Hazy Hawk swoops in

Why are top university websites serving porn? It comes down to shoddy housekeeping.

Hundreds of subdomains from dozens of universities have been hijacked by scammers.

Dan Goodin

Websites for some of the world’s most prestigious universities are serving explicit porn and malicious content after scammers exploited the shoddy record-keeping of the site administrators, a researcher found recently.

The sites included berkeley.edu, columbia.edu, and washu.edu, the official domains for the University of California, Berkeley, Columbia University, and Washington University in St. Louis. Subdomains such as hXXps://causal.stat.berkeley.edu/ymy/video/xxx-porn-girl-and-boy-ej5210.html, hXXps://conversion-dev.svc.cul.columbia[.]edu/brazzers-gym-porn, and hXXps://provost.washu.edu/app/uploads/formidable/6/dmkcsex-10.pdf all deliver explicit pornography and, in at least one case, a scam site falsely claiming a visitor’s computer is infected and advising the visitor to pay a fee to have the non-existent malware removed. In all, researcher Alex Shakhov said, hundreds of subdomains for at least 34 universities are being abused. Google search results list thousands of hijacked pages.

A handful of hijacked columbia.edu subdomains listed by Google
One of the sites redirected by a UC Berkeley subdomain.

Hijacking a university’s good name

Shakhov, founder of SH Consulting, said that the scammers—which a separate researcher has linked to a known group tracked as Hazy Hawk—are seizing on what amounts to a clerical error by site administrators of the affected universities. When they commission a subdomain such as provost.washu.edu, they create a CNAME record, which assigns the subdomain to a “canonical” hostname, commonly one at a third-party hosting or cloud provider. When the subdomain is eventually decommissioned—something that happens frequently for various reasons—the record is never removed, even though the resource it points to is gone. Scammers like Hazy Hawk then swoop in by claiming that abandoned target for themselves, so the stale record now sends visitors to the university’s subdomain straight to content the scammers control.

With that, the university’s subdomain is effectively theirs. Because search engines trust university domains, the pages the scammers host there rise to the top of Google’s results for the queries they target.

Shakhov wrote:

The root cause is simple: organizations create DNS records and never clean them up. There is no expiry date on a CNAME record. Nobody gets an alert when the target stops responding. And most university IT departments don’t maintain a comprehensive inventory of their subdomains and where they point.

This is compounded by how universities operate—they are highly decentralized. Individual departments, labs, research groups, and student organizations can often request subdomains independently. When people leave, there is no decommissioning process for the DNS records they created.

Finding hijacked subdomains is straightforward. Entering site:[university].edu “xxx” or site:[university].edu “porn” into Google for an affected institution returns scores of results. In some cases, the subdomains returned no longer lead to porn sites, but as of Friday morning, many still did.

The lesson here is clear: Any organization with a website should compile a running inventory of all subdomains, the purpose of each one, and the CNAME record (if any) behind it. Staff should then regularly audit the list for “dangling” records, meaning CNAMEs that still point at a target that no longer exists because the subdomain they served has gone dark. Any such record should be removed, not left to resolve to whoever claims the target next.
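One way to run the audit described above, as an added example that is not code from the article or from SH Consulting: the script parses a BIND-style zone export for CNAME records, resolves each target, and separates records whose target no longer exists (remove them) from lookups that failed transiently (re-check by hand) and targets that still answer. The zone text, every hostname in it, and the canned resolver answers are constructed for illustration; pointing the script at a real zone file switches it to the system resolver.

```python
"""Audit a BIND-style zone export for dangling CNAME records.

Added example, not code from the article or from SH Consulting. The zone
text and resolver answers below are constructed; every hostname in them is
an assumption, not a real record.
"""
import socket
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class CnameRecord:
    name: str    # owner name, fully qualified, e.g. "old-lab.example.edu."
    target: str  # the "canonical" hostname the record points at


def _qualify(name: str, origin: str) -> str:
    """Fully qualify a relative owner or target using the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") or not origin else f"{name}.{origin}"


def parse_zone_cnames(zone_text: str) -> List[CnameRecord]:
    """Extract CNAMEs from 'name [TTL] [IN] CNAME target' lines, honouring
    $ORIGIN; comments, blank lines and other record types are skipped."""
    origin, records = "", []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop ';' comments, tokenize
        if not fields:
            continue
        if fields[0] == "$ORIGIN" and len(fields) > 1:
            origin = fields[1]
        elif "CNAME" in fields and fields.index("CNAME") + 1 < len(fields):
            target = fields[fields.index("CNAME") + 1]
            records.append(CnameRecord(_qualify(fields[0], origin), _qualify(target, origin)))
    return records


# A resolver returns the target's addresses, None when the name does not
# exist (NXDOMAIN / no data), and raises OSError on a transient failure.
Resolver = Callable[[str], Optional[List[str]]]
_NO_SUCH_NAME = {c for c in (getattr(socket, "EAI_NONAME", None),
                             getattr(socket, "EAI_NODATA", None)) if c is not None}


def live_resolver(hostname: str) -> Optional[List[str]]:
    """Resolve a CNAME target with the system resolver (needs network access)."""
    try:
        infos = socket.getaddrinfo(hostname.rstrip("."), None)
    except socket.gaierror as exc:
        if exc.errno in _NO_SUCH_NAME:
            return None
        raise  # SERVFAIL, timeout, ...: let the caller flag it for review
    return sorted({info[4][0] for info in infos})


def audit_cnames(records: List[CnameRecord], resolve: Resolver) -> Dict[str, List[CnameRecord]]:
    """Bucket records as 'dangling' (target gone: remove the record),
    'review' (lookup failed: re-check by hand) or 'ok' (target answers)."""
    report: Dict[str, List[CnameRecord]] = {"dangling": [], "review": [], "ok": []}
    for rec in records:
        try:
            addrs = resolve(rec.target)
        except OSError:
            report["review"].append(rec)
            continue
        report["ok" if addrs else "dangling"].append(rec)
    return report


# Constructed zone export with hypothetical names (not real records).
SAMPLE_ZONE = """\
$ORIGIN example.edu.
provost      3600 IN A     192.0.2.10
old-lab      3600 IN CNAME old-lab-site.hosting.example.net.  ; retired 2021
events-2019  3600 IN CNAME events-2019.storage.example.net.
www          3600 IN CNAME www-example-edu.cdn.example.net.
"""

# Canned answers standing in for the network: None is NXDOMAIN, a missing
# key simulates a lookup that timed out.
FAKE_ANSWERS: Dict[str, Optional[List[str]]] = {
    "www-example-edu.cdn.example.net.": ["198.51.100.7"],
    "old-lab-site.hosting.example.net.": None,
}


def fake_resolver(hostname: str) -> Optional[List[str]]:
    if hostname not in FAKE_ANSWERS:
        raise OSError("simulated timeout")
    return FAKE_ANSWERS[hostname]


def main(argv: List[str]) -> Dict[str, List[CnameRecord]]:
    """Audit the zone file named on the command line, or the sample offline."""
    if argv:
        with open(argv[0], encoding="utf-8") as fh:
            report = audit_cnames(parse_zone_cnames(fh.read()), live_resolver)
    else:
        report = audit_cnames(parse_zone_cnames(SAMPLE_ZONE), fake_resolver)
    for status in ("dangling", "review", "ok"):
        for rec in report[status]:
            print(f"{status:9}{rec.name} -> {rec.target}")
    return report


if __name__ == "__main__":
    main(sys.argv[1:])
```

Two caveats a practitioner should keep in mind. A target that still resolves is not proof that the record is safe: hosting providers whose DNS answers for any name under their domain will resolve an unclaimed resource name too, so the inventory’s purpose column, not DNS alone, decides whether a record stays. And a lookup that fails transiently lands in the review bucket rather than being silently treated as healthy; a stale record that is not watched is exactly what Hazy Hawk is looking for.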

Clearly, many universities and other organizations are flouting this common-sense practice. Shakhov said only a handful of the affected universities have expunged dangling CNAME records since he went public with his findings earlier this month. Even then, several of them have failed to get the URLs delisted by Google, which leaves the already-indexed pages visible in search results. Inquiries sent to UC Berkeley, Columbia, and Washington University didn’t receive responses before publication.

Post updated to fix definition of CNAME records.

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and Bluesky. Contact him on Signal at DanArs.82.
57 Comments
Staff Picks
Waco
Reading the headline, I figured this was that the universities had determined that about 90% of their traffic consisted of porn downloads by the student body and had decided to cut out the middleman and cache it all locally to take the load off the network infrastructure.
While it wasn't porn - back in college we had a server that was a collection of everything except porn (it was our one rule). Games, movies, TV shows, etc.

The university noticed that 99% of the bandwidth in the building was used by that one port in one dorm room.

...they gave us a 10G uplink to the core switch. The number of complaints directed at the university ISP inversely correlated with the rise in use of that server so they hooked us up. :p

It's also how I got into doing resilient and performant HPC storage as my day job...so it was a huge win.
YetAnotherAnonymousAppellation
Just checked my Canadian alma mater and got plenty of hits. I'm going to email the admins and suggest that they might want to look into this. It might not affect their overall bandwidth usage much as they've got ~100k students and staff these days.