Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security The Media Science

Investigation Reveals How Easy It Is To Hijack a Science Journal Website (sciencemag.org) 18

sciencehabit writes: With 20,000 journal websites producing millions of articles — and billions of dollars — it was probably inevitable that online criminals would take notice. An investigation by Science magazine finds that an old exploit is being used on academic publishers: domain snatching and website spoofing. The trick is to find the tiny number of journals whose domain registration has lapsed at any given time. But how do they track their prey? Science correspondent and grey-hat hacker John Bohannon (the same reporter who submitted hundreds of computer-generated fake scientific papers in a journal sting) proposes a method: Scrape the journal data from Web of Science (curated by Thomson Reuters) and run WHOIS queries on their URLs to generate an automatic hijack schedule.

He found 24 journals indexed by Thomson Reuters whose domains were snatched over the past year. Most are under construction or for sale, but 2 of them now host fake journals and ask for real money. And to prove his point, Bohannon snatched a journal domain himself and Rickrolled it. (It now hosts an xkcd cartoon and a link to the real journal.) Science is providing the article describing the investigation free of charge, as well as all the data and code. You can hijack a journal yourself, if you're so inclined: An IPython Notebook shows how to scrape Web of Science and automate WHOIS queries to find a victim. Science hopes that you return the domains to the real publishers after you snatch them.

This discussion has been archived. No new comments can be posted.

Investigation Reveals How Easy It Is To Hijack a Science Journal Website

Comments Filter:
  • I hope this is a wake up call to publishers to protect their intellectual properties.

    What worries me is when bank mergers, etc. lead to financial data compromises in this way.

  • by Anonymous Coward

    Because it's the question that everyone is probably going to have, the xkcd in question is #722, "Computer Problems [xkcd.com]".

  • by Lab Rat Jason ( 2495638 ) on Friday November 20, 2015 @02:16PM (#50971291)

    Why would you trust a journal that is so incompetent that they can't maintain something as simple as a domain?

    • +1
    • When the government is as trustworthy as God, I'll be comfortable with them knowing as much about me as God does.
      Flag as Inappropriate

      The government is actually MORE trustworthy than God. Sorry about that.

      P.S.: I don't mean to imply the government is trustworthy. Or, come to that, that God actually knows much about you.

      • Seems you put a lot of double speak into something that simply could have been stated as "I don't believe in God"... or did you mean to imply that you, not believing in God, would still prefer to whisper your secrets to your government rather than echo them to /dev/null/?

        • by KGIII ( 973947 )

          Yes, but for a brief moment, they felt important and that their opinion mattered. Of course, one might also ask, why else post if not for those reasons? We're not altruists, no matter how much we'd like to pretend we are.

        • by HiThere ( 15173 )

          The thing is, I *do* believe in gods, for a reasonable definition of god. I just don't believe they're infallible or all-knowing (or that they have even vaguely human perceptions or purposes). And I think that the thing I'm talking about is the same thing that those who claim direct contact with gods are talking about.

          I classify these things as gods, but also as common underpinnings of thoughts on a species, and occasionally genera-wide commonality. They are the strata of thought that Jung glimpsed and c

  • by Anonymous Coward on Friday November 20, 2015 @02:25PM (#50971325)

    Academic publishing long since passed from being a respectable enterprise, or even a respectable business, and now sits somewhere between an adult emporium and an App Store. The race to the bottom in standards, quality, ethics coupled to the soaring price and universal and ruthless exploitation(*) of academics has given the industry the reputation of midnight casino chain. And lo and behold, here arrive actual criminals, looking to rip off joints, as well as asking for protection money if not outright laundering funds. And like any shady operation, publishers shouldn't expect much help from police to help keep their opium emporium running.

    (*)Such exploitation can be, much in the same way as a drug addict's addiction, a matter of contentious perspective. Academics themselves are not blameless for allowing this situation to arise.

    • Academics themselves are not blameless for allowing this situation to arise.

      True, and some academics have taken it upon themselves to found new independent open-access journals and such. We just had a story here about it [slashdot.org] a couple weeks ago.

      The problem is for junior academics, or those still looking to obtain a better job, you don't really have much choice in the matter assuming you want to keep your grants and labs and get tenure. In most fields, there are "high impact" journals, and grant review boards and tenure review committees look for those journals. Publishing in some n

  • by ArchieBunker ( 132337 ) on Friday November 20, 2015 @02:41PM (#50971423)

    If this can happen and no one notices, are these paper sites that important in the first place?

  • by RoverDaddy ( 869116 ) on Friday November 20, 2015 @04:20PM (#50971985) Homepage
    Obviously this works because the domain system has been designed so that domain expiration dates are visible to the public. Is there any compelling public interest in making this so? Perhaps this was one of those decisions made during a more naive, simple time on the internet, that needs to be revisited.

There are never any bugs you haven't found yet.

Working...