
Hundreds of University Subdomains Hijacked to Host Porn and Malware Due to Poor DNS Housekeeping

Hundreds of university subdomains were hijacked to host porn and malware after administrators left stale DNS records in place. Learn how the attack works and what defenders should do.

By Peter Olaleru, Cybersecurity Editor (3 min read, US)


Source: Ars Technica (original reporting)

TL;DR: Hundreds of subdomains from at least 34 U.S. universities were hijacked to serve pornography and malware after administrators left dangling CNAME records in place. Attackers registered the lapsed domains those records pointed to and directed the traffic to malicious servers.

Context: The hijacking campaign was uncovered by researcher Alex Shakhov of SH Consulting, who noted that scammers linked to the threat group Hazy Hawk are taking advantage of clerical errors in DNS record management. When a subdomain is decommissioned, its CNAME record often remains in the zone; once the domain that record points to lapses, anyone can register it and receive the traffic still aimed at the university's subdomain.

Key Facts: Shakhov reported hundreds of abusive subdomains across institutions such as berkeley.edu, columbia.edu, and washu.edu. Google search results reveal thousands of compromised pages, including explicit video links and fake tech‑support scams that claim a visitor’s computer is infected and demand payment for non‑existent fixes.

What It Means: The abuse leverages a classic subdomain takeover technique (MITRE ATT&CK T1087.003) that relies on stale DNS records rather than software vulnerabilities. No specific CVE is involved; the risk stems from operational gaps in DNS lifecycle management.

Mitigations: Organizations should conduct regular DNS audits to identify and delete orphaned CNAME records, implement automated alerts for record changes, enforce strict subdomain retirement procedures, and consider using DNS monitoring services that flag dangling references. Enforcing DNSSEC and maintaining an inventory of all subdomains can further reduce exposure.
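As an added example (not code from the article, the researcher, or the affected institutions), the script below performs the DNS audit described above: it parses CNAME records from a zone fragment and flags targets whose registrable domain is unregistered, or whose hostname no longer resolves inside a live domain. The zone fragment and resolver answers are constructed placeholders, the resolver is injected so the check runs offline, and the registrable-domain helper assumes the last two labels form the registrable domain.

```python
import re

# Constructed zone fragment; every name here is a placeholder, not a real host.
SAMPLE_ZONE = """
; stale records left behind when sites were decommissioned
events.example.edu.   3600 IN CNAME oldconf.example-host.net.
www.example.edu.      3600 IN CNAME www-example.cdn-vendor.example.
alumni.example.edu.   3600 IN CNAME alumni-portal.example.edu.
"""

# Constructed answers standing in for a live resolver: None means NXDOMAIN.
CONSTRUCTED_DNS = {
    ("example-host.net", "NS"): None,               # registration lapsed
    ("cdn-vendor.example", "NS"): ["ns1.cdn-vendor.example"],
    ("www-example.cdn-vendor.example", "A"): None,  # tenant deprovisioned at provider
    ("example.edu", "NS"): ["ns1.example.edu"],
    ("alumni-portal.example.edu", "A"): ["192.0.2.10"],
}

CNAME_RE = re.compile(r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(?P<target>\S+)", re.I)

def parse_cnames(zone_text):
    """Return (owner, target) pairs from zone-file text, comments stripped."""
    records = []
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.split(";")[0].strip())
        if m:
            records.append((m["name"].rstrip(".").lower(),
                            m["target"].rstrip(".").lower()))
    return records

def registrable_domain(fqdn):
    # Assumption: last two labels; a real audit should consult the Public Suffix List.
    return ".".join(fqdn.split(".")[-2:])

def constructed_resolve(name, rtype):
    """Stand-in resolver over the constructed table; swap in a real DNS client in production."""
    return CONSTRUCTED_DNS.get((name, rtype))

def audit(records, resolve):
    """resolve(name, rtype) -> answers, or None on NXDOMAIN. Returns dangling findings."""
    findings = []
    for owner, target in records:
        if resolve(registrable_domain(target), "NS") is None:
            # Whole target domain is unregistered: anyone could buy it and serve content.
            findings.append((owner, target, "TARGET_DOMAIN_UNREGISTERED"))
        elif resolve(target, "A") is None:
            # Domain exists but the host is gone: a reclaimable provider-side name.
            findings.append((owner, target, "TARGET_NXDOMAIN"))
    return findings
```

Records in the first category are the ones behind this campaign and should be deleted immediately; the second category warrants a ticket to confirm the provider-side name is still owned by the institution.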

Watch for: Continued scanning of university DNS zones by threat actors and potential expansion of similar hijacks to other sectors with large, decentralized web presences.
