Scammers Hijack Subdomains of Top Universities to Serve Porn and Malware

Berkeley, Columbia and dozens of other elite institutions affected by DNS housekeeping failures

By Zotpaper
Hundreds of subdomains belonging to at least 34 of the world's most prestigious universities — including UC Berkeley, Columbia University, and Washington University in St. Louis — have been hijacked by scammers to serve explicit pornography and malicious content, a cybersecurity researcher revealed this week, exposing a systemic failure in how institutions manage their web infrastructure.

Cybersecurity researcher Alex Shakhov, founder of SH Consulting, disclosed that scammers have exploited dormant DNS records across dozens of elite university websites to host explicit material and scam pages under the trusted .edu domains of some of America's most recognisable academic institutions.

Affected subdomains include addresses on berkeley.edu, columbia.edu, and washu.edu — the official domains for the University of California, Berkeley, Columbia University, and Washington University in St. Louis respectively. Pages discovered under these domains range from explicit pornographic content to fake security alerts falsely warning visitors that their computers are infected and directing them to pay fees for non-existent malware removal. Google's search index has listed thousands of such hijacked pages.

A Simple Clerical Error with Serious Consequences

The vulnerability stems from routine administrative oversight rather than a sophisticated technical breach. When a university points a subdomain at an external hosting service or platform, it typically creates a CNAME (Canonical Name) record: a DNS entry that aliases the subdomain to a hostname owned by that provider. When the subdomain is later decommissioned, as frequently happens when projects end or services change, administrators often cancel the hosted service or remove the content but neglect to delete the CNAME record that still points at it.

This orphaned record creates what security professionals call a "dangling DNS" entry: a pointer that still exists in the university's zone but resolves to a hosting endpoint the university no longer controls. Scammers, including a group separately identified by threat intelligence firm Infoblox as "Hazy Hawk," systematically scan for these abandoned records and claim the now-vacant endpoint at the hosting provider (or register the target domain outright if it has lapsed), effectively taking over the subdomain without ever touching the university's own systems.

Once claimed, the hijacked subdomain carries the full authority and search engine credibility of its parent .edu domain — making the malicious content far more likely to appear in search results and be trusted by unsuspecting users.

Scale of the Problem

Shakhov's research identified hundreds of compromised subdomains across at least 34 universities. The breadth of the problem suggests this is not an issue isolated to a handful of poorly managed institutions, but rather a widespread failure of DNS hygiene affecting even institutions with substantial IT resources.

The .edu top-level domain is particularly valuable to scammers because it carries an implicit air of academic legitimacy and tends to rank highly in search engine results. Search engines like Google generally extend greater trust to established educational domains, meaning hijacked pages can surface prominently for users searching for unrelated content.

The universities named in the report had not publicly commented at the time of publication. It is unclear how long the hijacked subdomains had been active before Shakhov's discovery, or how many users may have encountered the malicious content.


Analysis

Why This Matters

  • Hijacked .edu subdomains can appear high in Google search results, meaning everyday users — including students and researchers — may unknowingly encounter pornographic or malicious content while conducting legitimate searches.
  • The scam pages include fake virus warnings designed to extort money from visitors, representing a direct financial threat to users who trust the apparent legitimacy of a university web address.
  • The scale of the problem — 34 universities, hundreds of subdomains — suggests this is a systemic industry-wide failure, not an isolated incident, and similar vulnerabilities likely exist in government and corporate domains.

Background

Dangling DNS vulnerabilities have been a known cybersecurity risk for over a decade. As organisations grow their web presence and adopt cloud services, the number of subdomains they manage can run into the hundreds or thousands. When projects conclude, teams disband, or vendors change, the associated DNS records are frequently left in place — a problem sometimes described as "subdomain sprawl."

The threat actor group Hazy Hawk, identified by Infoblox as being linked to this campaign, is a known actor that specialises in identifying and exploiting abandoned cloud resources and DNS records at scale. Rather than breaking into systems, the group's method relies entirely on finding infrastructure that organisations have effectively abandoned but not formally relinquished.

The .edu domain space is administered by Educause, a non-profit that restricts registration to accredited post-secondary institutions in the United States. This restriction historically gave .edu addresses a strong reputation for trustworthiness, making them a particularly attractive target for abuse when vulnerabilities arise.

Key Perspectives

Security Researchers: Alex Shakhov and the team at Infoblox argue this is a preventable problem. Standard DNS auditing practices — regularly reviewing CNAME records and removing entries that point to unregistered or unclaimed resources — would close the window of opportunity exploited by groups like Hazy Hawk.
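The following Python script is an added example, not code from Shakhov, Infoblox or any university, that implements the audit described in this section for the "dangling DNS" mechanism explained earlier: it parses CNAME records out of a zone file and flags targets that no longer resolve, distinguishing a target whose whole apex domain has lapsed (registrable by anyone) from a hostname a still-live provider has released (claimable only if that provider lets any customer bind it). The zone fragment, hostnames, and resolver answers are constructed for illustration; the `live_resolver` helper shows how to plug in the system resolver for a real audit.

```python
"""Audit a DNS zone for dangling CNAME records (added example, not the page's code).

A CNAME is flagged as dangling when its target no longer resolves. Two cases are
separated because they have different takeover risk:
  * the target's apex domain does not resolve at all: it may be unregistered,
    and anyone could register it and answer for the target;
  * only the target hostname is gone while the provider's apex still resolves:
    the provider released the name, which is claimable if it allows customers
    to bind arbitrary hostnames.
All names below are made up; the resolver answers are constructed test data.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]


@dataclass
class Finding:
    name: str    # the owner record in our zone (the hijackable subdomain)
    target: str  # the CNAME target that no longer resolves
    reason: str


# Constructed BIND-style zone fragment (hypothetical example.edu records).
SAMPLE_ZONE = """
; constructed sample records under example.edu
www.example.edu.         3600 IN A     192.0.2.10
alumni.example.edu.      3600 IN CNAME alumni-site.hosting-provider.example.
oldproject.example.edu.  3600 IN CNAME oldproject.hosting-provider.example.
events.example.edu.      3600 IN CNAME events.example.edu.pages.defunct-vendor.example.
mail.example.edu.        3600 IN MX    10 mx1.example.edu.
"""

# Constructed resolver answers: name -> address, missing name == NXDOMAIN.
# oldproject.hosting-provider.example is absent (vendor released the hostname);
# defunct-vendor.example is absent entirely (apex domain lapsed).
SAMPLE_ANSWERS = {
    "alumni-site.hosting-provider.example": "203.0.113.5",
    "hosting-provider.example": "203.0.113.1",
}


def parse_cnames(zone_text: str) -> Dict[str, str]:
    """Return {owner: target} for every CNAME line, ignoring comments."""
    cnames: Dict[str, str] = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # Handles "owner TTL class CNAME target" and "owner class CNAME target".
        if "CNAME" in fields:
            idx = fields.index("CNAME")
            owner = fields[0].rstrip(".").lower()
            target = fields[idx + 1].rstrip(".").lower()
            cnames[owner] = target
    return cnames


def registrable_domain(name: str) -> str:
    """Naive apex extraction (last two labels). A production audit should use
    the Public Suffix List so names like foo.co.uk are handled correctly."""
    return ".".join(name.split(".")[-2:])


def find_dangling(cnames: Dict[str, str], resolve: Resolver) -> List[Finding]:
    """Flag CNAMEs whose target no longer resolves, classified by apex status."""
    findings: List[Finding] = []
    for owner, target in cnames.items():
        if resolve(target) is not None:
            continue  # target still resolves; not dangling by this test
        if resolve(registrable_domain(target)) is None:
            reason = "target apex does not resolve: domain may be unregistered and claimable"
        else:
            reason = "target hostname does not resolve: provider may have released it"
        findings.append(Finding(owner, target, reason))
    return findings


def sample_resolver(name: str) -> Optional[str]:
    """Offline stand-in for DNS, backed by the constructed answers above."""
    return SAMPLE_ANSWERS.get(name)


def live_resolver(name: str) -> Optional[str]:
    """System stub resolver; None when the name does not resolve."""
    try:
        return socket.getaddrinfo(name, None)[0][4][0]
    except socket.gaierror:
        return None


def audit_sample() -> List[Finding]:
    """Run the audit over the constructed zone with the offline resolver."""
    return find_dangling(parse_cnames(SAMPLE_ZONE), sample_resolver)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.name} -> {f.target}: {f.reason}")
```

An NXDOMAIN on the target is a strong signal but not proof of exposure in either direction: some providers keep an address record for released names and serve an "unclaimed" placeholder page, so a target that still resolves may still be claimable, and a released hostname on a provider that verifies domain ownership is not. A complete audit pairs this resolution check with an HTTP fetch of each target and a per-provider fingerprint of the unclaimed response, and then deletes or re-points every record that fails.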

Universities and IT Administrators: Large institutions managing thousands of subdomains across numerous departments face genuine logistical challenges in maintaining comprehensive DNS records. Without centralised oversight and automated auditing tools, orphaned records can easily go unnoticed for months or years, particularly when staff turnover occurs.

Critics/Skeptics: Some cybersecurity professionals argue that search engines like Google bear partial responsibility, noting that algorithms could be more aggressive in detecting and flagging anomalous content appearing under otherwise reputable domains. Others point out that cloud service providers could also do more to prevent unverified parties from claiming resources previously associated with established organisations.

What to Watch

  • Whether Google and other search engines update their crawlers and ranking signals to more rapidly detect and deindex hijacked subdomain content under trusted domains.
  • How quickly the named universities and others identified in Shakhov's research remediate their orphaned CNAME records, and whether Educause issues sector-wide guidance.
  • Whether Hazy Hawk or similar groups expand this technique to government (.gov) or other high-trust top-level domains, which would significantly escalate the public risk.

Sources


Zotpaper

Articles published under the Zotpaper byline are synthesized from multiple source publications by our AI editor and reviewed by our editorial process. Each story combines reporting from credible outlets to give readers a balanced, comprehensive view.