
How Exploited CNAME Records Turn Prestigious University Domains into Porn Sites

Published 2026-05-04 06:54:26 · Science & Space

The Scope of the Problem

Recent research has uncovered a disturbing trend: some of the world’s most respected universities, including the University of California, Berkeley, Columbia University, and Washington University in St. Louis, are inadvertently hosting explicit pornography and malicious content on their official domains. The issue stems from poor administrative housekeeping that allows scammers to hijack abandoned subdomains.

Source: feeds.arstechnica.com

The discovered URLs range from pornographic videos (e.g., hXXps://causal.stat.berkeley.edu/ymy/video/xxx-porn-girl-and-boy-ej5210.html) to PDFs containing adult content (hXXps://provost.washu.edu/app/uploads/formidable/6/dmkcsex-10.pdf). One subdomain even redirected to a tech-support scam that falsely claimed the visitor’s device was infected and demanded payment for fake malware removal. In total, researcher Alex Shakhov identified hundreds of hijacked subdomains across at least 34 universities, with Google search results listing thousands of compromised pages.

How the Hijacking Works

The CNAME Record Vulnerability

The attack exploits a common administrative oversight in CNAME records. When a university creates a subdomain (e.g., hr.dept.university.edu) whose content is served elsewhere, it publishes a CNAME record that maps the subdomain to a canonical name. If the subdomain is later decommissioned but the CNAME record is not removed, the record is left dangling: it still points at a canonical name that nobody controls. Scammers can then register that canonical name on their own hosting, and the university subdomain silently resolves to whatever they serve there.

The Hazy Hawk Connection

Shakhov, founder of SH Consulting, linked these attacks to a known threat group tracked as Hazy Hawk. This group systematically scans for abandoned CNAME records on high-authority domains—like those of .edu institutions—and repurposes them to host malicious or pornographic content. Because the subdomain still points to a trusted university’s root domain (e.g., .berkeley.edu), search engines and users may perceive the page as legitimate, giving the scam an aura of credibility.

The Root Cause: Poor Record-Keeping

At the heart of the problem is lax DNS administration. When a project, department, or temporary service is decommissioned, the corresponding CNAME record is often forgotten in the university’s DNS configuration. This clerical error, although seemingly minor, creates a goldmine for attackers. The affected universities—despite their technical prowess—failed to maintain a clean DNS inventory, leaving the door open for hijacking. As Shakhov noted, this is not a sophisticated hack; it is a failure of basic housekeeping.


What Universities Can Do

To prevent such abuse, institutions must adopt proactive DNS hygiene practices:

  • Regular audits: Periodically scan DNS records for orphaned CNAME entries and remove them.
  • Automated monitoring: Deploy tools that detect when a subdomain’s canonical target changes or becomes unresponsive.
  • Strict decommissioning policies: Require that when any subdomain is retired, its DNS entries are deleted within a set timeframe.
  • Collaboration with security researchers: When notified of hijacked subdomains (as in this case), universities should respond quickly to neutralize the threat.
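The mechanism described under "The CNAME Record Vulnerability" and the first three hygiene practices above (audit, monitoring, decommissioning deadlines) can be combined into one inventory check. The script below is an added example and is not code from the article, the researcher, or any of the universities named. It runs offline: the zone inventory, the baseline snapshot, the retirement dates and the resolver answers are all constructed, and `fake_resolve` stands in for a real DNS lookup (in practice you would substitute a call such as dnspython's `dns.resolver.resolve`). A target that returns NXDOMAIN is reported as dangling, a target that differs from the last audit is reported as changed, and a retired subdomain still carrying a record past the policy deadline is reported as stale.

```python
"""Dangling-CNAME audit over a DNS inventory (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional

# Constructed DNS inventory for a hypothetical university zone.
# Each entry records the CNAME target and the date the service was retired
# (None means the service is still considered active).
INVENTORY: Dict[str, dict] = {
    "hr.dept.uni.example.edu": {"target": "hr-portal.host.example.net.", "retired": None},
    "lab2019.uni.example.edu": {"target": "lab2019.host.example.net.", "retired": date(2020, 6, 30)},
    "events.uni.example.edu": {"target": "events-app.host.example.net.", "retired": None},
    "www.uni.example.edu": {"target": "www.uni.cdn.example.net.", "retired": None},
}

# Constructed answer table standing in for live DNS. None models NXDOMAIN:
# the canonical name no longer exists at the provider, so anyone could claim it.
FAKE_DNS: Dict[str, Optional[str]] = {
    "hr-portal.host.example.net.": "203.0.113.10",
    "lab2019.host.example.net.": None,
    "events-app.host.example.net.": None,
    "www.uni.cdn.example.net.": "198.51.100.7",
}

# Constructed snapshot of the previous audit, used to detect target changes.
BASELINE: Dict[str, str] = {
    "hr.dept.uni.example.edu": "hr-portal.host.example.net.",
    "lab2019.uni.example.edu": "lab2019.host.example.net.",
    "events.uni.example.edu": "events-old.host.example.net.",
    "www.uni.example.edu": "www.uni.cdn.example.net.",
}

# Hypothetical policy: a retired subdomain's records must be deleted within 30 days.
MAX_RETIRED_DAYS = 30


@dataclass
class Finding:
    subdomain: str
    target: str
    issues: List[str]


def fake_resolve(name: str) -> Optional[str]:
    """Stub resolver: returns an address for the target, or None for NXDOMAIN."""
    return FAKE_DNS.get(name)


def audit(inventory: Dict[str, dict], resolve: Callable[[str], Optional[str]],
          baseline: Dict[str, str], today: date) -> List[Finding]:
    """Return one Finding per subdomain that has at least one hygiene issue."""
    findings: List[Finding] = []
    for sub, rec in sorted(inventory.items()):
        issues: List[str] = []
        target = rec["target"]
        # Orphaned entry: the canonical name no longer resolves anywhere.
        if resolve(target) is None:
            issues.append("dangling: target does not resolve")
        # Drift since the last audit: the target was changed without review.
        if sub in baseline and baseline[sub] != target:
            issues.append(f"changed: was {baseline[sub]}")
        # Decommissioning policy: retired services must not keep records around.
        retired = rec["retired"]
        if retired is not None and (today - retired).days > MAX_RETIRED_DAYS:
            issues.append(f"stale: retired {(today - retired).days} days ago, record still present")
        if issues:
            findings.append(Finding(sub, target, issues))
    return findings


def dangling_subdomains(findings: List[Finding]) -> List[str]:
    """Subdomains whose CNAME target returned NXDOMAIN, sorted by name."""
    return sorted(f.subdomain for f in findings
                  if any(i.startswith("dangling") for i in f.issues))


if __name__ == "__main__":
    for f in audit(INVENTORY, fake_resolve, BASELINE, date(2026, 5, 4)):
        print(f"{f.subdomain} -> {f.target}")
        for issue in f.issues:
            print(f"    {issue}")
```

Two caveats apply when this is run against real zones. NXDOMAIN is a strong signal but not the only one: on some hosting providers an unclaimed target still resolves to the provider's shared address and answers with a generic "no such site" page, so a target that resolves should be checked at the HTTP layer as well before it is marked healthy. And an audit is only as good as the inventory it reads; the article's point about record-keeping is that the forgotten entries were never in anyone's list to begin with, so the inventory should be generated from the authoritative zone data (a zone transfer or the provider's API), not from a hand-maintained spreadsheet.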

The universities involved have since taken action, but the broader lesson is clear: even the most prestigious institutions are vulnerable to simple administrative oversights. By tightening record-keeping, they can protect their online reputation and prevent their domains from becoming vectors for malicious content.

In conclusion, this episode serves as a vivid reminder that clean DNS housekeeping is not just a technical nicety—it is a critical component of cybersecurity.