Quick Facts
- Category: Science & Space
- Published: 2026-05-02 17:31:22
Recent research uncovered a disturbing trend: top university websites like berkeley.edu, columbia.edu, and washu.edu are serving explicit porn and malicious content. The culprit? Shoddy record-keeping by site administrators that allows scammers to hijack abandoned subdomains. This Q&A breaks down the issue, the method behind the attacks, and what can be done to fix it.
Why are top university websites showing porn?
Scammers are exploiting a common oversight: when universities create subdomains (like provost.washu.edu), they set up a CNAME record that links the subdomain to another server. When the subdomain is no longer needed, administrators often forget to delete the CNAME record. Attackers then claim the abandoned target the record still points to, so the subdomain resolves to their own servers filled with pornographic content or fake virus alerts. Because the university's domain is trusted, search engines still index these pages, exposing visitors to explicit material or scams. Essentially, it's a clerical error with serious consequences, as researcher Alex Shakhov found across hundreds of subdomains at 34+ universities.

How do scammers hijack a university subdomain?
The process is surprisingly simple. When a university creates a subdomain, it uses a CNAME record to map the subdomain to a third-party service (e.g., a content delivery network). When the service is decommissioned, the CNAME record remains active. Scammers monitor for these orphaned records, register the abandoned third-party domain themselves, and then host whatever they want—porn, malware, or phishing pages. The university’s subdomain then resolves to the scammer’s server without the university even knowing. This is called a subdomain takeover, and it exploits university IT teams' failure to maintain proper housekeeping.
Which universities were affected?
Researcher Alex Shakhov identified at least 34 universities with hijacked subdomains. Notable examples include the University of California, Berkeley (berkeley.edu), Columbia University (columbia.edu), and Washington University in St. Louis (washu.edu). Specific hijacked subdomains included causal.stat.berkeley.edu (showing porn videos), conversion-dev.svc.cul.columbia.edu (redirecting to a porn site), and provost.washu.edu (hosting a PDF with explicit content). Google searches returned thousands of indexed pages from these hijacked subdomains, meaning the problem is far from isolated. The full scope likely covers many more institutions across the globe.
What is a CNAME record and how does it enable this attack?
A CNAME (Canonical Name) record is a type of DNS entry that maps one domain name (the alias) to another (the canonical domain). For example, a university might create a CNAME like 'events.berkeley.edu' pointing to 'berkeley.eventserv.com'—a third-party service. When the service is shut down but the CNAME is not removed, the alias still exists in DNS. Attackers can then re-register 'eventserv.com' (if it expires) and take control of the subdomain. In essence, the CNAME record acts like a forwarding address that never got canceled, allowing criminals to move into the abandoned digital property.
Who is behind these attacks?
While the exact individuals remain unidentified, security researchers link this campaign to a known threat group tracked as Hazy Hawk. This group specializes in subdomain takeovers, often for malvertising, SEO poisoning, and distributing malware. In this case, they are exploiting the forgotten CNAME records of university subdomains to host porn and fake tech support scams. Their motivation appears to be financial: the porn sites generate ad revenue, and the fake virus warnings (like “pay $50 to remove non-existent malware”) trick visitors into paying. The use of high-authority .edu domains helps their pages rank in search results, maximizing exposure to potential victims.

What are the risks beyond viewing porn?
Visitors to these hijacked pages face more than just explicit content. At least one scam page falsely claimed the visitor's computer was infected with malware and demanded a fee for removal—a classic tech support scam. Clicking links could lead to actual malware downloads, phishing pages, or unwanted adware. Additionally, the university's reputation suffers, as students, faculty, and the public lose trust in official communications. Search engines may also blacklist the domain entirely, affecting legitimate university services and email deliverability. The cybersecurity risk is real: this is a vector for distributing ransomware, trojans, or stealing credentials.
How can universities prevent subdomain hijacking?
The fix is straightforward but requires diligent housekeeping. IT administrators should regularly audit all DNS records, especially CNAME entries, to ensure every subdomain still points to an active, owned service. They should:
- Maintain a list of all subdomains and their intended services.
- Remove DNS records immediately when a third-party service is decommissioned or the subdomain is no longer needed.
- Use CAA records to restrict which certificate authorities can issue TLS certificates for their domains, making it harder for attackers to set up HTTPS.
- Monitor for suspicious DNS changes or reports of unusual content appearing on known subdomains.
Automated scanning tools can help identify orphaned CNAME records before attackers exploit them. Proactive maintenance is the key.
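The audit described in the list above can be scripted. This is an added example, not code from the article or from the researcher: it compares a zone's exported CNAME records against an owner-maintained inventory of intended services and flags records whose target no longer resolves. The hostnames, inventory and DNS answers are constructed for the demo, and the resolver is injected so the check runs offline (a real DNS library would be plugged in for production use).

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Resolver returns the target's addresses, or None when the name does not
# resolve (NXDOMAIN). Injected so the audit runs offline; plug in a real
# DNS library such as dnspython in production.
Resolver = Callable[[str], Optional[set]]

@dataclass
class Finding:
    alias: str
    target: str
    reason: str

def audit_cnames(cnames: dict, inventory: dict, resolve: Resolver) -> list:
    """Flag CNAME records that should be reviewed or removed.

    cnames:    {alias -> canonical target} as exported from the zone
    inventory: {alias -> "active" | "decommissioned"} kept by the owners
    """
    findings = []
    for alias, target in sorted(cnames.items()):
        status = inventory.get(alias)
        if status is None:
            findings.append(Finding(alias, target, "not in inventory"))
        elif status == "decommissioned":
            findings.append(Finding(alias, target, "service decommissioned, record still present"))
        if resolve(target) is None:
            # Target no longer resolves: the dangling CNAME a third party can
            # claim by registering or re-creating the target name.
            findings.append(Finding(alias, target, "target does not resolve (dangling)"))
    return findings

# Constructed sample data (hypothetical names, not from the article).
SAMPLE_CNAMES = {
    "events.example.edu": "events.example-hosting.test",
    "provost.example.edu": "old-cms.example-vendor.test",
    "stats.example.edu": "stats-site.example-cdn.test",
}
SAMPLE_INVENTORY = {"events.example.edu": "active",
                    "provost.example.edu": "decommissioned"}
SAMPLE_DNS = {"events.example-hosting.test": {"192.0.2.10"},
              "stats-site.example-cdn.test": {"192.0.2.20"}}

def stub_resolve(name: str) -> Optional[set]:
    return SAMPLE_DNS.get(name)

if __name__ == "__main__":
    for f in audit_cnames(SAMPLE_CNAMES, SAMPLE_INVENTORY, stub_resolve):
        print(f"{f.alias} -> {f.target}: {f.reason}")
```

Run on a schedule against a zone export, the "dangling" and "decommissioned" findings are the records to delete first, since those are the ones an outsider could claim.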
How widespread is the problem?
According to Alex Shakhov's research, the issue is extensive: hundreds of subdomains at over 30 universities are currently being abused. Google search results listed thousands of hijacked pages, suggesting that many more exist but remain undiscovered. The practice is not limited to universities—any organization that creates many subdomains and fails to clean up afterwards is vulnerable. However, universities are prime targets because of their high page rank (the .edu TLD is trusted by search engines) and the frequent creation of short-lived subdomains for conferences, courses, or projects. Without systemic change in DNS management, these attacks will continue.