Top university websites serve porn due to poor security hygiene

Summary
– Prestigious university websites (berkeley.edu, columbia.edu, washu.edu) were found serving explicit porn and malicious content after scammers exploited poor record-keeping.
– Researcher Alex Shakhov discovered that hundreds of subdomains for at least 34 universities are being abused, with Google returning thousands of hijacked pages.
– The scammers, linked to the group Hazy Hawk, exploit decommissioned subdomains whose CNAME records were never removed by site administrators.
– When a subdomain expires, scammers register the base domain name and redirect it to their own content, including explicit pornography and scam sites.
– One hijacked page falsely claims a visitor’s computer is infected and demands payment to remove non-existent malware.
Some of the world’s most respected universities are unwittingly hosting explicit pornography and malicious content on their official websites. The cause, according to a security researcher, is not a sophisticated hack but a simple failure in basic digital housekeeping.
Domains belonging to UC Berkeley (berkeley.edu), Columbia University (columbia.edu), and Washington University in St. Louis (washu.edu) have been compromised. Hijacked subdomains, such as causal.stat.berkeley.edu and conversion-dev.svc.cul.columbia.edu, now redirect users to pornographic videos and, in at least one case, a fraudulent tech support scam that falsely claims a visitor’s computer is infected and demands payment for removal. Researcher Alex Shakhov of SH Consulting reports that hundreds of subdomains across at least 34 universities are being abused, with Google search results listing thousands of these compromised pages.
The vulnerability is surprisingly mundane. When university administrators commission a subdomain, they create a CNAME record that maps the subdomain's hostname to another domain name. When the subdomain is decommissioned, a routine event for temporary projects or expired services, the record is often left behind. This dangling CNAME record becomes a target. Scammers, including a group known as Hazy Hawk, simply register the expired domain name at the base of the old target, effectively taking control of the university’s subdomain.
The result is a serious reputation and security risk for these institutions. A visitor expecting academic resources instead encounters explicit material or a scam site, damaging trust and potentially exposing users to malware. The problem highlights a widespread lack of DNS hygiene and subdomain management among even the most prestigious organizations. The fix is straightforward: systematically audit and remove outdated CNAME records. But the scale of the issue suggests that many universities are not paying close attention to what their digital properties are serving.
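One way to start the audit called for above, as an added example that is not code from the article or from SH Consulting: a small Python checker that flags CNAME records whose target's base domain no longer resolves. The zone records, the hostnames and the two-label base-domain rule are constructed assumptions for illustration.

```python
import socket
from typing import Callable, List, Tuple

# Constructed sample zone export (subdomain, CNAME target). The names are
# illustrative placeholders, not the records the article describes.
SAMPLE_CNAMES: List[Tuple[str, str]] = [
    ("project-a.example.edu", "projecta-site.some-host.example"),
    ("stats-old.example.edu", "lapsed-vendor.example"),
    ("www.example.edu", "cdn.example.net"),
]


def base_domain(hostname: str) -> str:
    """Naive registrable domain: the last two labels of the name.

    Assumption for this example only; a real audit should use the Public
    Suffix List so names under suffixes such as co.uk are split correctly.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def live_resolver(name: str) -> bool:
    """True if the name currently resolves to an address (network lookup)."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def find_dangling(
    cnames: List[Tuple[str, str]],
    resolver: Callable[[str], bool] = live_resolver,
) -> List[Tuple[str, str, str]]:
    """Return (subdomain, target, base) for every CNAME whose target's base
    domain fails to resolve: the lead the article describes, where the name
    the record points at may have lapsed. Confirm hits via WHOIS/RDAP."""
    findings = []
    for subdomain, target in cnames:
        base = base_domain(target)
        if not resolver(base):
            findings.append((subdomain, target, base))
    return findings


if __name__ == "__main__":
    for sub, target, base in find_dangling(SAMPLE_CNAMES):
        print(f"DANGLING? {sub} -> {target} ({base} does not resolve)")
```

A non-resolving base domain is only a lead: a registered domain with no address record also fails the lookup, so each hit should be confirmed before the record is removed or re-pointed.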
(Source: Ars Technica)