Scammers hijack university subdomains to serve porn

Scammers have exploited poor record-keeping at top universities to hijack hundreds of subdomains, serving explicit pornography and malicious scams. Researcher Alex Shakhov identified at least 34 affected institutions, including UC Berkeley, Columbia University, and Washington University in St. Louis. The vulnerabilities arise from unremoved DNS CNAME records for decommissioned subdomains.

Alex Shakhov, founder of SH Consulting, recently uncovered that scammers, linked by another researcher to the Hazy Hawk group, have taken over subdomains on official university websites. Examples include causal.stat.berkeley.edu hosting porn videos, conversion-dev.svc.cul.columbia.edu linking to explicit gym content, and provost.washu.edu serving a scam PDF that falsely claims the visitor's computer is infected. Google search results show thousands of such hijacked pages, which rank highly because they inherit the universities' reputations. Searches like site:berkeley.edu “xxx” reveal scores of these results, though some have been cleaned up recently.

Shakhov explained the root cause: organizations create DNS CNAME records for subdomains but fail to delete them after the service they point to is decommissioned. “The root cause is simple: organizations create DNS records and never clean them up. There is no expiry date on a CNAME record. Nobody gets an alert when the target stops responding. And most university IT departments don’t maintain a comprehensive inventory of their subdomains and where they point,” Shakhov wrote.

Universities' decentralized structures exacerbate the problem: departments and labs create subdomains independently, without a decommissioning process that retires the DNS records when a site is shut down. Shakhov recommends that organizations inventory all subdomains, audit for dangling records, and remove inactive CNAMEs.

Only a few affected universities have acted, and some still show indexed pages in search results despite fixes. Inquiries to UC Berkeley, Columbia, and Washington University received no responses.
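The audit Shakhov recommends, as an added example that is not part of the original article or Shakhov's own tooling: parse a BIND-style zone export, collect every CNAME, and flag records whose target no longer resolves. The zone text, hostnames and targets are constructed placeholders; the live check uses the standard library and can be swapped for a stub resolver when running offline.

```python
"""Audit a DNS zone export for dangling CNAME records (added example)."""
import socket
from typing import Callable, Dict, List

# Constructed sample zone export. The names are placeholders, not records
# from any real university zone; the .invalid targets stand in for
# decommissioned hosting or CDN endpoints.
SAMPLE_ZONE = """
; zone export, constructed for this example
$TTL 300
www.example.edu.            300 IN A     192.0.2.10
oldlab.stat.example.edu.    300 IN CNAME old-lab-site.example-hosting.invalid.
provost.example.edu.        300 IN CNAME provost-cdn.example-cdn.invalid.
blog.example.edu.           300 IN CNAME www.example.edu.
"""


def parse_cnames(zone_text: str) -> Dict[str, str]:
    """Return {owner: target} for every CNAME line in a BIND-style export.

    Assumes fully qualified owner names (trailing dot), which is what most
    zone exports emit; $ORIGIN handling is out of scope for this example.
    """
    cnames: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        # owner [ttl] [class] type rdata; the class is optional in some exports
        if "CNAME" in fields[1:-1]:
            owner = fields[0].rstrip(".").lower()
            target = fields[-1].rstrip(".").lower()
            cnames[owner] = target
    return cnames


def target_resolves(target: str) -> bool:
    """Live check: does the CNAME target still resolve to an address?"""
    try:
        socket.getaddrinfo(target, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(zone_text: str,
                  resolves: Callable[[str], bool] = target_resolves) -> List[str]:
    """Owners whose CNAME target no longer resolves.

    A non-resolving target is the first sign of a dangling record; whether it
    is claimable depends on the provider, so treat every hit as a record to
    remove or re-point rather than leave in place.
    """
    cnames = parse_cnames(zone_text)
    return sorted(owner for owner, target in cnames.items() if not resolves(target))


if __name__ == "__main__":
    for owner in find_dangling(SAMPLE_ZONE):
        print(f"dangling CNAME: {owner}")
```

Feed the output into a ticket for each record's owning department; the fix is to delete the CNAME or point it at infrastructure you still control.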
