Elite University Domains Hijacked to Deliver Porn and Malware
Hundreds of University Subdomains Compromised
Hundreds of subdomains belonging to prestigious universities such as the University of California, Berkeley, Columbia University, and Washington University in St. Louis are now serving explicit pornography and malicious malware. Researcher Alex Shakhov identified the breach, noting that at least 34 universities have been affected, with thousands of pages indexed by Google.
Scammers have exploited outdated domain records, turning once-legitimate subdomains like causal.stat.berkeley.edu into gateways for porn and fake virus warnings. One compromised Columbia subdomain redirected users to a site mimicking a system scan, demanding payment to remove non-existent threats.
How the Attack Works
Shakhov, founder of SH Consulting, explained that attackers target CNAME records left behind after subdomains are decommissioned. “When administrators create a subdomain, they assign a CNAME record pointing to an external host. If that record isn’t cleaned up after the subdomain is retired, anyone can claim it,” he said.
This oversight amounts to “shoddy housekeeping,” according to Shakhov. He linked the group behind the attacks to Hazy Hawk, a known threat actor. The group monitors for orphaned CNAME records and registers the external domains, then loads malicious content.
Background: A Recurring Vulnerability
Subdomain hijacking is not new, but the scale here is alarming. Universities often create temporary subdomains for projects, events, or research, then abandon them without removing DNS entries. Attackers can then register the external domain and serve anything they want—including porn, phishing pages, or malware.
Previous incidents have involved compromised government and corporate domains, but educational institutions are particularly vulnerable due to decentralized IT management. The affected universities have been notified, but many outdated records remain active.
What This Means
This breach damages the reputation of these institutions and poses real risks to visitors. Users trusting a .edu domain may inadvertently expose themselves to explicit content or malware. The incident underscores the need for proper domain lifecycle management—regular audits and automated alerts for abandoned CNAME records.
For cybersecurity teams, this is a wake-up call. “Any organization with a large domain portfolio must enforce cleanup policies,” Shakhov warned. “Otherwise, they are leaving the door open for attackers.”