Feature: How to hijack a journal

Davide Bonazzi/@ Salzmanart

Feature: How to hijack a journal

Even by the standards of Internet scams, the scheme is brazen. According to a tip sent to Science, fraudsters are snatching entire Web addresses, known as Internet domains, right out from under academic publishers, erecting fake versions of their sites, and hijacking their journals, along with their Web traffic.

Website spoofing has been around since the rise of Internet search engines, but it’s only in the past few years that scholarly journals have been targeted. The usual method is to build a convincing version of a website at a similar address—www.sciencmag.org rather than www.sciencemag.org—and then drive Web traffic to the fake site. But snatching the official domain is an insidious twist: Unsuspecting visitors who log into the hijacked journal sites might give away passwords or money as they try to pay subscriptions or article processing fees. And because the co-opted site retains the official Web address of the real journal, how can you tell it’s fake?

After the tip came in from Mehdi Dadkhah, an information technology scientist based in Isfahan, Iran, Science put me on the case. Not only did my investigation confirm that this scam is real, identifying 24 recently snatched journal domains, I discovered how the hijackers are likely doing it. The only hard part is identifying vulnerable journals. Once the targets are identified, snatching their domains is easy. To test my theory, I snatched one myself. For a day, visitors to the official Web domain of an academic contemporary art journal based in Croatia were redirected to Rick Astley’s 1987 classic music video, “Never Gonna Give You Up.” (The editors there weren’t upset when they learned of the switch because the journal was already moving to a new domain.)

This new style of journal hijacking can flourish only when journals are careless about website administration and security. But the few cases so far should sound an alarm, publishing experts say. “Other businesses invest heavily in cybersecurity, and scholarly journals will necessarily need to follow,” warns Phil Davis, a former university librarian who is now a consultant in the scholarly publishing industry. “There is a lot more than just money at stake. Reputations and trust are on the line.”

LONG IGNORED by the criminal underworld, academic journal websites are finally getting noticed. One reason is the sheer scale of today’s online publishing—more than 2 million digital articles were published by more than 20,000 journals last year. Another may be the money changing hands. Most of this $10 billion industry is still tied up with subscriptions, paid primarily by libraries, but a growing slice comes from gold open-access publishing, the business model in which authors of accepted papers pay up front for their publication. This part of the market took in about $250 million last year and is on course to double in a few years. That cash flow and the amateurish website administration of many scholarly publishers make for juicy targets.

Jeffrey Beall, a librarian at the University of Colorado, Denver, who tracks abuse in scholarly publishing, has so far identified 88 journals that are facing competition from fake imitators on different websites. “The list keeps growing,” he says. But snatching a journal’s actual Internet domain is a new twist—one Beall wasn’t aware of until Science alerted him to the practice.

Until domain-snatching came along, journal hijacking was easy to spot. You just turned to a trusted list of reputable journals, such as Web of Science. Curated by Thomson Reuters, it lists the International Standard Serial Numbers (ISSNs), titles, and Web and postal addresses of more than 12,000 publications. If the Web address of an online journal matches its official record on Web of Science, then you could be confident that it’s the real deal. No longer: There is no simple way to identify a journal that has lost control of its own Web domain.

Dadkhah has been investigating journal fraudsters ever since he himself was duped in 2013. Ironically, it happened as he sought to publish his master’s thesis research on Internet security. Like countless researchers, he received a spam email inviting him to present his research at a scientific conference for a fee of $600. It was a large sum for him, but the organizers promised to publish his work as part of the conference proceedings in a journal that was indexed by Thomson Reuters. So he paid up.

Then things took a strange turn. The conference was “virtual,” with no real-world gathering—in fact no conference happened at all. And the publication? It turned out to be a cloned version of the real journal on a different website. Dadkhah made a stink and eventually got his money back—a rare escape.

Since then, he has become one of the go-to experts on journal fraud. Recently, disgruntled authors began approaching him about a new scam. Euromed Communications, a publisher of biomedical journals and books based in the United Kingdom, may have been the first target. The trouble began a few years ago when the company’s founding director died of cancer. During the management reshuffle, a $10 bill went unpaid: It was the annual registration fee for the company’s Web domain. “We tried to reregister it but it was too late,” says Peter Hall, the company’s new director. “Someone had already snapped it up.”

Since then, Euromed Communications has transitioned its publications to a new domain. Things went smoothly until June of this year. “We started getting emails from angry researchers,” Hall says. The researchers claimed to have paid the subscription fee for one of the company’s publications, a pharmaceutical industry trade journal called GMP Review, through the official website but received nothing in return.

Sure enough, GMP Review had been hijacked. Even today, the top hit in a Google search for “GMP Review” points to the old Web domain, where visitors find an imitation of the journal’s website. One difference that few notice is the lack of any email or telephone contacts for the editor. Instead, a “contact” button brings visitors to a Web form that sends communication directly to the hijackers.

“It’s a real nuisance,” Hall laments, but there is little he can do about it. Anyone can buy a Web domain from private registration companies who neither vet nor care whether the purchaser has a “right” to it. In this case, the journal’s was purchased through a private firm in Australia—the hijackers themselves could be anywhere. At least now, after the publisher contacted Thomson Reuters to explain the situation, Web of Science lists the correct Web address for Hall’s company.

A similar fate befell Ludus Vitalis, a respected philosophy of science journal published by the Centro Lombardo Toledano in Mexico City, except those hijackers went one step further. Not only did they snatch the journal’s official domain and clone the journal site, they are accepting submissions. You can publish your research in the fake Ludus Vitalis for $150. The fake journal now has a steady stream of papers from a range of disciplines, boldly declaring on its website that it is indexed by Thomson Reuters. The real publishers declined to comment, although in an online forum with researchers they acknowledged that the site was not under their control.

A. CUADRA/SCIENCE AND C. SMITH/SCIENCE

HOW MANY OTHER ACADEMIC journal domains have been snatched? Thomson Reuters declined to comment on journal hijacking or to help me probe its extent. But Dadkhah suggested two ways to spot a hijacking. First, check the domain registration data online by performing a WHOIS query. (It’s not an acronym, but rather a computer protocol to look up “who is” behind a particular domain.) If the registration date is recent but the journal has been around for years, that’s the first clue. Also suspicious is if the domain’s country of registration is different from the journal’s publisher, or if the publisher’s name and contact information are kept anonymous by private domain registrars.

I wrote a program to automate Dadkhah’s search method. I started by scraping the publicly accessible records from Web of Science. That generated a list of more than 12,000 journal Web domains. I ran WHOIS queries on all of them. Filtering the records by the registration creation date gave me a list of the journals with Web domains that changed hands within the past year.

After examining those websites, searching the Internet for signs of the real publishers, and trying to contact them when things looked fishy, I identified 24 journals indexed by Thomson Reuters whose Web domains appear to have been recently snatched. (That list, along with all of the code and data from this investigation are here.)

So far, GMP Review and Ludus Vitalis are the only ones with fake journals open for business. Several sites are being used for unrelated commercial enterprises—apparently simply hoping to benefit from any traffic. For example, the official Web of Science domains for the Journal of Plant Biotechnology, published by a Korean scholarly society, and Graphis Scripta, a botany journal published by the Nordic Lichen Society, now promote balding cures and payday loans, respectively.

In some cases, the motivation of the hijacker is difficult to discern. For example, Web of Science listings for seven journals published by the University of Liverpool Press all point to liverpool-unipress.co.uk, which now hosts a half-built website that encourages visitors to submit proposals for manuscripts but only offers a generic “contact” button that seems to send communication to the hijackers. An amateurish hijack in progress? “It seems that they are using our name,” officials at the real publisher told Science. “This is something we are looking into.”

About a third of the snatched domains are under construction or preparing to be sold. For example, jardinbotanicolankester.org, the domain officially listed by Thomson Reuters for Lankesteriana, a plant science journal published by the University of Costa Rica, now hosts nothing but a link to a private auction to buy the domain. According to Adam Karremans, the managing editor, that domain was never registered by the journal. “I can only assume [Thomson Reuters] took that link from another source by mistake,” he says.

That hints at a possible alternative route for hijacking: Fool Thomson Reuters by posing as the publisher and asking them to list your own domain instead of the real one. That is what happened to Acta Physico-Chimica Sinica, a journal published by Peking University in China, according to the editor, Ouyang Jianhua. “It is not the original website of the journal, in fact we do not have any relation with this URL. I do not know why Thomson Reuters links to it.” (Thomson Reuters declined to comment.) The site listed by Web of Science is under construction.

BUSTLING MARKETS ALREADY EXIST for buying expired domains with obvious commercial potential—those that are very short or consist of a common English word. But academic journal domains are often long and esoteric, so the hijackers must have their own strategy for finding their victims. With my journal domain-tracking code up and running, I realized that this might just be the trick. The only tweak needed was to filter the data by the domain’s expiration date. That yields a list of potential targets to stalk, and when to strike.

That’s when I became a hijacker myself. Why not buy one of the expired domains immediately, if only to save it? Web of Science listed hart.hr as the domain for Život Umjetnosti (Journal of Contemporary Art), published for the past 50 years by the Institute of Art History in Zagreb. To purchase a .hr domain, I had to hire a European company to serve as my proxy, and I beat the hijackers to it.

My prank is very unlikely to have inconvenienced readers. The publisher moved the journal to a new Web domain in June and notified Thomson Reuters, says the editor, Sandra Križić Roban. “They got the information about the new URL,” she says, but as Science went to press, Web of Science still points to the domain that I now control. (I took down the music video, and the site now shows a relevant xkcd cartoon and a prominent link to the real journal and this story.)

It won’t be the last journal domain to get snatched. “Many publishers still rooted in the print world have never completely gotten used to the details of running a website,” says Stewart Wills, the former Web editor of Science. “It’s not surprising that a bill comes in and falls through the cracks. [But] you need to practice due diligence, hire adequate staff, or use an external website vendor,” he says. “The penalty for not professionalizing your online operation is now far too high.”

And it’s not just small journal publishers that are vulnerable. The entire publishing industry relies on digital object identifiers (DOIs) to map Web addresses to scholarly papers. That system stopped working briefly in January because the registration of the doi.org domain expired. “For all the redundancy built into our systems—multiple servers, multiple hosting sites, Raid drives, redundant power—we were undone by a simple administrative task,” reads a mea culpa statement on the blog of CrossRef, the organization that maintains the DOI system. “Truly, we are humbled.”

If a site like CrossRef were hijacked, the consequences for academia would be enormous, Davis says. “We’d have to pay a ransom or create an entirely new system,” he says. “Going back to print publishing is simply not an option for science journals.”

Follow News from Science

A 3D plot from a model of the Ebola risk faced at different West African regions over time.
dancing shoes