iToverDose / Technology · 24 APRIL 2026 · 21:01

Universities struggle with abandoned subdomains fueling porn scams

Prestigious universities like UC Berkeley and Columbia are unintentionally hosting explicit content and malicious sites due to neglected domain records. A security researcher found hundreds of hijacked subdomains linked to scam campaigns.

Ars Technica

Public websites for some of the world’s leading universities have become unwitting gateways for explicit content and malicious schemes, all due to a persistent oversight in digital housekeeping. A recent investigation revealed that subdomains under domains such as berkeley.edu, columbia.edu, and washu.edu are redirecting visitors to pornographic and fraudulent pages. These hijacked routes appear to exploit outdated or abandoned subdomains that administrators failed to properly deactivate.

Cybersecurity researcher Alex Shakhov, who uncovered this pattern, noted that the scale of the issue extends beyond isolated incidents. According to his findings, at least 34 universities have had hundreds of their subdomains compromised in this manner. Search engine results further expose the scope, with thousands of hijacked pages surfaced by Google alone. In one case, a hijacked University of California, Berkeley subdomain led to a fraudulent site claiming a user’s device was infected with malware and demanding payment for a bogus cleanup.

How expired subdomains become weapons for scammers

The mechanism behind these breaches hinges on a common administrative oversight: the mishandling of CNAME records. When universities create a subdomain like provost.washu.edu, they generate a CNAME record to link that subdomain to the server hosting its content. However, once the subdomain is no longer needed—whether due to project completion, restructuring, or other reasons—the record often remains in place. Scammers monitor these dormant entries and register the expired subdomains as soon as they become available.

Shakhov’s analysis suggests the operation may be linked to a known fraudulent group identified as Hazy Hawk. This group has been previously documented by threat intelligence platforms for deploying similar tactics across multiple sectors. By repurposing abandoned university subdomains, Hazy Hawk and other actors can lend an air of legitimacy to their scams, exploiting the trust associated with prestigious academic institutions.

The broader implications of digital hygiene failures

University websites are not alone in facing this challenge. Organizations across sectors frequently struggle with maintaining accurate domain infrastructure, leaving gaps that malicious actors exploit with ease. The consequences extend beyond reputational damage; compromised subdomains can serve as entry points for phishing campaigns, malware distribution, and other cyber threats. In the case of universities, the impact is magnified by their public-facing nature and the high traffic to their domains.

Experts emphasize that proactive domain management is critical to mitigating such risks. Regular audits of DNS records, prompt removal of unused subdomains, and monitoring for suspicious registrations can significantly reduce exposure. Yet, as the current situation demonstrates, many institutions still fall short in implementing these basic safeguards.

What universities can do to reclaim control

Institutions looking to address this issue should prioritize a structured approach to domain governance. This includes establishing clear protocols for subdomain creation and decommissioning, automating DNS record cleanup, and implementing continuous monitoring for unauthorized changes. Collaboration between IT teams and security personnel is essential to ensure that no outdated paths remain open to exploitation.
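The DNS record audit described above can be automated. The following is an added example, not code from the article or from the researcher: it reads a BIND-style zone export, lists every CNAME whose target no longer resolves, and separately lists CNAMEs that point outside the institution's own domain so their ownership can be confirmed. The zone contents, the example.edu names and all function names are constructed for illustration.

```python
import socket

# Constructed sample zone export (BIND-style); names are placeholders, not real records.
SAMPLE_ZONE = """\
www.example.edu.      3600 IN CNAME web-prod.example.edu.
lab2019.example.edu.  3600 IN CNAME lab2019-site.hosting.example.net.  ; project ended
events.example.edu.   3600 IN CNAME events-app.hosting.example.net.
mail.example.edu.     3600 IN A     192.0.2.10
"""

def parse_cnames(zone_text):
    """Yield (owner, target) for every CNAME record in a BIND-style zone export."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "CNAME" in fields[:-1]:
            target = fields[fields.index("CNAME") + 1]
            yield fields[0].rstrip(".").lower(), target.rstrip(".").lower()

def system_resolves(hostname):
    """True if the local resolver returns any address for hostname."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False  # may also be a transient failure: re-check before acting

def audit(zone_text, own_domain, resolves=system_resolves):
    """Return (owner, target, status) for CNAMEs that need attention."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        internal = target == own_domain or target.endswith("." + own_domain)
        if not resolves(target):
            # Target is gone but the record still points at it.
            findings.append((owner, target, "DANGLING"))
        elif not internal:
            # Resolves today, but a third party controls the target: confirm
            # the resource is still claimed by the institution.
            findings.append((owner, target, "EXTERNAL-REVIEW"))
    return findings

if __name__ == "__main__":
    for owner, target, status in audit(SAMPLE_ZONE, "example.edu"):
        print(f"{status:16} {owner} -> {target}")
```

Run on a schedule against the authoritative zone export, a DANGLING result is a record to delete, and an EXTERNAL-REVIEW result is a record whose hosting account should be matched to a current owner.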

For the average user, the lesson is clear: exercise caution when encountering links from trusted domains, especially those leading to unexpected or suspicious content. While universities work to resolve these vulnerabilities, vigilance remains a key defense against falling victim to these deceptive practices.

As digital threats evolve, the responsibility to maintain robust online infrastructure grows increasingly urgent. Universities, in particular, must treat domain hygiene as a critical component of their cybersecurity strategy—not an afterthought.

AI summary

The spread of pornographic and harmful content on the websites of the world's leading universities came about because of negligence on the part of administrators. Cybersecurity experts explain the root of this problem and the proposed solutions.
