8 Startling Revelations: How Top University Domains Are Being Hijacked for Porn and Scams

2026-05-03 11:47:37

When you think of prestigious university websites like berkeley.edu, columbia.edu, or washu.edu, you probably imagine academic resources, research papers, and campus news—not explicit pornography or scam warnings. Yet a recent investigation uncovered that hundreds of subdomains belonging to at least 34 top-tier institutions are serving just that. Researcher Alex Shakhov exposed how scammers, tracked as the Hazy Hawk group, exploit a mundane administrative oversight: abandoned CNAME records. In this listicle, we break down the eight key revelations behind this disturbing trend, from the mechanics of the hijacking to the steps universities can take to protect their digital reputations.

1. The Scale of the Problem Is Massive

Shakhov discovered that hundreds of subdomains across at least 34 universities are being abused. Major names like the University of California, Berkeley, Columbia University, and Washington University in St. Louis appear on the list. Google search results displayed thousands of hijacked pages, proving the issue goes far beyond a few isolated mistakes. This isn’t just a minor inconvenience — it’s a systematic failure in digital housekeeping that attackers are exploiting on a global scale.

8 Startling Revelations: How Top University Domains Are Being Hijacked for Porn and Scams
Source: feeds.arstechnica.com

2. How Attackers Sneak In via CNAME Records

The technique hinges on a simple web standard: a CNAME (Canonical Name) record. When universities set up a subdomain (like provost.washu.edu), they create a CNAME that points to another domain. When the subdomain is decommissioned, administrators often forget to remove that record. Scammers “hijack” the orphaned record by registering the target domain themselves. Suddenly, a once-legitimate subdomain like causal.stat.berkeley.edu redirects to explicit content or malicious pages.

3. Hazy Hawk: The Group Behind the Hijackings

Separate research linked the attacks to a known threat actor called Hazy Hawk. This group specializes in repurposing abandoned web infrastructure—not just for porn, but also for scams and malware distribution. Their methods are efficient: they scan the web for leftover CNAME records pointing to unregistered domains, claim those domains, and then serve whatever content generates profit. In this case, they used the universities’ trusted domains to lend legitimacy to their operations.

4. Shoddy Record-Keeping Is the Root Cause

Shakhov emphasized that the vulnerability boils down to a clerical error. University IT teams create subdomains for temporary projects, events, or departments but rarely have a robust decommissioning process. Once a subdomain is no longer needed, the CNAME record remains in the DNS system indefinitely. This oversight transforms a tiny administrative slip into a security hole that bad actors can exploit for months or even years.

5. The Dangers Go Beyond Explicit Content

While many hijacked URLs lead to pornographic sites, some pose more serious threats. For example, provost.washu.edu hosted a fake security alert that claimed the visitor’s computer was infected with malware. It urged payment for a “fix”—a classic tech support scam. This shows that domain hijacking can enable identity theft, phishing, and financial fraud, all while wearing the mask of a trusted .edu address.

6. Specific Examples Illustrate the Breach

Concrete examples found by Shakhov include:

These URLs demonstrate how quickly a legitimate academic resource can be misused.

7. Universities Aren’t the Only Targets—But They’re the Most Trusted

While domain hijacking can affect any organization, .edu domains are especially valuable because search engines and users trust them. A link from a university site passes authority, making it easier for scammers to appear legitimate. This trust factor is why Hazy Hawk focused on higher education—the payoff in traffic and credibility is higher than with generic domains.

8. Prevention Is Surprisingly Simple for IT Teams

The fix is straightforward: universities need a formal domain decommissioning policy. Whenever a subdomain is retired, the corresponding CNAME (and other DNS) records must be deleted. Regular audits of existing records can catch orphaned entries before attackers do. Shakhov recommends using automated tools to scan for abandoned DNS records and maintaining a clear inventory of all active subdomains. A small investment in housekeeping can prevent massive reputational damage.
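The audit step described above (and the dangling-CNAME mechanism from revelation 2) can be put into a small script. The following is an added example written for this article, not Shakhov's tooling or any university's code: it walks a zone export, resolves each CNAME target, and flags records whose target no longer answers, with extra weight on targets outside the domains the institution controls. The zone records, the `example.edu` names and the simulated resolver answers are all constructed placeholders; the `registrable_domain` helper is a deliberately naive two-label approximation (a real deployment should use the Public Suffix List).

```python
"""Flag dangling CNAME records that could be hijacked (added example)."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

Resolver = Callable[[str], Optional[List[str]]]


@dataclass
class Finding:
    owner: str          # the subdomain that carries the CNAME
    target: str         # where the CNAME points
    status: str         # "ok", "dangling" or "error"
    third_party: bool   # target lives outside the domains we control


# Constructed sample zone export (owner, type, value). Placeholder names only;
# these are not the subdomains the article mentions.
SAMPLE_ZONE: List[Tuple[str, str, str]] = [
    ("www.example.edu", "CNAME", "web-frontend.example.edu"),
    ("oldproject.example.edu", "CNAME", "oldproject.retired-vendor.example"),
    ("events.example.edu", "CNAME", "events-cdn.vendor.example"),
    ("mail.example.edu", "A", "192.0.2.10"),
]

# Simulated DNS answers for offline use: name -> addresses, None means NXDOMAIN.
SAMPLE_ANSWERS: Dict[str, Optional[List[str]]] = {
    "web-frontend.example.edu": ["192.0.2.20"],
    "events-cdn.vendor.example": ["198.51.100.7"],
    "oldproject.retired-vendor.example": None,   # vendor host is gone
}


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot from zone files."""
    return name.rstrip(".").lower()


def dict_resolver(answers: Dict[str, Optional[List[str]]]) -> Resolver:
    """Build a resolver backed by a fixed answer table (for tests/offline runs)."""
    def resolve(name: str) -> Optional[List[str]]:
        return answers.get(normalize(name))
    return resolve


def live_resolver(name: str) -> Optional[List[str]]:
    """Resolve through the system resolver; None when the name does not exist."""
    try:
        infos = socket.getaddrinfo(normalize(name), None)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def registrable_domain(name: str) -> str:
    """Naive registrable-domain guess: the last two labels (assumption, see lead-in)."""
    labels = normalize(name).split(".")
    return ".".join(labels[-2:])


def audit_cnames(records: Iterable[Tuple[str, str, str]], resolve: Resolver,
                 owned_domains: Set[str]) -> List[Finding]:
    """Check every CNAME in the zone and classify its target."""
    owned = {normalize(d) for d in owned_domains}
    findings: List[Finding] = []
    for owner, rtype, value in records:
        if rtype.upper() != "CNAME":
            continue
        try:
            addrs = resolve(value)
            status = "ok" if addrs else "dangling"
        except Exception:  # resolver failure is not proof of a dangling record
            status = "error"
        third_party = registrable_domain(value) not in owned
        findings.append(Finding(normalize(owner), normalize(value), status, third_party))
    return findings


def dangling(findings: List[Finding]) -> List[Finding]:
    """Records whose target no longer resolves; third-party ones are the riskiest."""
    return sorted((f for f in findings if f.status == "dangling"),
                  key=lambda f: (not f.third_party, f.owner))


if __name__ == "__main__":
    # Swap dict_resolver(...) for live_resolver to audit a real zone export.
    for f in dangling(audit_cnames(SAMPLE_ZONE, dict_resolver(SAMPLE_ANSWERS),
                                   {"example.edu"})):
        print(f"{f.owner} -> {f.target} [{f.status}, third_party={f.third_party}]")
```

A "dangling" result means the target currently has no address, which is the precondition the article describes; whether the target's domain is actually available for registration still needs a registrar or WHOIS check, and a record flagged this way should be deleted either way if the subdomain is retired.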

Conclusion

The exposure of university domains to porn and scams is a wake-up call for every institution with a web presence. As our digital lives expand, even the most prestigious organizations must treat domain management as a critical security task. By understanding how CNAME hijacking works and implementing simple cleanup routines, universities can protect their good names—and their visitors—from exploitation. The next time you see a .edu link, remember: trust is built on vigilance.
