How to steal a journal

Figure

Even by a standards of Internet scams, a intrigue is brazen. According to a tip sent to Science, fraudsters are snatching whole Web addresses, famous as Internet domains, right out from underneath educational publishers, erecting
feign versions of their sites, and hijacking their journals, along with their Web traffic.

Website spoofing has been around given a arise of Internet hunt engines, though it’s usually in a past few years that scholarly
journals have been targeted. The common process is to build a convincing chronicle of a website during a identical address—www.sciencmag.org rather than www.sciencemag.org—and afterwards expostulate Web trade to a feign site. But snatching a central domain is an guileful twist: Unsuspecting visitors
who record into a hijacked biography sites competence give divided passwords or income as they try to compensate subscriptions or essay processing
fees. And given a co-opted site retains a central Web residence of a genuine journal, how can we tell it’s fake?

ONLINE

Find a list of snatched journals during http://scim.ag/hijackdata

After a tip came in from Mehdi Dadkhah, an information record scientist formed in Isfahan, Iran, Science put me on a case. Not usually did my review endorse that this rascal is real, identifying 24 recently snatched journal
domains, we detected how a hijackers are expected doing it. The usually tough partial is identifying exposed journals. Once the
targets are identified, snatching their domains is easy. To exam my theory, we snatched one myself. For a day, visitors to
a central Web domain of an educational contemporary art biography formed in Croatia were redirected to Rick Astley’s 1987 classic
song video, “Never Gonna Give You Up.” (The editors there weren’t dissapoint when they schooled of a switch given a journal
was already relocating to a new domain.)

This new character of biography hijacking can develop usually when journals are drifting about website administration and security.
But a few cases so distant should sound an alarm, edition experts say. “Other businesses deposit heavily in cybersecurity,
and erudite journals will indispensably need to follow,” warns Phil Davis, a former university librarian who is now a consultant
in a erudite edition industry. “There is a lot some-more than usually income during stake. Reputations and trust are on a line.”

Figure

LONG IGNORED BY THE CRIMINAL underworld, educational biography websites are finally removing noticed. One reason is a perfect scale of today’s online publishing—more
than 2 million digital articles were published by some-more than 20,000 journals final year. Another competence be a income changing hands.
Most of this $10 billion attention is still tied adult with subscriptions, paid essentially by libraries, though a flourishing cut comes
from bullion open-access publishing, a business indication in that authors of supposed papers compensate adult front for their publication.
This partial of a marketplace took in about $250 million final year and is on march to double in a few years. That income upsurge and
a bungled website administration of many erudite publishers make for luscious targets.

Jeffrey Beall, a librarian during a University of Colorado, Denver, who marks abuse in erudite publishing, has so distant identified
88 journals that are confronting foe from feign imitators on opposite websites. “The list keeps growing,” he says. But
snatching a journal’s tangible Internet domain is a new twist—one Beall wasn’t wakeful of until Science alerted him to a practice.

Until domain-snatching came along, biography hijacking was easy to spot. You usually incited to a devoted list of creditable journals,
such as Web of Science. Curated by Thomson Reuters, it lists a International Standard Serial Numbers (ISSNs), titles, and
Web and postal addresses of some-more than 12,000 publications. If a Web residence of an online biography matches a central record
on Web of Science, afterwards we could be assured that it’s a genuine deal. No longer: There is no elementary approach to brand a journal
that has mislaid control of a possess Web domain.

Dadkhah has been questioning biography fraudsters ever given he himself was hoodwinked in 2013. Ironically, it happened as he sought
to tell his master’s topic investigate on Internet security. Like vast researchers, he perceived a spam email inviting
him to benefaction his investigate during a systematic discussion for a price of $600. It was a vast sum for him, though a organizers promised
to tell his work as partial of a discussion record in a biography that was indexed by Thomson Reuters. So he paid up.

Then things took a bizarre turn. The discussion was “virtual,” with no real-world gathering—in fact no discussion happened
during all. And a publication? It incited out to be a cloned chronicle of a genuine biography on a opposite website. Dadkhah made
a scent and eventually got his income back—a singular escape.

Since then, he has turn one of a go-to experts on biography fraud. Recently, discontented authors began coming him about
a new scam. Euromed Communications, a publisher of biomedical journals and books formed in a United Kingdom, competence have been
a initial target. The difficulty began a few years ago when a company’s initial executive died of cancer. During a management
reshuffle, a $10 check went unpaid: It was a annual registration price for a company’s Web domain. “We attempted to reregister
it though it was too late,” says Peter Hall, a company’s new director. “Someone had already snapped it up.”

Since then, Euromed Communications has transitioned a publications to a new domain. Things went uniformly until Jun of this
year. “We started removing emails from indignant researchers,” Hall says. The researchers claimed to have paid a subscription
price for one of a company’s publications, a curative attention trade biography called GMP Review, by a central website though perceived zero in return.

Sure enough, GMP Review had been hijacked. Even today, a tip strike in a Google hunt for “GMP Review” points to a aged Web domain, where visitors find an fabrication of a journal’s website. One disproportion that few notice
is a miss of any email or write contacts for a editor. Instead, a “contact” symbol brings visitors to a Web form that
sends communication directly to a hijackers.

“It’s a genuine nuisance,” Hall laments, though there is tiny he can do about it. Anyone can buy a Web domain from private registration
companies who conjunction oldster nor caring either a client has a “right” to it. In this case, a journal’s was purchased through
a private organisation in Australia—he hijackers themselves could be anywhere. At slightest now, after a publisher contacted Thomson
Reuters to explain a situation, Web of Science lists a scold Web residence for Hall’s company.

A identical predestine befell Ludus Vitalis, a reputable truth of scholarship biography published by a Centro Lombardo Toledano in Mexico City, solely those hijackers
went one step further. Not usually did they waylay a journal’s central domain and counterpart a biography site, they are accepting
submissions. You can tell your investigate in a feign Ludus Vitalis for $150. The feign biography now has a solid tide of papers from a operation of disciplines, resolutely dogmatic on a website
that it is indexed by Thomson Reuters. The genuine publishers declined to comment, nonetheless in an online forum with researchers
they concurred that a site was not underneath their control.

HOW MANY OTHER ACADEMIC JOURNAL domains have been snatched? Thomson Reuters declined to criticism on biography hijacking or to assistance me examine a extent. But
Dadkhah suggested dual ways to mark a hijacking. First, check a domain registration information online by behaving a WHOIS query.
(It’s not an acronym, though rather a mechanism custom to demeanour adult “who is” behind a sole domain.) If a registration
date is new though a biography has been around for years, that’s a initial clue. Also questionable is if a domain’s country
of registration is opposite from a journal’s publisher, or if a publisher’s name and hit information are kept anonymous
by private domain registrars.

I wrote a module to automate Dadkhah’s hunt method. we started by scraping a publicly permitted annals from Web of Science.
That generated a list of some-more than 12,000 biography Web domains. we ran WHOIS queries on all of them. Filtering a annals by
a registration origination date gave me a list of a journals with Web domains that altered hands within a past year.

After examining those websites, acid a Internet for signs of a genuine publishers, and perplexing to hit them when things
looked fishy, we identified 24 journals indexed by Thomson Reuters whose Web domains seem to have been recently snatched.
(That list, along with all of a formula and information from this review are during http://scim.ag/hijackdata.)

So far, GMP Review and Ludus Vitalis are a usually ones with feign journals open for business. Several sites are being used for separate blurb enterprises—apparently
simply anticipating to advantage from any traffic. For example, a central Web of Science domains for a Journal of Plant Biotechnology, published by a Korean erudite society, and Graphis Scripta, a botany biography published by a Nordic Lichen Society, now foster balding cures and payday loans, respectively.

In some cases, a proclivity of a hijacker is formidable to discern. For example, Web of Science listings for 7 journals
published by a University of Liverpool Press all indicate to liverpool-unipress.co.uk, that now hosts a half-built website that encourages visitors to contention proposals for manuscripts though usually offers a generic
“contact” symbol that seems to send communication to a hijackers. An bungled steal in progress? “It seems that they
are regulating a name,” officials during a genuine publisher told Science. “This is something we are looking into.”

About a third of a snatched domains are underneath construction or scheming to be sold. For example, jardinbotanicolankester.org, a domain strictly listed by Thomson Reuters for Lankesteriana, a plant scholarship biography published by a University of Costa Rica, now hosts zero though a couple to a private auction to
buy a domain. According to Adam Karremans, a handling editor, that domain was never purebred by a journal. “I can
usually assume [Thomson Reuters] took that couple from another source by mistake,” he says.

That hints during a probable choice track for hijacking: Fool Thomson Reuters by posing as a publisher and seeking them
to list your possess domain instead of a genuine one. That is what happened to Acta Physico-Chimica Sinica, a biography published by Peking University in China, according to a editor, Ouyang Jianhua. “It is not a strange website
of a journal, in fact we do not have any propinquity with this URL. we do not know since Thomson Reuters links to it.” (Thomson
Reuters declined to comment.) The site listed by Web of Science is underneath construction.

BUSTLING MARKETS ALREADY EXIST for shopping lapsed domains with apparent blurb potential—those that are really brief or include of a common English word.
But educational biography domains are mostly prolonged and esoteric, so a hijackers contingency have their possess plan for anticipating their
victims. With my biography domain-tracking formula adult and running, we satisfied that this competence usually be a trick. The usually tweak
indispensable was to filter a information by a domain’s death date. That yields a list of intensity targets to stalk, and when
to strike.

That’s when we became a hijacker myself. Why not buy one of a lapsed domains immediately, if usually to save it? Web of Science
listed hart.hr as a domain for Život Umjetnosti (Journal of Contemporary Art), published for a past 50 years by a Institute of Art History in Zagreb. To squeeze a .hr domain, we had to sinecure a European
association to offer as my proxy, and we kick a hijackers to it.

My antic is really doubtful to have inconvenienced readers. The publisher changed a biography to a new Web domain in Jun and
told Thomson Reuters, says a editor, Sandra Križić Roban. “They got a information about a new URL,” she says, but
as Science went to press, Web of Science still points to a domain that we now control. (I took down a song video, and a site now
shows a applicable xkcd animation and a distinguished couple to a genuine biography and this story.)

It won’t be a final biography domain to get snatched. “Many publishers still secure in a imitation universe have never completely
gotten used to a sum of using a website,” says Stewart Wills, a former Web editor of Science. “It’s not startling that a check comes in and falls by a cracks. [But] we need to use due diligence, sinecure adequate
staff, or use an outmost website vendor,” he says. “The chastisement for not professionalizing your online operation is now far
too high.”

And it’s not usually tiny biography publishers that are vulnerable. The whole edition attention relies on digital intent identifiers
(DOIs) to map Web addresses to erudite papers. That complement stopped operative quickly in Jan given a registration of
a doi.org domain expired. “For all a excess built into a systems—multiple servers, mixed hosting sites, Raid drives, redundant
power—we were dismantled by a elementary executive task,” reads a mea culpa matter on a blog of CrossRef, a organization
that maintains a DOI system. “Truly, we are humbled.”

If a site like CrossRef were hijacked, a consequences for academia would be enormous, Davis says. “We’d have to compensate a ransom
or emanate an wholly new system,” he says. “Going behind to imitation edition is simply not an choice for scholarship journals.”