A new Sci-Hub-like content theft website (lib.mayiso.com) has come to the attention of the Silverchair Security Team (SST). Lib.Mayiso.com is a malicious for-profit actor operating in the scholarly publishing sphere. There are two major differences between Mayiso and Sci-Hub:
- Mayiso is a for-profit enterprise that charges its users for hijacked VPN credentials to access paywalled publications, whereas Sci-Hub purports to operate on an “open access to research” philosophy.
- Where Sci-Hub is more akin to a web crawler that downloads content and places it within its own repositories for future retrieval, Mayiso provides ‘just in time’ access to content. This ‘just in time’ access appears to operate via IP authentication methods utilizing unauthorized or compromised VPN access credentials from various higher education institutions around the world.
MethodsThis issue was found due to an increase in full-text article views with a referrer of lib.mayiso.com. The SST investigated this referrer and found that traffic was coming from legitimate intuitional IP addresses from various universities. A review of the lib.mayiso.com website found that they are boasting of obtaining VPN access to higher education institutions within the United States.
To further understand the methods of access that lib.mayiso.com is using, the SST set up an account on their website. The SST found that access is given through a proxy website e.g., <clientshort name>.isus.top. It appears that requests made to this proxy site are then routed through various legitimate institutions’ VPN clients, which is how IP authentication is achieved. The information is then routed back through the proxy website and returned to the user.
Given the method by which Lib.Mayiso.com brokers access to content, it appears in reports as legitimate traffic from top research institutions, which is how it is able to slip past the many existing barriers for illegitimate usage.
SolutionsOnce the SST determined the method of access, we implemented a blocking mechanism similar to the way we block Sci-Hub. Since then, all known instances of these proxy website referrers have been blocked across all Silverchair-hosted products.
Next StepsAs with any security solution around technology, what works today may not work tomorrow. While our teams can no longer find examples of this exploit within our logs, this malicious actor could find new and creative ways to obtain unauthorized access to paywalled content. We believe that outside of maintaining a strong security posture and monitoring for anomalous activity, the best way to combat these types of issues is to encourage discussion and raise awareness within the academic and publishing communities, which is why we share this information here.
Silverchair has shared non-client specific data and findings with both the Scholarly Networks Security Initiative (SNSI) and the PSI Registry (PSI). For publishers interested in further traffic analysis, searching for lib.mayiso.com in the referrer field within Google Analytics may offer additional insight.
We welcome further insights and findings at firstname.lastname@example.org.