Internet Culture

Infamous researcher hacks academic journals, Rickrolls readers

He’s hoping to highlight a possible security issue.

Photo of Cynthia McKelvey

Cynthia McKelvey

Article Lead Image

This year we covered how a science journalist published a bogus study about the dietary benefits of chocolate online, mainly to prove a point about how terrible journalism is when it comes to covering health. While he may have been right that health journalism is often shoddy, his stunt to prove it was met with quite a bit of criticism.

Featured Video

Now the same man, John Bohannon, is back and this time he’s coming after scientific journals. By taking advantage of a lag in domain name payments, Bohannon was able to hijack a journal and post “Never Gonna Give You Up” by Rick Astley. Yes, he Rickrolled the visitors of academic journals.

The project came about when the major academic journal, Science, tasked Bohannon to get to the bottom of an apparent scam involving spoof websites (though it’s not clear whose idea it was to Rickroll everyone in the process). He published the code he used to pull off his stunt, along with a list of hijacked journals here.

“Fraudsters are snatching entire Web addresses, known as Internet domains, right out from under academic publishers, erecting fake versions of their sites, and hijacking their journals, along with their Web traffic,” Bohannon wrote in an article on Science.

Advertisement

Bohannon wrote that often this hijacking occurs when people set up domain names spelled similarly to the original name and dress the site up in a convincing way. For example, one might buy sciencmag.org, hoping to catch people who misspelled the address in their search bar, Bohannon explained.

But now people are stealing the entire domain name, probably by taking advantage of late payments to the Web host. Then the hijackers can get access to personal information like passwords and credit card information as visitors pay for content on the site.

He said the hard part was identifying vulnerable journals, but once he did snagging the name was as easy as buying a website online. Worse yet, there’s no easy way for visitors to identify if a site’s been hijacked either.

Of course the fix is pretty easy—journals simply have to pay their bills on time.

Advertisement

But for journals that have been sluggish to acclimate to online publishing, something as simple as paying a bill on time can fall through the cracks.

“Many publishers still rooted in the print world have never completely gotten used to the details of running a website,” Stewart Wills, the former Web editor of Science, told Bohannon. “It’s not surprising that a bill comes in and falls through the cracks. [But] you need to practice due diligence, hire adequate staff, or use an external website vendor.”

Bohannon ended with a chilling thought. Articles available online are indexed with digital object identifiers (DOI numbers.) They’re like the Dewey Decimal System of online publishing. He said that following doi.org’s domain registration expiration, the site went down. Thankfully no one hijacked it in the interim because if they had, “We’d have to pay a ransom or create an entirely new system,” Phil Davis, a consultant for academic publishers, told Bohannon. “Going back to print publishing is simply not an option for science journals.”

It’s not clear if Bohannon will get the same flak for this stunt that he did with the chocolate study. He said that no readers were likely inconvenienced by the Rickroll since he did it on a journal which had switched its domain name a year prior. The backing of Science and his good-natured humor for this venture also helps. But hopefully his troll-inspired shenanigans in the name of journalism will get some journals to sit up and take notice, for both the security of their content and their readers.

Advertisement

H/T Retraction Watch | Photo via Jeff Geerling/Flickr (CC BY 2.0) | Remix by Max Fleishman 

 
The Daily Dot