Web sites for a number of the world’s most prestigious universities are serving explicit porn and malicious content after scammers exploited the shoddy record-keeping of the location administrators, a researcher found recently.
The sites included berkeley.edu, columbia.edu, and washu.edu, the official domains for the University of California, Berkeley, Columbia University, and Washington University in St. Louis. Subdomains akin to hXXps://causal.stat.berkeley.edu/ymy/video/xxx-porn-girl-and-boy-ej5210.html, hXXps://conversion-dev.svc.cul.columbia[.]edu/brazzers-gym-porn, and hXXps://provost.washu.edu/app/uploads/formidable/6/dmkcsex-10.pdf. All deliver explicit pornography and, in a minimum of one case, a scam site falsely claiming a visitor’s computer is infected and advising the visitor to pay a fee for the non-existent malware to be removed. In all, researcher Alex Shakhov said, tons of of subdomains for a minimum of 34 universities are being abused. Search results returned by Google list hundreds of hijacked pages.
A handful of hijacked columbia.edu subdomains listed by Google
One in every of the sites redirected by a UC Berkeley subdomain.
One in every of the sites redirected by a UC Berkeley subdomain.
Hijacking a university’s good name
Shakhov, founding father of SH Consulting, said that the scammers—which a separate researcher has linked to a known group tracked as Hazy Hawk—are seizing on what amounts to a clerical error by site administrators of the affected universities. After they commission a subdomain akin to provost.washu.edu, they create a CNAME record, which assignes a subdomain to a “canonical” domain. When the subdomain is eventually decommissioned—something that happens steadily for various reasons—the record is rarely removed. Scammers like Hazy Hawk then swoop in by hijacking the old record.
With that, they’ve now hijacked that university’s subdomain. Given the reputations universities have, search queries then flow to the highest of Google’s results.