Hijacked University Domains Flooding the Web with Porn and Malware, Researcher Warns
Breaking: Prestigious University Websites Hijacked to Serve Explicit Porn and Scams
Hundreds of subdomains belonging to top universities including UC Berkeley, Columbia, and Washington University in St. Louis are being exploited to host explicit pornography and malicious scam sites, a new investigation reveals. The compromised pages, discovered by security researcher Alex Shakhov, redirect unsuspecting visitors to pornographic content and, in at least one case, a fake malware alert demanding payment.

The affected subdomains include examples such as causal.stat.berkeley.edu/ymy/video/xxx-porn-girl-and-boy-ej5210.html, conversion-dev.svc.cul.columbia[.]edu/brazzers-gym-porn, and provost.washu.edu/app/uploads/formidable/6/dmkcsex-10.pdf. These pages serve explicit material and, in the case of the WashU subdomain, a fraudulent site claiming the visitor’s computer is infected and urging them to pay a fee for non-existent malware removal.
According to Shakhov, founder of SH Consulting, the exploitation affects at least 34 universities, with hundreds of subdomains abused overall. Google search results currently list thousands of these hijacked pages, which continue to be indexed and accessible.
Background: The CNAME Record Loophole
The attack hinges on a simple clerical oversight by university IT administrators. When a department or project creates a subdomain—like provost.washu.edu—they assign a CNAME record linking it to a canonical domain. When the subdomain is decommissioned, the CNAME record is often left in place, forgotten.
“This is basically shoddy housekeeping,” Shakhov said. “Scammers like the group we track as Hazy Hawk scan for these orphaned records and hijack them, registering the subdomain to their own servers.”

Once hijacked, the subdomain—still bearing the university’s trusted domain name—becomes a vehicle for hosting any content the attacker desires, from pornography to phishing pages. Shakhov noted that the same group has been linked to similar hijacking campaigns targeting other organizations.
What This Means: University Trust Under Siege
The abuse of .edu domains carries severe consequences. Visitors who encounter a compromised subdomain may conclude that the university endorses the content or that the institution’s security is fundamentally weak. This erodes public trust and exposes users to explicit material and scams without warning.
“When someone clicks on a link that seems to come from a prestigious university, they trust it,” Shakhov explained. “Hijackers exploit that trust to push malware, adult content, and fake tech support schemes.”
University IT teams now face an urgent cleanup task: auditing all subdomains, removing orphaned CNAME records, and implementing ongoing monitoring. Without these steps, the hijacking will continue, and the list of affected schools could grow.
Shakhov has already notified the affected universities, but full remediation may take time. Meanwhile, users are advised to double-check any university subdomain before clicking and to avoid engaging with unexpected redirects.
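The audit step described above can be sketched as a script that reads a zone export, pulls out every CNAME record, and flags targets that no longer resolve or that sit outside the institution's own domain. This is an added example, not code from Shakhov or any affected university; the zone contents, the example.edu and example.net names, and the function names are constructed for illustration.

```python
import socket

# Constructed zone export (BIND-style lines); every name is a reserved example domain.
SAMPLE_ZONE = """\
; constructed records for example.edu
www.example.edu.     3600 IN A     192.0.2.10
lab.example.edu.     3600 IN CNAME lab-site.hosting.example.net.
events.example.edu.  3600 IN CNAME old-events.hosting.example.net.
news.example.edu.    3600 IN CNAME www.example.edu.
"""

def parse_cnames(zone_text):
    """Yield (owner, target) for each CNAME line, ignoring comments and other types."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        types = [f.upper() for f in fields]
        if "CNAME" in types[1:-1]:
            i = types.index("CNAME", 1)
            yield fields[0].rstrip(".").lower(), fields[i + 1].rstrip(".").lower()

def system_resolves(name):
    """True if the name resolves, False if it does not exist, None if the lookup failed."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror as exc:
        return False if exc.errno == socket.EAI_NONAME else None

def audit(zone_text, org_suffix, resolves=system_resolves):
    """Return (owner, target, status) for every CNAME that needs attention."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        internal = target == org_suffix or target.endswith("." + org_suffix)
        state = resolves(target)
        if state is False:
            findings.append((owner, target, "dangling"))   # orphaned: delete the record
        elif state is None:
            findings.append((owner, target, "unknown"))    # transient failure: retry
        elif not internal:
            findings.append((owner, target, "review"))     # confirm the resource is still yours
    return findings

if __name__ == "__main__":
    # Offline stub standing in for DNS; omit `resolves` to query the system resolver.
    stub = {"lab-site.hosting.example.net": True, "www.example.edu": True,
            "old-events.hosting.example.net": False}
    for owner, target, status in audit(SAMPLE_ZONE, "example.edu", stub.get):
        print(f"{status:9} {owner} -> {target}")
```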