Top University Websites Hijacked to Serve Porn and Malware in Widespread Scam

<h2>The Hijack</h2><p>Hundreds of subdomains belonging to prestigious universities including <strong>UC Berkeley</strong>, <strong>Columbia University</strong>, and <strong>Washington University in St. Louis</strong> are redirecting visitors to explicit pornographic content and malicious scam pages, researcher <strong>Alex Shakhov</strong> revealed.</p><figure style="margin:20px 0"><img src="https://cdn.arstechnica.net/wp-content/uploads/2023/07/GettyImages-1137650996-1152x648.jpg" alt="Top University Websites Hijacked to Serve Porn and Malware in Widespread Scam" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: feeds.arstechnica.com</figcaption></figure><p>The compromised hostnames include <em>causal.stat.berkeley.edu</em>, which shows porn videos; <em>conversion-dev.svc.cul.columbia.edu</em>, which points to a porn site called "Brazzers Gym"; and <em>provost.washu.edu</em>, which hosts a fake malware alert demanding payment. In total, at least 34 universities have been affected.</p><p>“This is not a sophisticated hack—it’s basic neglect,” said Shakhov, founder of SH Consulting. “The scammers are exploiting a clerical error that universities never bothered to fix.”</p><h2 id="background">Background: The Technical Flaw</h2><p>When a university stands up a subdomain (e.g., <em>provost.washu.edu</em>) on an outside platform, it publishes a <strong>CNAME record</strong> that aliases the subdomain to a hostname the provider controls (the record's target, or canonical name). This is common for temporary projects, event sites, or third‑party services.</p><p>Once the subdomain is no longer needed, the provider account is closed or the target's domain is allowed to expire, but administrators often forget to delete the CNAME record. The orphaned record becomes a dangling pointer: the university name still resolves through the alias, yet nobody owns what it points at. Attackers such as the group tracked as <strong>Hazy Hawk</strong> register the lapsed target domain (or recreate the abandoned hosting resource) and from then on control what every visitor to the university subdomain sees, without ever touching the university's own DNS or credentials.</p><p>Shakhov explained: “<em>It’s like leaving your front door unlocked after moving out—anyone can walk in and put up their own sign.</em>”</p><h2 id="what-this-means">What This Means</h2><p>The hijacked subdomains damage the universities’ reputations, erode trust in their .edu domains, and expose users to explicit content and scams. Victims landing on the fake malware page are pressured to pay a fee for a non‑existent cleanup.</p><p>Google search results currently list thousands of these hijacked pages, meaning the problem is far from contained. “Universities must audit their DNS records immediately and remove obsolete CNAME entries,” Shakhov urged.</p><p>Without prompt action, the same technique could be used to serve phishing sites, distribute malware, or conduct other attacks under a trusted .edu banner.</p>
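<p>The audit Shakhov calls for is mechanical: list every CNAME in the zone, check whether each target still resolves, and separately review every alias that points outside domains the university controls. The script below is an added example written for this article; it is not the researcher's tooling or any university's. The zone file, hostnames and IP addresses in it are constructed and hypothetical, and the offline <code>demo_resolver</code> stands in for real DNS so the example runs without network access; in production you would pass the default <code>system_resolver</code> instead.</p>

```python
"""Audit a BIND-style zone for dangling CNAME records.

Added example for this article; it is not code from the researcher or from
any university. The zone below is constructed, the hostnames and addresses
are hypothetical, and the default resolver is the operating system's.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

# Constructed sample zone. Three aliases point at outside providers; one
# ("admissions") stays inside the zone and is therefore not a takeover risk.
SAMPLE_ZONE = """\
$ORIGIN example.edu.
$TTL 3600
@              IN SOA   ns1.example.edu. hostmaster.example.edu. (1 7200 3600 1209600 3600)
www            IN A     192.0.2.10
provost        IN CNAME provost-site.example-hosting.net.   ; provider account closed
conversion-dev IN CNAME conversion-dev.svc.example-cloud.com.
events-2019    IN CNAME events2019.example-events.org.       ; domain expired
admissions     IN CNAME www
mail           IN MX    10 mail.example.edu.
"""


@dataclass(frozen=True)
class Cname:
    owner: str   # the university-controlled name, e.g. provost.example.edu.
    target: str  # the canonical name it aliases, fully qualified


def _fqdn(name: str, origin: str) -> str:
    """Qualify a zone-file name against $ORIGIN (trailing dot = absolute)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}" if origin != "." else f"{name}."


def parse_cnames(zone_text: str) -> list[Cname]:
    """Pull every CNAME out of a zone file, qualifying owner and target."""
    origin, last_owner, found = ".", "@", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # strip comments and padding
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):          # $TTL and other directives
            continue
        if raw[0].isspace():                   # blank owner = previous owner
            owner, rdata = last_owner, tokens
        else:
            owner, rdata = tokens[0], tokens[1:]
        last_owner = owner
        if "CNAME" in rdata:
            target = rdata[rdata.index("CNAME") + 1]
            found.append(Cname(_fqdn(owner, origin), _fqdn(target, origin)))
    return found


Resolver = Callable[[str], Optional[list[str]]]


def system_resolver(name: str) -> Optional[list[str]]:
    """Resolve with the OS stub resolver; None means the name does not resolve."""
    try:
        infos = socket.getaddrinfo(name.rstrip("."), None)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def find_dangling(zone_text: str, resolve: Resolver = system_resolver) -> list[Cname]:
    """CNAMEs whose target resolves to nothing: claimable by whoever registers it."""
    return [c for c in parse_cnames(zone_text) if resolve(c.target) is None]


def find_external(zone_text: str, trusted_suffixes: Sequence[str]) -> list[Cname]:
    """CNAMEs whose target lies outside the zones you control; review each one.

    A target an attacker has already re-registered resolves normally, so
    find_dangling() alone misses it; this list is what a human must vet.
    """
    def trusted(target: str) -> bool:
        return any(target == s or target.endswith("." + s) for s in trusted_suffixes)
    return [c for c in parse_cnames(zone_text) if not trusted(c.target)]


def demo_resolver(name: str) -> Optional[list[str]]:
    """Constructed answers standing in for DNS so the example runs offline."""
    live = {
        "www.example.edu.": ["192.0.2.10"],
        "conversion-dev.svc.example-cloud.com.": ["203.0.113.7"],
    }
    return live.get(name)


if __name__ == "__main__":
    for c in find_dangling(SAMPLE_ZONE, demo_resolver):
        print(f"DANGLING  {c.owner} -> {c.target}")
    for c in find_external(SAMPLE_ZONE, ["example.edu."]):
        print(f"EXTERNAL  {c.owner} -> {c.target}")
```

<p>Two lists come out, and both matter. <code>find_dangling</code> flags aliases whose target currently resolves to nothing, which is exactly the state an attacker looks for before registering the domain or re-creating the cloud resource. <code>find_external</code> flags every alias that leaves the zones you control, because a target that has already been taken over resolves perfectly well and only a human comparing the list against current contracts and live projects will notice that the provider relationship ended. Delete the record, or re-point it at something you own, rather than waiting for the target to disappear.</p>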