Websites for some of the world’s most prestigious universities are serving explicit pornography and malicious content after scammers exploited poor record-keeping by site administrators, a researcher found.
The affected sites included berkeley.edu, columbia.edu, and washu.edu—the official domains for the University of California, Berkeley, Columbia University, and Washington University in St. Louis.
Scammers created malicious subdomains such as:
- hXXps://causal.stat.berkeley.edu/ymy/video/xxx-porn-girl-and-boy-ej5210.html
- hXXps://conversion-dev.svc.cul.columbia[.]edu/brazzers-gym-porn
- hXXps://provost.washu.edu/app/uploads/formidable/6/dmkcsex-10.pdf
These links delivered explicit pornography and, in one case, a scam site falsely claiming a visitor’s computer was infected and demanding payment for non-existent malware removal.
According to researcher Alex Shakhov of SH Consulting, hundreds of subdomains across at least 34 universities have been abused. Google search results list thousands of hijacked pages linked to these compromised subdomains.
How the Hijacking Works
Shakhov explained that scammers—linked by another researcher to a group known as Hazy Hawk—are capitalizing on administrative oversights. When universities commission a subdomain like provost.washu.edu, they create a CNAME record to assign a URL to the hosting IP address. However, when the subdomain is later decommissioned, the record is often left unremoved.
Scammers then register the expired domain name at the base of the old URL, effectively hijacking the subdomain for malicious use.
Examples of Hijacked Subdomains
A handful of compromised columbia.edu subdomains were identified in Google search results, and one UC Berkeley subdomain redirected users to a malicious site.
“When the subdomain is eventually decommissioned—something that happens frequently for various reasons—the record is never removed. Scammers like Hazy Hawk then swoop in by registering the expired domain name at the base of the old URL.”
Related articles
OpenAI Integrates ChatGPT with Bank Accounts via Plaid for Financial Insights
ChatGPT will even know how much credit card debt you have. | Image: OpenAI Your trust in AI is about to be put to the test: OpenAI will soon let you g...
Fired IT Workers Accidentally Record Own Database Sabotage via Active Teams Call
Perhaps you remember Muneeb and Sohaib Akhter, the 34-year-old twin brothers we profiled earlier this week. Although they had the tech chops to commit...
Windows 11 BitLocker Bypassed by Zero-Day Exploit 'YellowKey' in Seconds
A zero-day exploit circulating online allows people with physical access to a Windows 11 system to bypass default BitLocker protections and gain compl...
Esports World Cup Relocates from Riyadh to Paris Amid Middle East Uncertainty
Uncertainty in the Middle East is apparently forcing the location change.
OpenAI Confirms No User Data Accessed in ChatGPT Mac App Security Breach
OpenAI found no evidence that user data was accessed.
Apple Supports Google Against EU’s Android AI Mandate, Citing Privacy Risks
The company agrees with Google that it would put European users' privacy and safety at risk.
How Windows Update Now Protects Your PC from Faulty Driver Updates
Hardware driver updates can be a blessing and a curse. When they're good, they can fix bugs, improve performance, and add new capabilities, giving you...
Meta Launches Incognito Chat with End-to-End Encryption for AI Conversations
Meta CEO Mark Zuckerberg says its new Incognito Chat is "the first major AI product where there is no log of your conversations stored on servers." Me...