Photo: DAVIDE BONAZZI/@SALZMANART
Website spoofing has been around since the rise of Internet search engines, but it's only in the past few years that scholarly journals have been targeted. The usual method is to build a convincing version of a website at a similar address—www.sciencmag.org rather than www.sciencemag.org—and then drive Web traffic to the fake site. But snatching the official domain is an insidious twist: Unsuspecting visitors who log into the hijacked journal sites might give away passwords or money as they try to pay subscriptions or article processing fees. And because the co-opted site retains the official Web address of the real journal, how can you tell it's fake?
After the tip came in from Mehdi Dadkhah, an information technology scientist based in Isfahan, Iran, Science put me on the case. Not only did my investigation confirm that this scam is real, identifying 24 recently snatched journal domains, I discovered how the hijackers are likely doing it. The only hard part is identifying vulnerable journals. Once the targets are identified, snatching their domains is easy. To test my theory, I snatched one myself. For a day, visitors to the official Web domain of an academic contemporary art journal based in Croatia were redirected to Rick Astley's 1987 classic music video, “Never Gonna Give You Up.” (The editors there weren't upset when they learned of the switch because the journal was already moving to a new domain.)
This new style of journal hijacking can flourish only when journals are careless about website administration and security. But the few cases so far should sound an alarm, publishing experts say. “Other businesses invest heavily in cybersecurity, and scholarly journals will necessarily need to follow,” warns Phil Davis, a former university librarian who is now a consultant in the scholarly publishing industry. “There is a lot more than just money at stake. Reputations and trust are on the line.”
LONG IGNORED BY THE CRIMINAL underworld, academic journal websites are finally getting noticed. One reason is the sheer scale of today's online publishing—more than 2 million digital articles were published by more than 20,000 journals last year. Another may be the money changing hands. Most of this $10 billion industry is still tied up with subscriptions, paid primarily by libraries, but a growing slice comes from gold open-access publishing, the business model in which authors of accepted papers pay up front for their publication. This part of the market took in about $250 million last year and is on course to double in a few years. That cash flow and the amateurish website administration of many scholarly publishers make for juicy targets.
Jeffrey Beall, a librarian at the University of Colorado, Denver, who tracks abuse in scholarly publishing, has so far identified 88 journals that are facing competition from fake imitators on different websites. “The list keeps growing,” he says. But snatching a journal's actual Internet domain is a new twist—one Beall wasn't aware of until Science alerted him to the practice.