Elite University Domains Hijacked to Deliver Porn and Malware

By

Hundreds of University Subdomains Compromised

Hundreds of subdomains belonging to prestigious universities such as the University of California, Berkeley, Columbia University, and Washington University in St. Louis are now serving explicit pornography and malicious malware. Researcher Alex Shakhov identified the breach, noting that at least 34 universities have been affected, with thousands of pages indexed by Google.

Scammers have exploited outdated domain records, turning once-legitimate subdomains like causal.stat.berkeley.edu into gateways for porn and fake virus warnings. One compromised Columbia subdomain redirected users to a site mimicking a system scan, demanding payment to remove non-existent threats.

How the Attack Works

Shakhov, founder of SH Consulting, explained that attackers target CNAME records left behind after subdomains are decommissioned. “When administrators create a subdomain, they assign a CNAME record pointing to an external host. If that record isn’t cleaned up after the subdomain is retired, anyone can claim it,” he said.

This oversight amounts to “shoddy housekeeping,” according to Shakhov. He linked the group behind the attacks to Hazy Hawk, a known threat actor. The group monitors for orphaned CNAME records and registers the external domains, then loads malicious content.

Background: A Recurring Vulnerability

Subdomain hijacking is not new, but the scale here is alarming. Universities often create temporary subdomains for projects, events, or research, then abandon them without removing DNS entries. Attackers can then register the external domain and serve anything they want—including porn, phishing pages, or malware.

Previous incidents have involved compromised government and corporate domains, but educational institutions are particularly vulnerable due to decentralized IT management. The affected universities have been notified, but many outdated records remain active.

What This Means

This breach damages the reputation of these institutions and poses real risks to visitors. Users trusting a .edu domain may inadvertently expose themselves to explicit content or malware. The incident underscores the need for proper domain lifecycle management—regular audits and automated alerts for abandoned CNAME records.

For cybersecurity teams, this is a wake-up call. “Any organization with a large domain portfolio must enforce cleanup policies,” Shakhov warned. “Otherwise, they are leaving the door open for attackers.”

Related Articles

• Ocean-Based Carbon Removal Experiment Underway in Halifax Harbor – Can the Sea Save Us from CO₂?
• Shalbatana Vallis: Tracing Mars' Lost Ocean Through a Chaotic Valley
• Empowering Educators: How NASA eClips and GLOBE Cultivate a Coastal Virginia STEM Ecosystem
• Beyond AlphaFold: PLAID Generates Proteins with Latent Diffusion
• 10 Revelations About the Vera C. Rubin Observatory: The Maverick Eye on the Sky
• Launch Your Summer with NASA STEM: A Step-by-Step Guide to Space-Themed Activities
• Australian Teenagers Pioneer Low-Cost Radio Telescopes for Classroom Science
• Humanoid Robots on Track to Shatter Men's 100m Sprint Record – Experts Question Practical Use