Cybersecurity · 1 hr ago

Hundreds of University Subdomains Hijacked for Porn and Malware

Researchers found hundreds of subdomains from 34 US universities serving explicit porn and malware after attackers exploited dangling CNAME records.

Peter Olaleru · 3 min · US

Cybersecurity Editor



Source: Ars Technica. Open original reporting

TL;DR: Hundreds of subdomains belonging to at least 34 US universities are serving pornographic pages and malware after attackers took over the lapsed external domains that dangling CNAME records still pointed to. Affected subdomains sit under berkeley.edu, columbia.edu and washu.edu, and Google has indexed thousands of the malicious pages.

Context: When a university stands up a subdomain on an external service, administrators typically add a CNAME record pointing the subdomain at the provider's hostname. If that external service is later cancelled or its domain expires but the CNAME is left in place, the record dangles: whoever registers the lapsed domain (or claims the released hosting resource) now controls what the university subdomain serves, under the trusted university name.

Key Facts: Researcher Alex Shakhov reported that hundreds of subdomains across at least 34 universities have been abused. The affected institutions include the University of California, Berkeley, Columbia University, and Washington University in St. Louis. Google search results surface thousands of hijacked pages under those domains, some serving pornography and others pushing fake tech-support scams.

What It Means: The abuse undermines the reputation of respected academic institutions and exposes visitors to unwanted explicit content and potential fraud. It also highlights a recurring gap in DNS hygiene that can be exploited for broader campaigns, including malware distribution or phishing.

Mitigations: Administrators should audit DNS zones regularly and remove CNAME records whose targets no longer resolve or whose registrable domain is no longer held by a current vendor. Automated subdomain monitoring can alert teams when a record points to an external domain that no longer resolves to university-controlled infrastructure; an NXDOMAIN answer for a CNAME target is the simplest signal that the record is claimable. Change management for decommissioning a service should include deleting its DNS records, not just cancelling the contract. Defenders can also deploy detection signatures for known malicious payloads hosted on university subdomains and share indicators via trusted information-sharing groups, but removing the dangling record is the fix; blocking payloads only treats the symptom.
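One way to run the audit described in the Context and Mitigations sections, as an added example that is not code from the original reporting or from any of the affected universities: given a CNAME listing and a resolver, flag records whose final target no longer resolves (the claimable case), separate those from records that resolve to a third-party service and merely need a contract check, and follow in-zone CNAME chains so a record that points at another dangling record is caught too. The zone, the resolver answers, the `example.edu` suffix and the `192.0.2.0/24` network are constructed assumptions.

```python
"""Dangling-CNAME audit for a zone export.

Added example; not code from the original report or from the affected
universities. The zone, resolver answers, trusted suffixes and trusted
networks below are constructed assumptions for an offline demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Constructed CNAME records (owner name -> target), standing in for a zone
# export or a DNS provider API listing.
ZONE_CNAMES = {
    "events.example.edu": "events-site.old-vendor.example.net",
    "library.example.edu": "web.example.edu",
    "alumni.example.edu": "alumni-portal.saas-example.com",
    "legacy.example.edu": "events.example.edu",  # in-zone chain that ends dangling
}

# Constructed resolver answers: name -> A records, or None for NXDOMAIN.
RESOLVER_FIXTURE = {
    "web.example.edu": ["192.0.2.10"],
    "alumni-portal.saas-example.com": ["203.0.113.5"],
    "events-site.old-vendor.example.net": None,
}

TRUSTED_SUFFIXES = ("example.edu",)           # assumption: the university's own zones
TRUSTED_NETS = [ip_network("192.0.2.0/24")]  # assumption: university-controlled addresses


@dataclass
class Finding:
    name: str
    target: str    # final CNAME target after following in-zone chains
    status: str    # "ok", "dangling" or "external"
    reason: str


def fixture_resolve(name: str) -> Optional[list[str]]:
    """Offline resolver stand-in: returns A records, or None for NXDOMAIN."""
    return RESOLVER_FIXTURE.get(name)


def live_resolve(name: str) -> Optional[list[str]]:
    """Real resolver for a live audit (not used in the offline demo).

    socket.gaierror also covers transient failures, so in production
    retry a few times before treating a name as NXDOMAIN.
    """
    import socket
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return None


def is_trusted_name(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in TRUSTED_SUFFIXES)


def is_trusted_ip(addr: str) -> bool:
    return any(ip_address(addr) in net for net in TRUSTED_NETS)


def audit_cnames(zone: dict[str, str],
                 resolve: Callable[[str], Optional[list[str]]],
                 max_hops: int = 8) -> list[Finding]:
    """Classify every CNAME in the zone by where its final target ends up."""
    findings = []
    for name, target in sorted(zone.items()):
        final, hops = target, 0
        # Follow chains that stay inside our own zone so we judge the real endpoint.
        while final in zone and hops < max_hops:
            final, hops = zone[final], hops + 1
        addrs = resolve(final)
        if addrs is None:
            reason = ("target does not resolve; if its registrable domain is free or "
                      "the hosting resource was released, an outsider can claim it"
                      if not is_trusted_name(final)
                      else "target does not resolve but is in our own zone; fix or remove")
            findings.append(Finding(name, final, "dangling", reason))
        elif is_trusted_name(final) or (addrs and all(is_trusted_ip(a) for a in addrs)):
            findings.append(Finding(name, final, "ok",
                                    "resolves to university-controlled infrastructure"))
        else:
            findings.append(Finding(name, final, "external",
                                    "resolves to third-party infrastructure; confirm the "
                                    "service is still contracted and the resource still ours"))
    return findings


if __name__ == "__main__":
    for f in audit_cnames(ZONE_CNAMES, fixture_resolve):
        print(f"{f.status:9s} {f.name} -> {f.target}: {f.reason}")
```

For a live run, pass `live_resolve` instead of `fixture_resolve` and feed the real zone export. Two follow-ups are deliberately left out: checking whether a dangling target's registrable domain is actually available (which needs a public suffix list plus an RDAP or WHOIS lookup), and checking whether a released cloud resource name can be re-created, since both depend on the provider.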

What to watch next: Expect threat actors to refine the tactic by targeting other organizations with lax DNS practices, and monitor for increased use of hijacked academic domains in spam or malware distribution campaigns.

