Science Website spoofing has been around since the rise of Internet search engines, but it’s only in the past few years that scholarly journals have been targeted. By John Bohannon
'The usual method is to build a convincing version of a website at a similar address—www.sciencmag.org rather than www.sciencemag.org—and then drive Web traffic to the fake site. But snatching the official domain is an insidious twist: Unsuspecting visitors who log into the hijacked journal sites might give away passwords or money as they try to pay subscriptions or article processing fees. And because the co-opted site retains the official Web address of the real journal, how can you tell it’s fake?
'After the tip came in from Mehdi Dadkhah, an information technology scientist based in Isfahan, Iran, Science put me on the case. Not only did my investigation confirm that this scam is real, identifying 24 recently snatched journal domains, I discovered how the hijackers are likely doing it. The only hard part is identifying vulnerable journals. Once the targets are identified, snatching their domains is easy. To test my theory, I snatched one myself. For a day, visitors to the official Web domain of an academic contemporary art journal based in Croatia were redirected to Rick Astley’s 1987 classic music video, “Never Gonna Give You Up.” (The editors there weren’t upset when they learned of the switch because the journal was already moving to a new domain.)
'This new style of journal hijacking can flourish only when journals are careless about website administration and security. But the few cases so far should sound an alarm, publishing experts say. “Other businesses invest heavily in cybersecurity, and scholarly journals will necessarily need to follow,” warns Phil Davis, a former university librarian who is now a consultant in the scholarly publishing industry. “There is a lot more than just money at stake. Reputations and trust are on the line.”'