When Nature pushes Malvertising
«Is science only for the rich?» *charges ~200€ for a yearly, personal subscription* ¯\_(ツ)\_/¯ https://t.co/MqYPuefkZ4
— Bastian Greshake (@gedankenstuecke) May 29, 2017
In the process of doing research for a snarky tweet I was looking for the yearly subscription costs of Nature. In itself not an easy task, as the corresponding page one finds via Google is devoid of content. But something even weirder happened, as I was greeted by some scammy-looking popup, which tried to push a Chrome extension on the unsuspecting user in the most annoying way: playing sounds, forced dialog popups, images that look like real popups, and all that for the ironic promise of ridding you of advertisements.
Which in sum doesn’t scream malware at all, right? At first I suspected that some of my own Chrome extensions or my system would be to blame for this. So I went through removing all Chrome extensions, and the issue remained. And then I reproduced the same thing on a different machine with a different installation of Chrome and a different operating system. And sure enough, the Nature website, at least on some occasions, leads you to this badly hidden attempt to install dubious things on your computer.
Intrigued, I started with a simple whois for the domain from which the popup arises. And luckily enough, the site is hosted by a gentleman called Anatoliu Golovin from Moscow. Some further googling showed I’m not the only person who has made indirect contact with that person: David Gil De Gómez Perez blogged about his encounter with the same kind of attack two weeks ago, using a different vector, and describes an attack which seems to combine the forced Chrome extension installation with a less sophisticated version of the malvertising approach.
Which means it most likely comes down to this: someone is buying online advertisements to get you to install malware on your end. These ads end up on the Nature website, where you wouldn’t expect to find such things. So either Nature’s IT security isn’t the best (we’ve all been there) or there’s just little incentive for Nature to really check what kind of advertisements are running on their website, as long as it’s a nice financial supplement to their subscription fees. I’m hardly the first person to notice these things. In fact: at least 3 days ago someone reported the same thing to the Twitter account of Nature, to no avail.
In the end it looks like Nature, proud to be one of the oldest scientific journals around, peddles the same kind of malvertising one would expect to see on dubious porn and file-sharing sites. Funnily enough, I’ve so far never seen this happening on Sci-Hub…