Hrslive
2026-05-02

The Shocking Truth Behind University Domains Serving Porn: A Cybersecurity Oversight

Prestigious university websites are hijacked to serve porn due to unremoved CNAME records. Scammers exploit shoddy housekeeping, affecting at least 34 institutions. Researcher Alex Shakhov discovered the issue.

Imagine typing in a trusted university URL only to be greeted with explicit porn or a fake virus alert. This nightmare scenario is now a reality for visitors to subdomains of top universities like UC Berkeley, Columbia, and Washington University in St. Louis. According to cybersecurity researcher Alex Shakhov, this isn't a hack—it's a clerical error. Scammers are exploiting forgotten CNAME records left behind when subdomains are decommissioned, redirecting traffic to malicious content. The problem affects hundreds of subdomains across at least 34 universities worldwide, serving everything from pornography to tech support scams. Below, we break down the how, why, and what can be done.

How are scammers hijacking university subdomains to serve porn?

The technique relies on a simple oversight: when universities create subdomains (like provost.washu.edu), they set up a CNAME record pointing the subdomain to an external canonical domain. When the subdomain is no longer needed, administrators often delete the content but fail to remove the CNAME record. Scammers like the group tracked as Hazy Hawk scan for these orphaned records, then register the now-available canonical domain themselves. Once they control the destination, any traffic to the old subdomain—still directed by the CNAME—lands on their servers, which they fill with porn, malware, or fake tech support pages. To visitors, it looks like the university site is hosting the explicit material.

Source: feeds.arstechnica.com

Which universities are affected and how widespread is the issue?

Shakhov's research uncovered problematic subdomains at 34 universities, including some of the most prestigious names globally. Confirmed examples cited in his report include causal.stat.berkeley.edu, conversion-dev.svc.cul.columbia.edu, and provost.washu.edu. Other affected institutions range from large public universities to private research powerhouses. A quick Google search for hijacked pages returns thousands of results, indicating the scale is far larger than a handful of incidents. Many of these subdomains were originally created for temporary projects or departmental sites that have since been abandoned but never properly cleaned up. Because the CNAME records persist, the vulnerability remains exploitable indefinitely.

What kind of malicious content do visitors encounter?

Victims of these hijacked subdomains are exposed to at least two types of harmful content. The most common is explicit pornography, often via URLs containing phrases like "xxx-porn-girl-and-boy" or embedded video from adult sites such as Brazzers. In another case, a PDF file hosted on a Washington University subdomain redirects to a scam website that falsely claims the visitor's computer is infected with malware and demands payment to remove it. This is a classic tech support fraud. The combination of porn and scam pages creates a double threat: visitors may be traumatized by unexpected adult content, or they may fall for the fake virus alert and lose money. The university's trusted domain name is what gives these scams legitimacy.

Who is behind these attacks and what is their goal?

Shakhov's investigation, supported by other researchers, points to a group tracked as Hazy Hawk. This organized operation specializes in recycling forgotten DNS records to hijack high-authority domains. Their primary goal appears to be financial gain: porn sites generate ad revenue, and tech support scams directly trick users into paying fees. By using .edu domains, which have high search engine trust, they get better rankings and more traffic than if they used their own shady domains. It's a form of SEO abuse combined with domain squatting. The group methodically scans for CNAME records pointing to deleted or expired external domains, then registers those domains before anyone else does. The attack requires minimal technical skill once the scanning infrastructure is set up.


What can universities do to prevent this type of hijacking?

The fix is straightforward but demands rigorous housekeeping. University IT teams must inventory all subdomains and their DNS records, then promptly delete CNAME records when a subdomain is decommissioned. Regular audits using automated tools can scan for orphaned records that point to domains no longer under control. Additionally, universities should restrict who can create CNAME records and require approval workflows for all subdomain registrations. Some institutions have begun implementing DNSSEC to add a layer of authentication, though this doesn't directly address orphaned records. The most immediate action is for each affected university to contact the domain registrar and reclaim any hijacked subdomains by removing the old CNAME and possibly creating a placeholder record. Shakhov emphasizes that this is not sophisticated hacking—it's basic cyber hygiene being neglected.
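The audit described above, written here as an added example rather than anything from the article or Shakhov's research: it parses CNAME records out of a zone and flags each one whose target no longer resolves, which is the lapsed-domain condition the article describes. The zone excerpt and resolver answers are constructed; the variant where the target still resolves at a hosting provider but the resource behind it is unclaimed needs a provider-specific check that this script does not attempt.

```python
# Added example (not from the article): audit a zone for dangling CNAME records.
# A CNAME whose target no longer resolves is a takeover candidate: whoever
# registers the lapsed target domain inherits traffic to our subdomain. The
# resolver is injected so this runs offline against constructed data; in
# production pass a real lookup such as dnspython's dns.resolver.resolve.
from typing import Callable, Optional

# Constructed zone excerpt in BIND presentation format (all names are examples).
ZONE = """\
$ORIGIN example.edu.
www          IN CNAME  web-frontend.example.edu.
provost-old  IN CNAME  provost-site.decommissioned-host.example.
stats        IN CNAME  stats.cloud-provider.example.
library      IN A      192.0.2.10
"""

# Constructed resolver answers: name -> address; a missing key means NXDOMAIN.
# decommissioned-host.example. has lapsed, so its subdomains no longer resolve.
FAKE_DNS = {
    "web-frontend.example.edu.": "192.0.2.20",
    "stats.cloud-provider.example.": "198.51.100.5",
}


def parse_cnames(zone_text: str) -> list[tuple[str, str]]:
    """Return (owner, target) pairs, qualifying relative owners with $ORIGIN."""
    origin, pairs = "", []
    for line in zone_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(";"):
            continue  # blank line or comment
        if parts[0] == "$ORIGIN":
            origin = parts[1]
        elif "CNAME" in parts:
            owner = parts[0] if parts[0].endswith(".") else f"{parts[0]}.{origin}"
            pairs.append((owner, parts[parts.index("CNAME") + 1]))
    return pairs


def find_dangling(zone_text: str,
                  resolve: Callable[[str], Optional[str]]) -> list[tuple[str, str]]:
    """Return (owner, target) for every CNAME whose target fails to resolve."""
    return [(owner, target) for owner, target in parse_cnames(zone_text)
            if resolve(target) is None]


if __name__ == "__main__":
    for owner, target in find_dangling(ZONE, FAKE_DNS.get):
        print(f"DANGLING {owner} -> {target}: delete the record or reclaim the target")
```

Run against a real zone export, a dangling finding means either deleting the CNAME or, if the subdomain is still needed, re-pointing it at infrastructure the university controls.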

Are there any broader implications for internet security?

Yes, this issue highlights a fundamental weakness in how the internet trusts domain ownership. The CNAME hijacking technique works because DNS protocols assume that if a record exists, the domain owner still controls it. But when records are left behind, that assumption breaks. This flaw can be exploited not just for porn but for phishing, malware distribution, and brand impersonation at scale. Any organization—educational, governmental, or corporate—that fails to manage its DNS hygiene is vulnerable. The problem also shows that search engines like Google index these malicious pages quickly, making them accessible for days or weeks despite the explicit content. Greater collaboration between registrars, security researchers, and search engines is needed to detect and remove such abuse faster. In the meantime, users should be cautious when clicking links from university subdomains, even if the domain looks legitimate.