Personal Tech

'Google cannot stop it, control it or curtail it...' Inside the murky world of fake addiction treatment center search spam

Is that listed phone number going direct to a professional or a call center?

Special report Addicts seeking substance abuse treatment are being deceived by phony medical clinics advertising on Google's business directory system – and the web giant seems unwilling or unable to fix the issue.

An investigator who asked to remain anonymous provided The Register with research detailing online advertising in the substance abuse treatment industry, including a review of Google search results listings and how they're informed by Google My Business data, which companies provide about themselves to identify their store locations and hours. It appears that many of these are just front organizations, intended to pick up people desperate for care and with the insurance to pay for it.

In terms of Google search ads, the substance abuse treatment industry – alcohol and drug detox facilities – is governed by standards set by Google, a contracted certification body called LegitScript, and a trade group, the National Association of Addiction Treatment Providers, because addiction can have serious health consequences, particularly when complicated by bad information.

The data provided to The Register suggests search results pages related to substance abuse are filled with bogus listings created by lead-generation companies – marketing firms trying to attract clients for addiction treatment. The idea is to get potential clients to call one of these fake treatment centers so the call can either be routed to a spammer-affiliated facility in the local area – or sold to a local provider.

In effect, spammers flood legitimate facilities off the map by blanketing the search results with fake listings that ultimately lead back to just one or two centers that actually physically exist. Thus, when someone tries to turn to a professional for help with their addiction, they invariably walk into the arms of the spammers.

Fakers are winning out

Among Google My Business (GMB) listings, which surface in the Maps and local searches, the top 20 results on June 3, 2020 for the keywords "alcohol detox," according to our source, included eight real businesses and 12 fake ones. Among the top seven, the most likely for users to engage with, only two were real.

The investigator, and another researcher who asked for anonymity due to lack of authorization to speak to the press and concern about spammer retaliation, identified more than 500 Google My Business spam listings in the substance abuse treatment market. These have been reported to the internet advertising goliath, and some have been removed though more are expected to follow.

Examples of spammy Google Maps search results for treatment clinics in the US, annotated by a Register source ... Click to enlarge

Every spam listing that buries a legitimate organization lower on the search results page does at least some economic harm to the affected outfit, and has the potential to steer vulnerable patients toward subpar care.

Looking more specifically at 136 treatment providers in America – scattered across Orlando and Miami in Florida, Columbus in Ohio, Colorado Springs in Colorado, and Seattle in Washington – 11 were not certified but nonetheless advertising with Google Adwords, many with outdated LegitScript seals on their websites – LegitScript's seal is programmatically generated by a JavaScript call to LegitScript server and thus should not be an outdated static image.

This is not a new problem for Google. Last year, The Wall Street Journal reported on the millions of fake listings littering Google Maps, and the problem dates to at least 2007.

Nor is it new to the substance abuse treatment industry. In 2001, before most people had heard of Google, shady marketing practices for detox centers showed up in the Yellow Pages – for our younger readers, the Yellow Pages was a printed listing of businesses.

In a phone interview with The Register, Joe Youngblood, a digital marketer who runs an SEO firm based in Texas, said Google has never really taken local search seriously. When former exec Marissa Mayer went from veep of search to veep of local listings, he said, the view among industry insiders was that she'd been put in the dungeon.

"I think Google cares, I just don't think they care enough," he said.

To demonstrate the gap between Google Maps listings and reality, the investigator presented The Register videos, images, and screenshots related to a substance abuse treatment company called White Sands Treatment Center, which is based in Fort Myers, Florida, and has multiple locations throughout the state.

The investigator's materials, right now being reviewed by LegitScript, document three White Sands locations – Longwood, Winter Park, and Orlando in Florida. They show decidedly different facilities than those depicted in the pictures uploaded to Google My Business listings. This doesn't necessarily impugn the legitimacy of all White Sands facilities, but it suggests a violation of Google's advertising policies. The Longwood facility, for example, appears on Google to be a sizable office building.

White Sands' Longwood location on Google Maps

The investigator's material indicates the facility is one of 11 offices in the building: suite 101, a 380-squarefoot space renting for $649/mo. What's more, the investor's video includes an interview conducted in June 2020, with the tenant next door, an employee for a chiropractor's office, who denies having seen anyone at the White Sands Longwood office since it opened in September 2019.

The situation is similar at other two locations, where what's advertised does not match the actual facility. The investigator's conclusion is that these locations do not provide the level of substance abuse treatment they claim, and that they appear to exist for lead generation – so people using Google Search and Google Maps will find the listings, call the advertised number, and be routed to another facility or provider.

Follow the money

Lead generation – attracting new customers – is particularly profitable in the substance abuse treatment industry, where clients looking for help with their addiction can be worth tens of thousands of dollars over the duration of treatment. Buying related keywords can be expensive – about $22 per click for "alcohol rehab" currently – and a sales lead or conversion can cost hundreds of dollars. The investigator we spoke with put the cost of purchasing a call from an interested client at $400 recently.

As a result, there's a strong financial incentive to game Google's systems to attract customers. Many companies do so legitimately, through Google-approved search engine optimization practices (SEO); others so by means of deceptive SEO, which involves spamming search listings and related practices.

The Register tried to contact White Sands Treatment Center to ask about how its facilities appear in Google search results. A call to the general number went to voicemail and remains unanswered. A call to the admittance number led to being forwarded to the voicemail of a woman who said she had left the company in June.

The researcher who helped gather and analyze the materials we reviewed claims that White Sands has engaged in a pattern of policy-violating SEO – spamming – to get people to call its facilities. Our source alleges that there are multiple purportedly independent treatment center websites appearing in Google search results that simply generate leads for White Sands, thanks to OverTheTop SEO – OTT lists White Sands as a client on its case studies page.

As an example, the investigator cited a search in Columbus, Ohio, that led to a listing titled "Alcohol Withdrawal Detox Center of Ohio," which since being identified appears to have been taken down. The investigator claims the address is actually a residential condo and the number accompanying the listing, when called, was answered by a White Sands representative in Florida.

When we tried calling the number, a voice message said to hold for an addiction treatment specialist. The person who answered said he was in Florida but insisted he wasn't with White Sands, without identifying any actual corporate affiliation. The Register tried to contact OTT SEO to ask about its SEO practices but no one has responded to our inquiries.

We asked the National Association of Addiction Treatment Providers whether it could provide any insight into White Sands, a National Association of Addiction Treatment Providers (NAATP) member. Peter Thomas, the association's director of quality assurance, said the organization could not discuss individual centers but acknowledged that deceptive marketing practices have been a major problem in the past few years.

"We’ve made significant progress in this area, and also recognize there is much more work to be done," he said in an email. "Many of the practices we were seeing have subsided, but with that, we see a handful of companies shifting their practices to exploit new loopholes or evade detection.

"It is sickening that in a field dedicated to helping people, there are those who continue to exploit a vulnerable population for personal enrichment, and by doing so not only undermining the recovery of those directly impacted, but also erode public confidence in the field making it less likely that those who need treatment will seek it."

Look, we're trying

A Google spokesperson told the The Register the company receives 20 million content contributions every day, and in 2019 removed more than four million fake business profiles due to "refinements in our machine learning models and automated detection systems." The search giant also said it removed more than 258,000 user-reported business profiles and disabled more than 475,000 user accounts.

The Register asked Google whether it could provide details about the rate at which fake profiles are being created, which would provide more insight into whether progress is actually being made. We've not heard back about that.

In any event, the spam continues. The researcher we spoke with said, "The major issue with this sort of spam is that Google cannot stop it, control it, curtail it, or keep their platform protected at all."

Earlier this month, there were reports that spam promoting dubious garage door businesses is out of control:

Last year, it was locksmith store spam. And car accident lawyer spam.

In a post about the situation, Doug Bradley, who runs a legal market SEO firm, noted that Google eventually cleaned up the car accident attorney spam listings, but left his main question unanswered: "How is it possible that these listings often make it into the top '3 Pack' of Google local results, displacing legitimate law firms who’ve been around for decades?" he asked.

Content policing problems extend beyond Google's ad ecosystem. Malware is a persistent issue in the Google Play Store, and the Chrome Extension ecosystem has been rife with abuse, too. All the major social media platforms, like Facebook and Twitter, wrestle with the issue, without much success.

Part of the problem is unwillingness to hire enough employees to impose a degree of order that automated systems have been unable to provide. Chrome Extension developers have gone so far as to propose unionizing, and lately have asked Google to implement paid support because they're tired of being ignored.

In advertising, where Google makes the vast bulk of its money, the financial resources for hiring staff are there. And yet the Chocolate Factory invests elsewhere.

Pay peanuts...

Youngblood observed that much of Google's customer service for its ad products comes from volunteers who post to the Google product forums. Local SEO agency owners, he said, volunteer to help people with reporting abuse but there are limits to what they can do. Google maintains that most of its business search listings are fine, even as it acknowledges there are problems.

"We know a small number of bad actors try to game our platform by adding fake business listings," Google's spokesperson said. "While fake business listings are a small percentage of the overall business profiles on Google Maps, we take the issue very seriously and monitor closely for scams, especially as it relates to sensitive business types such as healthcare facilities.

"As we shut bad actors down, they change their techniques and we adapt our responses, using a combination of people and technologies to detect and remove unwelcome content.

"While we’re constantly improving our automated systems, we know they’re not perfect as fake listings can slip through from time to time. So we also deploy teams of trained operators and analysts who audit Business Profiles and contributed content both individually and in bulk. We also provide a way for anyone to flag misleading places for removal."

Google's answer echoes Facebook's response to hate speech – we're not perfect but we're working on it. Yet those interviewed by The Register aren't asking for perfection; they want enough effort just to move the needle.

"I believe people continue to utilize these [rule violating] techniques because it's low effort coupled with very high rewards," said Itamar Blauer, a digital marketer based in the UK, in a message to The Register. "The ease of changing a verified GMB listing's name to include keyword spamming, for instance, seems to always be given the green light through the systems, and I believe this is part of the reason why instances like these are so prevalent."

Blauer said the GMB system is very easy to rig, noting that not long ago there was even an exploit that allowed third-parties to remove the listings of verified business owners. Back in 2017, The Philadelphia Inquirer wrote about how this exploit was used to hijack business listings in Google searches from patients seeking addiction treatment.

"For as long as I can remember, these 'black hat' practices are still working, and Google doesn't seem to have an answer to these quick wins that actually thread the needle," said Blauer.

Peter Thomas, with NAATP, insisted in a phone interview that there's been significant progress in the substance abuse treatment industry over the past three years. "The biggest challenge is a handful of bad actors," he said. "It's become a bit like Whac-A-Mole. We see a problem, we address it, and there's a shift to new tactics."

For years, the internet giants have held on dear to their get-out-of-jail-free card. Here are those trying to take that away


Thomas acknowledged that much of that progress depends on Google, noting that about 90 per cent of internet searches for treatment go through Google Search. "I would say the biggest challenge is there's not a lot of transparency in what Google does or what they're doing," he said.

As an example, he pointed to Google's decision to put a listing for the US government's Substance Abuse and Mental Health Services Administration (SAMHSA) website at the top of organic search listings related to substance abuse treatment. A spokesperson for SAMHSA was not available to comment.

"We found out about it after they rolled it out and there are major flaws in the system," he said, reprising complaints from people we spoke with about the promotion of a government website in webpage real estate coveted by legitimate treatment providers. With most searches now being done on mobile devices, the SAMHSA banner topping the page, and the map listing after that, Thomas said, "it incentivizes bad practices." He characterized the SAMHSA placement as "a step back, even if it was implemented with the best intentions."

Intentions aren't enough. Google clearly intended to make it more difficult to create fake business listings by giving business owners the option to verify listed addresses by responding to a postcard sent to the address.

According to Youngblood, local classified websites like Craigslist regularly carry ads offering to pay people to use their home address, which then becomes part of a fake business listing. The ads ask the address owner to receive a postcard from Google and to take a photo of it and send it back. So much for verification. If anyone at Google wrote code with that kind of lax error checking, they'd hear about it from a manager.

To illustrate the tepidness of Google's response to GMB spam, Youngblood pointed to GMB Scanner, a Chrome extension created recently to flag inconsistencies in GMB address listings. Google, he said, easily could have implemented something like that but it hasn't.

Thomas said it's important to keep in mind that those spamming business listings only represent a small portion of the industry and should not discourage people from seeking care that they need.

"We've seen that algorithms and people have the same shortfall: Every time there's a change, bad actors work around it quickly and it takes time to catch up," he said. "Really, the solution is bringing addiction treatment in line with other healthcare fields where these practices are unacceptable." ®

Send us news

It's 2021 and a printf format string in a wireless network's name can break iPhone Wi-Fi

Hope no one's created guest networks called '%Free %Coffee at %Starbucks'

Joining a Wi-Fi network with a specific sequence of characters in its SSID name will break wireless connectivity for iOS devices. Thankfully the bug looks to be little more than an embarrassment and inconvenience.

On Friday, Carl Schou, a security researcher in Denmark, reported that his iPhone lost its Wi-Fi capability after attempting to connect to a Wi-Fi network named "%p%s%s%s%s%n".

The offending name is made up of good old C language printf()-style string format specifiers. On iOS, they are handled by Apple's open source CFString framework, available to those writing Objective-C or Swift applications. CF stands for Core Foundation; CFString is a C API in macOS and iOS.

Continue reading

Ex-NSA bigwig Chris Inglis appointed America's national cyber director by Senate

Plus: Impact of ransomware payments, CVS database not secured

In brief Chris Inglis was last week appointed America’s national cyber director, responsible for coordinating the government’s computer security strategy and defending its networks. The former deputy director at the NSA, who spent nearly three decades at the agency, was approved by the Senate on Thursday.

The United States has been lacking a government computer security chief since President Trump eliminated the position of cybersecurity advisor to the National Security Council in 2018, then held by ex-NSA exploit extraordinaire and Christmas lights enthusiast Rob Joyce. Inglis’s appointment bodes well for Jen Easterly, a similarly experienced candidate for the job of Director of the Cybersecurity and Infrastructure Security Agency (CISA).

The Biden administration has made online security a priority — or at least announced it as such by executive order. How effective this will be remains to be seen, but the Senate moving for experts rather than partisan hacks is an encouraging sign.

Continue reading

EU court rules in Telenet copyright case: ISPs can be forced to hand over some customer data use details

Belgian firm must produce the IP addresses of BitTorrent users

Europe’s top court has ruled ISPs can be forced to hand over the details of customers who are alleged to have downloaded material illegally online - but only if they meet certain criteria.

That’s the latest judgement in another case involving Cyprus-based Mircom International Content Management Consulting, and Belgian ISP Telenet.

The complex case - which involves a number of legal arguments - appears to pivot on the balance between enforcement of IP rights and the data protection of the individuals accused of infringing them.

Continue reading

What's that hurtling down the Bifröst? Node-based network fun with Yggdrasil 0.4

Ragnarök and roll: Release Candidate boasts significant improvements on 0.3

Version 0.4 of the Yggdrasil networking platform is imminent, bringing with it improved performance and routing.

Currently at the Release Candidate stage, version 0.4 is quite a different beast to its predecessor. This means that a configuration backup would be a good idea since v0.4 nodes will not peer with v0.3 nodes. "We will be wiping the public peers list around the time of release as a result," said the project's Neil Alexander.

Continue reading

Germany's competition watchdog to investigate whether Apple's ecosystem damages other businesses

Joins queue of regulators peeking into iOS walled garden model

Germany's competition watchdog, the Bundeskartellamt, today said it has opened a preliminary investigation into Apple's grip on the market and its walled garden ecosystem.

The Bundeskartellamt said it seeks to determine whether Apple is "of paramount significance" across the various markets it caters for with its services including the App Store, Apple Music, iCloud, and others.

"An ecosystem which extends across various markets may be an indication that a company holds such a position. It is often very difficult for other companies to challenge such a position of power," the watchdog said.

Continue reading

'Lots of failed startups came out of Campus': Google axes London hub because startup scene 'doesn't need' another 7 floors of workspace

It needs 'resources, mentors, and programs ... at scale, anywhere'

The COVID-19 pandemic has claimed another casualty: Google Campus, the flash Shoreditch startup hub launched in 2012 to grow London's tech scene.

Google said the pandemic had "demonstrated" it could somehow support the startup community without occupying a seven-storey building in the heart of Central London. The shift to remote working, it added, had allowed it to support fledgling businesses beyond the perimeter of the Tube network.

Continue reading

Final guidance on Schrems II ruling: Data from EU could be held up if a third country lets authorities access it

We're looking at you, Uncle Sam

The European Data Protection Board (EDPB) has finalised its guidance to businesses in how they should proceed following the Schrems II ruling which struck down the Privacy Shield data-sharing arrangement between the EU and the US.

In its final version of the recommendations [PDF] on supplementary measures to accommodate the ruling, the EDPB said the transfer of data could be impinged on if legislation in a third country allows authorities to access data transferred from the EU, even without the importer's intervention.

In the Schrems II ruling, named after Austrian privacy activist and lawyer Max Schrems, the EU Court of Justice said that Section 702 of the US Foreign Intelligence Surveillance Act together with a US presidential order and a policy directive on data collection by spies failed to meet EU data protection requirements.

Continue reading

The great fire sale continues as Capita sells government joint venture Axelos for £380m

It's the longest day of the year

Its work with the UK government has once again proven a boon to troubled outsourcer Capita. The business said today it would sell Axelos – the joint venture set up with the Cabinet Office in 2013 – to assessment and certification outfit PeopleCert for £380m.

The sale of Capita's 51 per cent stake in the JV should mean it can trouser £172.5m once all done and dusted.

For Capita, the cash will be used to strengthen the company's balance sheet, pay off some debt and help fund the ongoing running of the operation.

Continue reading

Do you want to become a vulture? Now's your chance to join The Register's news desk

We are hiring a FOSS expert who can pick apart a cloud giant's latest API

Ever wanted to fly with the vultures in the editorial department at your favourite daily tech publication? The Register is seeking a full-time journalist to cover the world of free and open-source software, from its development and curation to its orchestration and deployment as a service in the cloud.

A successful applicant will be expected to write a mix of daily news articles and monthly in-depth pieces, alerting readers to crucial information they need to know and guiding them through technologies they ought to master. Their writing must be clear, accurate, fair, and submitted on time.

They should be able to talk to our audience of millions of IT professionals through the pros and cons of a cloud giant's new API offering, explain the impact of a security vulnerability or the underlying cause of a bug, and be able to interview engineers and CTOs to find out how products work – or don't work – as advertised.

Continue reading

VMs were a fad fit for the Great Recession. Containers’ time has finally come

No more managing operating systems and monolithic apps? Where do I sign!

Register Debate Welcome to the latest Register Debate in which writers discuss technology topics, and you – the reader – choose the winning argument. The format is simple: we propose a motion, the arguments for the motion will run this Monday and Wednesday, and the arguments against on Tuesday and Thursday.

During the week you can cast your vote on which side you support using the poll embedded below, choosing whether you're in favor or against the motion. The final score will be announced on Friday, revealing whether the for or against argument was most popular. It's up to our writers to convince you to vote for their side.

This week's motion is: Containers will kill virtual machines

Continue reading

Hubble Space Telescope sails serenely on in safe mode after efforts to switch to backup memory modules fail

Have you tried turning it off and on again?

Updated The Hubble Space Telescope has continued to resist efforts by NASA last week to bring its payload computer back online.

It has now been more than a week since the computer halted on Sunday 13 June. An attempt to restart it the following Monday failed with initial indications pointing to a failing memory module.

At the time, a NASA spokesperson told The Register that the veteran telescope only required one of its four memory modules and so planned to swap to a backup module in order to resume operations.

Continue reading