Hundreds of subdomains from dozens of universities have been hijacked by scammers, with at least 34 universities affected, according to the researcher. The sites berkeley[.]edu, columbia[.]edu, and washu[.]edu are among those implicated, with subdomains such as causal.stat.berkeley[.]edu/ymy/video/xxx-porn-girl-and-boy-ej5210[.]html and provost.washu[.]edu/app/uploads/formidable/6/dmkcsex-10[.]pdf delivering explicit pornography or hosting scam content.
The root cause, as described by the researcher, is shoddy housekeeping and a clerical error: DNS CNAME records are created and never cleaned up, and a CNAME record carries no expiry date. Scammers, possibly linked to the group tracked as Hazy Hawk, exploit these dangling records by registering the expired domain at the base of the target the old CNAME still points to, so the university subdomain resolves to content they control.
The result is that the university’s name is hijacked, and search results and Google indexing continue to point to the compromised subdomains. Inquiries to the universities involved did not receive responses before publication. According to Dan Goodin, the lesson is to compile a running inventory of all subdomains, regularly audit them, and remove CNAME records for any inactive subdomain.
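One way to run the audit the article recommends, as an added example that is not part of the original report: parse the CNAME records out of a zone file, take the registrable base of each target, and flag records whose base domain no longer resolves (the condition that lets someone else register it). The zone fragment, the host names and the offline resolver table are constructed for this example, and the "last two labels" base-domain rule is a simplification that a real audit would replace with a Public Suffix List lookup.

```python
import re
import socket
from typing import Callable, Dict, List

# Constructed sample zone fragment; none of these names are real records.
SAMPLE_ZONE = """
research.example-university.edu.  3600 IN CNAME  research-site.example-host.net.
events.example-university.edu.    3600 IN CNAME  events-2019.expired-vendor.example.
www.example-university.edu.       3600 IN A      192.0.2.10
"""

# owner [TTL] [IN] CNAME target  (BIND-style, one record per line)
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)",
                      re.IGNORECASE | re.MULTILINE)

def parse_cnames(zone_text: str) -> Dict[str, str]:
    """Return {owner: target} for every CNAME record in the zone fragment."""
    return {m.group(1).rstrip("."): m.group(2).rstrip(".")
            for m in CNAME_RE.finditer(zone_text)}

def base_domain(name: str) -> str:
    """Registrable base of a target. Simplified to the last two labels;
    a production check should consult the Public Suffix List instead."""
    return ".".join(name.split(".")[-2:])

def live_resolver(name: str) -> bool:
    """Network check: a base domain that no longer resolves at all is a
    candidate for re-registration by a third party."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone_text: str,
                  resolves: Callable[[str], bool] = live_resolver) -> List[str]:
    """Owners whose CNAME target sits under a base domain that does not resolve.
    These are the records to remove (or re-point) before someone claims the target."""
    return sorted(owner for owner, target in parse_cnames(zone_text).items()
                  if not resolves(base_domain(target)))

# Offline stand-in for DNS (constructed): only the first vendor still exists.
OFFLINE_DNS = {"example-host.net": True, "expired-vendor.example": False}

def offline_resolver(name: str) -> bool:
    return OFFLINE_DNS.get(name, False)

if __name__ == "__main__":
    for owner in find_dangling(SAMPLE_ZONE, offline_resolver):
        print(f"dangling CNAME: {owner} (target base no longer resolves)")
```

Run against a real zone export with the default `live_resolver` to get the live list; the offline resolver is only there so the example runs without network access.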