Prestigious Universities Compromised
Websites tied to some of the world's top universities are delivering explicit pornography and malicious scams because scammers have taken advantage of lax subdomain management by site administrators, according to recent findings from security researcher Alex Shakhov.
Affected domains include berkeley.edu, columbia.edu, and washu.edu, representing the University of California, Berkeley, Columbia University, and Washington University in St. Louis. Specific hijacked subdomains like https://causal.stat.berkeley.edu/~my/video/xxx-porn-girl-and-boy-ej5210.html, https://conversion-dev.svc.cul.columbia.edu/brazzers-gym-porn, and https://provost.washu.edu/app/uploads/formidable/6/dmkcsex-10.pdf all host graphic adult content. One instance even leads to a fake malware alert demanding payment for nonexistent infections.
Shakhov reports that hundreds of such subdomains across at least 34 universities are compromised, with Google search results revealing thousands of these illicit pages still indexed and accessible.
Hijacking a University's Reputation
These attacks stem from basic administrative oversights. When a university stands up a subdomain such as provost.washu.edu on a third-party host, it creates a CNAME record aliasing that name to the provider's hostname (a CNAME points at another name, not at an IP address). When the project, event or test behind the subdomain is decommissioned, the hosting is cancelled but the DNS record often lingers without cleanup, still pointing at a target that nobody owns anymore.
Opportunistic scammers, linked by other researchers to the group tracked as Hazy Hawk, then claim that target: they register the now-available base domain the expired CNAME still points to, so the university's name resolves to servers they control. This lets them redirect unsuspecting visitors, often students, faculty or researchers, to harmful content while masquerading under the trusted .edu banner.
The prestige of these institutions makes the hijacks particularly damaging, as users lower their guards when seeing familiar university domains in links or search results.
The Technical Breakdown
CNAME records are straightforward DNS entries that alias one name to another. They are convenient for delegating subdomains to third-party hosts, but a CNAME left behind after its target is gone is a dangling record: the university's name still answers, and whoever controls the target decides what it answers with. Scammers monitor expiring domains through registrar feeds and drop-catching tools, snap them up quickly, and point them at servers loaded with porn sites or phishing pages.
This isn't sophisticated hacking: it is low-effort domain squatting that exploits institutional inertia. Universities with large, decentralized IT teams struggle to inventory thousands of subdomains, and records created by departments, labs or event organizers are rarely tracked to their end of life, leaving these persistent gaps.
Google's indexing exacerbates the issue: the hijacked pages inherit the .edu domain's search reputation and stay visible in results for months or years until they are manually delisted.
Examples of Hijacked Subdomains
- causal.stat.berkeley.edu serving xxx-porn-girl-and-boy content
- conversion-dev.svc.cul.columbia.edu hosting brazzers-gym-porn
- provost.washu.edu hosting dmkcsex-10.pdf, used for a fake malware-alert scam
- Numerous others across 34+ universities, totaling thousands of pages
Broader Implications and Fixes
Such hijacks erode trust in academic domains and can expose users to data theft, malware or scareware payments, and the institutions to reputational harm. Students clicking what looks like a university resource might unwittingly land on, and fund, criminal infrastructure.
Universities must audit DNS records regularly, tie subdomain decommissioning to DNS cleanup so the record is removed when the hosting is cancelled, and monitor for unexpected changes in what their subdomains resolve to. Certificate transparency logs (which reveal certificates issued for a university's names by someone else) and search-engine webmaster alerts such as Google Search Console can help spot abuses early.
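The audit described above, and the dangling-record condition explained in the technical breakdown, can be mechanized. The following script is an added example, not code from the article or from the researcher: it walks a zone export, resolves every CNAME target and classifies the ones that no longer exist. A target whose whole base domain is gone is "re-registrable" (the scenario in this story); a target whose base domain still exists but whose specific hostname does not is "orphaned" at the provider. The zone, the resolver fixture and every name below are constructed so the script runs offline; `live_resolve` is the hook for a real lookup.

```python
"""Dangling-CNAME audit (added example, not the article's code).

Classifies CNAME records whose target no longer resolves:
  * "re-registrable": the target's base domain itself is gone, so anyone
    can register it and inherit the subdomain's traffic;
  * "orphaned": the base domain exists but the hostname does not, typical
    of a cancelled hosting or cloud resource.
"""
import socket
from typing import Callable


class NXDomain(Exception):
    """The queried name does not exist (DNS rcode NXDOMAIN)."""


# Constructed zone export: (owner, type, target). All names are illustrative.
ZONE = [
    ("www.example.edu",       "CNAME", "www-prod.hosting-example.net."),
    ("old-event.example.edu", "CNAME", "old-event.lapsed-vendor-example.com."),
    ("provost.example.edu",   "CNAME", "provost-site.hosting-example.net."),
    ("mail.example.edu",      "A",     "192.0.2.10"),
]

# Constructed resolver view: only these names exist.
FAKE_DNS = {
    "www-prod.hosting-example.net.": ["198.51.100.20"],
    "hosting-example.net.": ["198.51.100.1"],
}


def fake_resolve(name: str) -> list[str]:
    """Offline stand-in for a DNS lookup, backed by the FAKE_DNS fixture."""
    if name not in FAKE_DNS:
        raise NXDomain(name)
    return FAKE_DNS[name]


def live_resolve(name: str) -> list[str]:
    """Real lookup via the system resolver (not used by the offline demo).
    Approximation: any getaddrinfo failure is treated as NXDOMAIN."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name.rstrip("."), None)})
    except socket.gaierror as exc:
        raise NXDomain(name) from exc


def base_domain(name: str) -> str:
    """Registrable base of a hostname. Simplification: the last two labels.
    A production audit should consult the Public Suffix List (ac.uk, co.jp, ...)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def audit_cnames(zone, resolve: Callable[[str], list[str]]) -> list[dict]:
    """Return one finding per CNAME whose target no longer resolves."""
    findings = []
    for owner, rtype, target in zone:
        if rtype != "CNAME":
            continue
        try:
            resolve(target)
            continue                      # target still resolves: not dangling
        except NXDomain:
            pass
        try:
            resolve(base_domain(target))  # base alive: hostname orphaned at provider
            status = "orphaned"
        except NXDomain:
            status = "re-registrable"     # whole domain lapsed: anyone can buy it
        findings.append({"owner": owner, "target": target, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_cnames(ZONE, fake_resolve):
        print(f"{f['status']:15} {f['owner']} -> {f['target']}")
```

Run it against a real zone export by replacing `ZONE` with your records and passing `live_resolve` instead of `fake_resolve`; a "re-registrable" finding is the exact condition the scammers in this story look for, and the record should be deleted (or re-pointed) before someone else registers the target.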
This incident underscores that even elite institutions aren't immune to mundane security lapses—proactive housekeeping is essential in an era of domain hijacking threats.