Locked Out

Science article explores how hackers can hijack scholarly journals. Fortunately, preventing it can be as simple as paying a bill on time.

November 20, 2015

Journal editors, did you remember to pay your web hosting bill? If the answer is no, you could find yourself locked out of your own website.

That’s the warning issued by John Bohannon, the well-known writer and molecular biologist, in this week’s issue of Science. In “How to Hijack a Journal,” Bohannon points out that an unpaid bill could lead to a journal losing control of its website -- and then explains how he was able to seize control of a journal's website himself.

This type of scam, Bohannon writes, is different from a hacker buying a web address that merely resembles the real website -- insidehighered.com versus insdehighered.com, for example -- and waiting for unsuspecting visitors to type the wrong address in their browsers. That scam, after all, can be uncovered just by looking closely at the browser’s address bar.

The hijacking scam Bohannon describes is more nefarious. It involves hackers waiting for a journal to forget to renew its web address, allowing the hackers to purchase it and effectively take over the journal’s online presence. By cloning the content on the journal’s website, the hackers can make the takeover virtually invisible not just to the naked eye, but also to indexing services such as Thomson Reuters’ Web of Science, Bohannon writes.

“Unsuspecting visitors who log into the hijacked journal sites might give away passwords or money as they try to pay subscriptions or article processing fees,” Bohannon writes. “And because the co-opted site retains the official web address of the real journal, how can you tell it’s fake?”

Bohannon is known for his sting operations. This March, for example, he fooled countless websites into reporting on a study out of the fictional Institute of Diet and Health that claimed eating chocolate promotes weight loss. In the world of scholarly communication, he has cast serious doubt about the rigor of some open-access journals’ peer-review processes after he in 2013 submitted a fake article to 304 journals that was accepted by more than half.

(Bohannon, for what it’s worth, would not confirm that the Science article is not some new form of hoax designed to entrap reporters who decide to cover it. Faced with that question in an email from Inside Higher Ed, Bohannon responded “Heh heh.”)

The open-access angle also applies to Bohannon’s most recent experiment. Given the growth seen in the number of gold open-access journals -- in other words, those that charge for article processing -- hackers may be interested in targeting that sector of the publishing market, Bohannon writes. A hijacked journal can continue to accept money from academics submitting their articles for as long as it takes for the scam to be discovered (in fact, Bohannon was tipped off by a researcher who experienced just that).

“That cash flow and the amateurish website administration of many scholarly publishers make for juicy targets,” Bohannon writes.

Open-access advocates said they didn't think journals that use article processing charges are more vulnerable than those that don't. Peter Suber, a prominent open-access researcher who serves as director of Harvard University's Office for Scholarly Communication, said journals in the "bottom tier," by revenue, are likely the most vulnerable.

"The ones [Bohannon thinks] are juicy targets are those with good revenue (because there's more money to divert) and those with 'amateurish website administration.' I suspect that those are nearly disjoint subsets of OA journals," Suber said in an email. "I certainly agree that some OA journals have good revenue and some have amateurish web administration. But again, the same is true for non-OA journals."

Heather Joseph, executive director of the Scholarly Publishing and Academic Resources Coalition, or SPARC, echoed Suber's conclusion. “The vulnerability is the same for any publication that is undercapitalized and not well managed,” she said in an email.

Not all hijacked journal websites are being used to scam researchers, however. Some are simply trying to take advantage of the traffic to those sites. Bohannon found that Web of Science points to two journal websites that “now promote balding cures and payday loans,” for example.

Unlike “predatory” publishing, where journals accept researchers’ articles (and their article processing fees) but offer them little in terms of peer review or prestige, journal hijacking does not appear to be a widespread phenomenon, Bohannon suggests. He wrote a program to see if any of the websites for the journals indexed in Web of Science had recently been registered by someone new, but found only 24 that may have been hijacked.

To prove his point about the importance of keeping a web address registration from lapsing, Bohannon hijacked a journal himself. The victim: Život Umjetnosti, a contemporary art journal published by the Institute of Art History in Zagreb, Croatia. The journal had not forgotten to renew its web address registration but had actually moved to a new one. Web of Science hadn’t updated to reflect the change, Bohannon writes.

Bohannon’s work is still visible, but the website now points visitors to the correct web address and the Science article, in case they want to read more about hijacking. “It won’t be the last journal domain to get snatched,” Bohannon writes.


Back to Top