of the organic content you see in the sidebar on Google Search. This includes rich content and data, for example Google Maps, Wikipedia snippets, and “People Also Search For” boxes.
In order to abuse this aspect of Google search, the bad actor would have to find a way to plant an image in the Knowledge Graph.
User Generated Content
One of the strengths of Google’s Knowledge Graph is that it accepts user-generated content. We see this most evidently with ratings and reviews in Google Maps.
Maybe you already know this, but anyone can upload images to Google Maps.
The web spam team at Google does a fantastic job of combating SEO spam and flagging hacked sites. This keeps their users safe. When it comes to images, there isn’t as much risk to their users.
Google is satisfied with allowing an algorithm to choose an appropriate Google Maps image, which includes photos taken by users. Sometimes Google will show the most recent photo in its Knowledge Graph, which was probably the case for our client.
Protecting Your Google Maps Images
Much like Google Search Console, Google My Business (GMB) is an important tool for any website owner with a local business.
First, make sure your business is verified with Google My Business and regularly check the Photos section for unwanted images. You should also add multiple photos of your business to all 4 sections:
- Identity photos
- Photos at work
- Team photos
- Additional photos
Second, make sure you have a profile photo for your company’s Google Plus page. Many businesses use their logo, but unfortunately these do not pass Google’s local image submission guidelines. This algorithm will also favor real-world images over stock photos. As long as your photo passes the guidelines, the Knowledge Graph will favor the Google Plus profile photo over user-generated photos.
In many ways, this is a lot like defacing a website. The intention is to tarnish the reputation of the victim; there is no monetary benefit for the attacker. It might be a competitor who did this, but likely it’s just a kid with nothing better to do.
It’s possible that an attacker could automate the process of defacing Google Business listings by using the Google Places API to submit photos. Like with SEO spam, the attacker could send fake hits to the spam images, which makes it seem like they are popular with Google users.
In fact, Google My Business just launched new Insights for Google Maps Photos to give business owners some data about image views, including benchmarks against similar businesses. This indicates that Google puts some emphasis on user activity, which may influence which photos show up next to your business.
As someone who tries to help people understand SEO spam and protect Google Analytics from referral spam, this makes me wonder what’s next for web spam. If you have thoughts about this, I’d love to hear them. Tweet us @sucurisecurity or me @artdecotech!